Zextras Carbonio 23.6.0
Security
This section covers security considerations for a typical Carbonio installation.
Install an SSL Certificate
This section describes how to add an SSL/TLS certificate to a Carbonio installation, including both a single server certificate and a wildcard certificate. Carbonio supports the installation and maintenance of Let’s Encrypt certificates; detailed instructions are available on the Zextras Community page.
This configuration is required if Carbonio is used in combination with mobile applications; it is also recommended for any installation to prevent the client browser’s warning about an invalid certificate upon connecting.
See also
You can manage SSL domain certificates from the Carbonio Admin Panel: check out Virtual Hosts & Certificate.
Installation of Commercial Certificates
We will describe the technique by using the following scenario:
The FQDN of the server is mail.example.com.
The domain does not have an SSL certificate.
Replace mail.example.com with your actual server FQDN in the remainder.
The technique is simple and involves console access to the Carbonio server.
Step 1: Create a Certificate Signing Request.
We begin by creating a CSR:
# /opt/zextras/bin/zmcertmgr createcsr comm -new -subject \
"/C=IT/ST=VR/L=Yourtown/O=YourCompany/OU=SampleDepartment/CN=mail.example.com" \
-subjectAltNames mail.example.com
The fields in the subject are the usual X.509 subject fields:
C: the two-letter country code
ST: State or Province
L: City (Locality)
O: Name of the Organisation
OU: Organisational Unit (Department)
CN: Common Name, i.e. the FQDN of the server. Modern clients ignore the CN and match the host name against the Subject Alternative Names only, which is why the FQDN is passed again with -subjectAltNames.
Note
You can optionally include more than one (alternative) name by adding to the end of the command one or more -subjectAltNames options, each followed by the name to add.
The command generates the following two files (commercial.key is the server's private key and must stay on the server):
/opt/zextras/ssl/carbonio/commercial/commercial.key
/opt/zextras/ssl/carbonio/commercial/commercial.csr
Step 2: Obtain your SSL certificates from your SSL supplier.
Send the CSR (only the .csr file, never the .key file) to the SSL provider and obtain the certificate in PEM format, which you should store as /opt/zextras/ssl/carbonio/commercial/commercial.crt.
SSL providers also supply the intermediate certificate(s) together with the Root CA in a packaged certificate file ("Full Chain CA"), which must be stored as /opt/zextras/ssl/carbonio/commercial/commercial_ca.crt.
Step 3: Validation and deployment
To ensure that the certificate, the CA chain and your private key match, run the following commands.
Become the zextras user:
# su - zextras
Go to the directory where the certificates are kept:
zextras$ cd /opt/zextras/ssl/carbonio/commercial
Check the certificates:
zextras$ zmcertmgr verifycrt comm commercial.key commercial.crt commercial_ca.crt
If the verification is successful, the SSL certificate can be deployed:
zextras$ zmcertmgr deploycrt comm commercial.crt commercial_ca.crt
Finally, restart Carbonio:
zextras$ zmcontrol restart
Your certificate should now be in use. Run the following command to check the details of the deployed certificate:
zextras$ zmcertmgr viewdeployedcrt
Installation of a Wildcard Certificate
To demonstrate this technique, we use the same server with the FQDN mail.example.com, but this time a wildcard SSL certificate for the domain *.example.com already exists, issued for use on a server other than Carbonio's.
As a result, you already have all the required material (certificate, private key and CA chain), and the procedure is simpler in this situation.
Step 1: Create certificates
Save the existing PEM certificate and its private key as /opt/zextras/ssl/carbonio/commercial/commercial.crt and /opt/zextras/ssl/carbonio/commercial/commercial.key respectively, and make sure the key file is readable only by the zextras user.
The CA chain goes into a third file. Navigate to /opt/zextras/ssl/carbonio/commercial/ and build it by concatenating the intermediate and root CA certificates that were delivered together with the wildcard certificate (the file names intermediate.crt and root.crt below stand for whatever your provider supplied):
# cat intermediate.crt root.crt > commercial_ca.crt
Never concatenate the private key into this file: commercial_ca.crt is a public CA chain, and zmcertmgr verifycrt below expects it to contain only CA certificates.
Step 2: Validation and deployment
To ensure that the certificate, the CA chain and your private key match, run the following commands.
Become the zextras user:
# su - zextras
Go to the directory where the certificates are kept:
zextras$ cd /opt/zextras/ssl/carbonio/commercial
Check the certificates:
zextras$ zmcertmgr verifycrt comm commercial.key commercial.crt commercial_ca.crt
If the verification is successful, the SSL certificate can be deployed:
zextras$ zmcertmgr deploycrt comm commercial.crt commercial_ca.crt
Finally, restart Carbonio:
zextras$ zmcontrol restart
Your certificate should now be in use. Run the following command to check the details of the deployed certificate:
zextras$ zmcertmgr viewdeployedcrt
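Both procedures above end with zmcertmgr verifycrt, and the same consistency checks can be run with plain openssl before anything is copied onto the Carbonio server. The following script is an added example and is not part of Carbonio or zmcertmgr: it checks that the private key matches the certificate, that the chain file validates the certificate, that the server FQDN is covered by a Subject Alternative Name (an exact name or a single-label wildcard on the parent domain, so it also serves the wildcard case), and that no private key has been pasted into the chain file. The test CA, the certificates it issues and the temporary directory are constructed by the script itself so it runs offline; its function names and file layout are this example's own, only the file names commercial.key, commercial.crt and commercial_ca.crt mirror what zmcertmgr expects.

```shell
#!/bin/sh
# Added example, not part of Carbonio or zmcertmgr: pre-deployment checks on
# the three files zmcertmgr expects (commercial.key, commercial.crt,
# commercial_ca.crt). Requires only openssl and POSIX tools.

# Does the private key belong to the certificate? Compare the SHA-256 of the
# DER-encoded public key extracted from each file.
cert_key_match() {
    k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}')
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}')
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Does the chain file build a trust path to the certificate?
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Does the certificate cover the FQDN in its Subject Alternative Names?
# An exact DNS entry or a single-label wildcard on the parent domain counts.
cert_covers_name() {
    sans=$(openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null | tr ',' '\n' | sed 's/^ *//')
    parent="${2#*.}"
    printf '%s\n' "$sans" | grep -qx "DNS:$2" && return 0
    printf '%s\n' "$sans" | grep -qx "DNS:\*\.$parent"
}

# The chain file is public data: refuse to go on if a key has been pasted into it.
chain_has_no_private_key() {
    ! grep -q 'PRIVATE KEY' "$1"
}

# Run every check against a directory laid out like /opt/zextras/ssl/carbonio/commercial.
precheck() {
    dir="$1"; fqdn="$2"
    cert_key_match "$dir/commercial.key" "$dir/commercial.crt"    || { echo "FAIL: key does not match certificate"; return 1; }
    chain_verifies "$dir/commercial_ca.crt" "$dir/commercial.crt" || { echo "FAIL: chain does not verify certificate"; return 1; }
    cert_covers_name "$dir/commercial.crt" "$fqdn"                || { echo "FAIL: no SAN covers $fqdn"; return 1; }
    chain_has_no_private_key "$dir/commercial_ca.crt"             || { echo "FAIL: private key found in chain file"; return 1; }
    echo "OK: $fqdn ready for zmcertmgr deploycrt"
}

# Constructed test material (not real credentials): a one-day test CA, a leaf
# for mail.example.com and a wildcard leaf for *.example.com, under directory $1.
build_fixture() {
    d="$1"; mkdir -p "$d" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/commercial_ca.crt" \
        -subj "/CN=Example Test CA" -days 1 >/dev/null 2>&1 || return 1
    printf 'subjectAltName=DNS:mail.example.com\n' > "$d/san.cnf"
    openssl req -newkey rsa:2048 -nodes -keyout "$d/commercial.key" -out "$d/commercial.csr" \
        -subj "/C=IT/ST=VR/L=Yourtown/O=YourCompany/CN=mail.example.com" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$d/commercial.csr" -CA "$d/commercial_ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -extfile "$d/san.cnf" -out "$d/commercial.crt" >/dev/null 2>&1 || return 1
    printf 'subjectAltName=DNS:*.example.com\n' > "$d/wild.cnf"
    openssl req -newkey rsa:2048 -nodes -keyout "$d/wildcard.key" -out "$d/wildcard.csr" \
        -subj "/CN=*.example.com" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$d/wildcard.csr" -CA "$d/commercial_ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -extfile "$d/wild.cnf" -out "$d/wildcard.crt" >/dev/null 2>&1 || return 1
}

# Demo: build the fixture in a temporary directory and run the checks on it.
demo_dir=$(mktemp -d)
build_fixture "$demo_dir" && precheck "$demo_dir" mail.example.com
```

On a real server, point precheck at /opt/zextras/ssl/carbonio/commercial and the server FQDN; a chain file that fails chain_has_no_private_key is the symptom of the key having been concatenated into commercial_ca.crt by mistake.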
Insert a DKIM Record into the Carbonio Installation
This section describes how to generate a DKIM key for a domain served by a Carbonio installation and publish the corresponding record in the domain's DNS.
Create a DKIM Record
Two steps are required to produce a fresh DKIM record. In this situation, we’re using example.com as the domain name, as is customary: replace it with the real domain name.
Step 1: Generate DKIM record
Execute the following command to generate a new DKIM record for the domain.
# /opt/zextras/libexec/zmdkimkeyutil -a -d example.com
The output will be similar to the following:
DKIM Data added to LDAP for domain example.com with selector D43CB080-8FE0-11EC-88DF-9958FFC5EFF5
Public signature to enter into DNS:
D43CB080-8FE0-11EC-88DF-9958FFC5EFF5._domainkey IN TXT ( "v=DKIM1; k=rsa; ""p=MIIBIjANBgkqhkiG9w0BAQEFA
AOCAQ8AMIIBCgKCAQEA6fn7z208Gj/UVAL29CeKxhyHrRnals/qs4kWxnWuPK+ogDQjZoD0aUIv6QkUX6Y/KSYUd9qHEy1I7pSNIlyS
ecqeq/YsP5zXzoKD7WmLfE0PGIx0CEtsn4h4MJucm+LNVKziSPVzkVZ0rku15BaBO1bpFd7bvkXMffei3cc2zwrFmFSDVB5P84k1na+
5p1o4NBq3SDn8fks9r6""CJ7dAZQ3LazNmAgenMldkWC7tv+/25CStiz3QQ4GqCn4tp0VW3hWOQm6tRSe1yHEG10XT2cSieFM1w0GzB
XZZEedCK1POmFoOKwgqraxJtqiPdM7i+mjUOy7w1uqJa4fyxjbVp0QIDAQAB" ) ; ----- DKIM key D43CB080-8FE0-11EC-88D
F-9958FFC5EFF5 for example.com
Step 2: Add DKIM record to DNS settings
Edit the DNS settings of the domain and create a new record as follows, using the output of the previous command.
Create a new record of type TXT with name D43CB080-8FE0-11EC-88DF-9958FFC5EFF5._domainkey
As value of the new record, copy and paste the string within the parentheses, joining the quoted strings into one and making sure that the value does not contain any newline (that is, the value is written on one line):
v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6fn7z208Gj/UVAL29CeKxhyHrRnals/qs4kWxnWuPK+ogDQjZoD0aUIv6QkUX6Y/KSYUd9qHEy1I7pSNIlySecqeq/YsP5zXzoKD7WmLfE0PGIx0CEtsn4h4MJucm+LNVKziSPVzkVZ0rku15BaBO1bpFd7bvkXMffei3cc2zwrFmFSDVB5P84k1na+5p1o4NBq3SDn8fks9r6CJ7dAZQ3LazNmAgenMldkWC7tv+/25CStiz3QQ4GqCn4tp0VW3hWOQm6tRSe1yHEG10XT2cSieFM1w0GzBXZZEedCK1POmFoOKwgqraxJtqiPdM7i+mjUOy7w1uqJa4fyxjbVp0QIDAQAB
Warning
Depending on the DNS provider's interface, you may need to remove the double quotes, the white space between the quoted strings, or both. The p= value itself must never contain white space.
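Joining the quoted strings by hand is where most DKIM records get mangled, so it is worth doing it with a script and checking the result before it goes into DNS. The following is an added example, not part of Carbonio or zmdkimkeyutil: it takes the zone-file style output shown above (the sample embedded in the script is the page's own record, line breaks included, as it would be copied from a terminal), extracts the record name and the single-line TXT value, and then decodes the p= tag with openssl to confirm that it is a parseable RSA public key of at least 2048 bits. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of Carbonio or zmdkimkeyutil: turn the zone-file
# style output of zmdkimkeyutil into the single-line TXT value a DNS console
# wants, and check that p= really carries an RSA public key of the expected
# size. Requires only openssl and POSIX tools.

# Print the record name (selector followed by ._domainkey) from the output on stdin.
dkim_record_name() {
    tr -d '\n' | sed -n 's/^[[:space:]]*\([^[:space:]]*\._domainkey\)[[:space:]].*/\1/p'
}

# Join the quoted strings inside the parentheses into one value with no
# quotes and no line breaks (input on stdin).
dkim_txt_value() {
    tr -d '\n' | sed -n 's/.*(\(.*\)).*/\1/p' | sed 's/"//g; s/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Extract one tag (v, k, p, ...) from a single-line DKIM TXT value.
dkim_tag() {
    printf '%s' "$1" | tr ';' '\n' | sed -n "s/^[[:space:]]*$2=//p" | tr -d '[:space:]'
}

# Decode p= and print the RSA modulus size in bits; prints nothing if the
# value is not a parseable SubjectPublicKeyInfo.
dkim_key_bits() {
    p=$(dkim_tag "$1" p)
    printf '%s' "$p" | openssl base64 -d -A | openssl rsa -pubin -inform DER -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Sanity-check a single-line record before it goes into DNS.
dkim_record_ok() {
    [ "$(dkim_tag "$1" v)" = "DKIM1" ] || { echo "FAIL: v=DKIM1 missing"; return 1; }
    [ "$(dkim_tag "$1" k)" = "rsa" ]   || { echo "FAIL: unexpected key type"; return 1; }
    bits=$(dkim_key_bits "$1")
    [ -n "$bits" ] && [ "$bits" -ge 2048 ] || { echo "FAIL: key not parseable or shorter than 2048 bits"; return 1; }
    echo "OK: ${bits}-bit RSA key"
}

# Sample input: the record printed by zmdkimkeyutil in the text above, with the
# line breaks it has when copied out of a terminal.
SAMPLE='D43CB080-8FE0-11EC-88DF-9958FFC5EFF5._domainkey IN TXT ( "v=DKIM1; k=rsa; ""p=MIIBIjANBgkqhkiG9w0BAQEFA
AOCAQ8AMIIBCgKCAQEA6fn7z208Gj/UVAL29CeKxhyHrRnals/qs4kWxnWuPK+ogDQjZoD0aUIv6QkUX6Y/KSYUd9qHEy1I7pSNIlyS
ecqeq/YsP5zXzoKD7WmLfE0PGIx0CEtsn4h4MJucm+LNVKziSPVzkVZ0rku15BaBO1bpFd7bvkXMffei3cc2zwrFmFSDVB5P84k1na+
5p1o4NBq3SDn8fks9r6""CJ7dAZQ3LazNmAgenMldkWC7tv+/25CStiz3QQ4GqCn4tp0VW3hWOQm6tRSe1yHEG10XT2cSieFM1w0GzB
XZZEedCK1POmFoOKwgqraxJtqiPdM7i+mjUOy7w1uqJa4fyxjbVp0QIDAQAB" ) ; ----- DKIM key D43CB080-8FE0-11EC-88D
F-9958FFC5EFF5 for example.com'

name=$(printf '%s' "$SAMPLE" | dkim_record_name)
value=$(printf '%s' "$SAMPLE" | dkim_txt_value)
echo "$name.example.com  TXT  $value"
dkim_record_ok "$value"
```

Feed the real output of zmdkimkeyutil to dkim_txt_value instead of SAMPLE; the printed line is the name and value to enter in the DNS console, and dkim_record_ok fails if a character was lost while copying.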
Test and Verify
Several tests may be performed to ensure that the DKIM has been appropriately added to the domain DNS and is working properly to sign outgoing e-mails.
TXT record test
To check that the TXT record has been added to the DNS, issue the following command from any Linux box.
# nslookup -type=txt D43CB080-8FE0-11EC-88DF-9958FFC5EFF5._domainkey.example.com
Make sure that you use the same name used when creating the TXT record.
If the DKIM record has been added correctly, the output contains the record, starting with v=DKIM1. Otherwise, if the DKIM record has not been set correctly, or if there was some issue in retrieving it, you will not see the string v=DKIM1 in the output.
DKIM service enabled
The opendkim service must be running on the Carbonio installation for outgoing e-mails to be signed. Verify it with the command
# carbonio prov gs $(zmhostname) | grep -i service
whose output must contain the line:
zimbraServiceEnabled: opendkim
E-mail signature test
To verify that an outgoing e-mail has been correctly signed, the easiest way is to send an e-mail from the domain to a third-party address. The recipient can then look at the raw message (the option is usually called View e-mail source, Show original, Show e-mail headers or similar in any e-mail client).
In the headers added by the receiving server (typically Authentication-Results, or the spam filter's status header) you should see entries similar to the following:
tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1 ... dkim=pass (2048-bit key) header.d=example.com
dkim=pass means the signature verified against the key published in DNS; header.d= must show your actual domain name instead of example.com.
Carbonio Integrated Services
Carbonio includes by default a number of tools and functions that help manage e-mail traffic and detect malicious content in messages and attachments. Furthermore, rights over Carbonio server components can be granted to specific users and delegated. This section introduces them briefly.
Anti-Virus and Anti-Spam Defence
The Amavisd tool serves as a bridge between the Carbonio MTA and the Clam Anti-Virus (ClamAV) and SpamAssassin software, which provide anti-virus and anti-spam functionality, respectively.
Anti-Virus Defence
ClamAV is the de-facto Open Source anti-virus standard and is the virus scanning engine enabled on each Carbonio server.
ClamAV is configured to divert messages recognised as containing a virus away from the recipient's Inbox into a designated virus quarantine mailbox. ClamAV virus signature updates are downloaded every two hours by default.
Anti-Spam Defence
Obtaining Access to Quarantined E-mails
E-mails kept in quarantine are not available to normal users: they are stored in a dedicated account that does not appear in the accounts list.
To find the quarantined e-mails, log in to the domain as an Administrator or as a Delegated Admin with quarantine access, then search for the word virus in the search box. The results include an account named virus-quarantine.<string>@example.com, where <string> is a randomly generated string. Right-click on it and select View mail from the context menu: this opens the account's inbox, where the quarantined messages can be inspected.
Protecting LDAP
Carbonio's LDAP passwords are hashed with SHA-512 by default. SHA-512 has no known cryptographic flaws, but it is a fast general-purpose hash: an attacker who obtains a copy of the LDAP database can test candidate passwords against it at very high speed, which is why some institutions require a dedicated, memory-hard password hashing function.
Starting with version 23.4.0, Carbonio supports storing LDAP passwords with the Argon2 algorithm, which is designed to make such offline guessing expensive.
SHA-512 remains the default algorithm for Carbonio installations; the new algorithm can be enabled via a two-step procedure.
Before beginning, it is recommended to create an LDAP database dump using the instructions and commands described in the Upgrade section Preliminary Tasks.
The first part of the procedure is up to the administrator, who must run the following script as the zextras user to activate Argon2:
zextras$ /opt/zextras/libexec/scripts/migrate20230217-AddArgon2.pl
When the script is finished, Argon2 becomes the default hashing scheme for new passwords: the passwords of all new LDAP accounts will be stored using Argon2. Existing password hashes, on the other hand, remain SHA-512, since a stored hash cannot be converted to another scheme without the plaintext password.
The second stage is therefore up to the users: each user's password is re-hashed with Argon2 only when they change it.
Hint
The Administrator can force a user to change password from the Carbonio Admin Panel by enabling option This user must change password, that appears in tab General when editing a user under Domains ‣ Accounts. See section Accounts for details.
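Because the second stage depends on users changing their passwords, an administrator needs a way to see how many accounts are still stored with the old scheme. The following script is an added example, not part of Carbonio: it reads an LDIF export (for instance the output of an ldapsearch run on the LDAP server) and tallies the {SCHEME} prefix of every userPassword value. ldapsearch base64-encodes userPassword (the "attribute::" form), so each value is decoded before the prefix is read. The scheme labels {SSHA512} and {ARGON2} used in the constructed sample are assumptions made for this illustration, not values taken from the page; the script simply reports whatever label it finds.

```shell
#!/bin/sh
# Added example, not part of Carbonio: measure the Argon2 migration by tallying
# the password scheme prefix of every userPassword in an LDIF export.
# Scheme labels in the sample ({SSHA512}, {ARGON2}) are assumed for illustration.
# Requires only openssl and POSIX tools.

# Read LDIF on stdin; print "<scheme> <dn>" for each entry that has a userPassword.
# Both the base64 form (userPassword::) and the plain form (userPassword:) are handled.
ldif_password_schemes() {
    dn=''
    while IFS= read -r line; do
        case "$line" in
            "dn: "*) dn=${line#dn: } ;;
            "userPassword:: "*)
                decoded=$(printf '%s' "${line#userPassword:: }" | openssl base64 -d -A)
                scheme=$(printf '%s' "$decoded" | sed -n 's/^\({[^}]*}\).*/\1/p')
                echo "${scheme:-none} $dn" ;;
            "userPassword: "*)
                scheme=$(printf '%s' "${line#userPassword: }" | sed -n 's/^\({[^}]*}\).*/\1/p')
                echo "${scheme:-none} $dn" ;;
        esac
    done
}

# Count accounts per scheme (LDIF on stdin).
scheme_summary() {
    ldif_password_schemes | awk '{n[$1]++} END {for (s in n) print s, n[s]}' | sort
}

# List the DNs still stored with a given scheme, e.g. '{SSHA512}', so they can
# be forced to change password from the Admin Panel (LDIF on stdin).
accounts_with_scheme() {
    ldif_password_schemes | awk -v s="$1" '$1 == s {print $2}'
}

# Constructed sample export (not real data): two accounts still on SHA-512,
# one already on Argon2. The base64 values decode to "{SSHA512}dummy" and
# "{ARGON2}dummy"; real hashes are of course much longer.
SAMPLE_LDIF='dn: uid=alice,ou=people,dc=example,dc=com
userPassword:: e1NTSEE1MTJ9ZHVtbXk=

dn: uid=bob,ou=people,dc=example,dc=com
userPassword: {SSHA512}dummy

dn: uid=carol,ou=people,dc=example,dc=com
userPassword:: e0FSR09OMn1kdW1teQ=='

printf '%s\n' "$SAMPLE_LDIF" | scheme_summary
printf '%s\n' "$SAMPLE_LDIF" | accounts_with_scheme '{SSHA512}'
```

Run it against a fresh export after the migration script and again a few weeks later; the {SSHA512} count should only go down, and the DNs it lists are the users who have not yet changed their password.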
Disabling the Amavis Anti-Virus
There are times when an Administrator wants or has to disable Carbonio's internal anti-virus check in amavis, for example when an external anti-virus engine is in use, or when investigating an MTA issue in a test environment.
In such cases the virus check can be disabled via the CLI with the command
zextras$ carbonio prov mcf carbonioAmavisDisableVirusCheck TRUE
Set it back to FALSE to re-enable the check. You may check the value of the variable at any time:
zextras$ carbonio prov gcf carbonioAmavisDisableVirusCheck
Note
If you have never modified the variable, this command may return no output: the attribute is unset, the default applies and the amavis virus check is active.