This section covers security considerations for a typical Carbonio installation.
Install an SSL Certificate
This section describes how to add an SSL/TLS certificate to a Carbonio installation, including both a single server certificate and a wildcard certificate. Carbonio supports the installation and maintenance of Let’s Encrypt certificates; detailed instructions are available on the Zextras Community page.
This configuration is required if Carbonio is used in combination with mobile applications; it is also recommended for any installation to prevent the client browser’s warning about an invalid certificate upon connecting.
You can manage SSL domain certificates from the Carbonio Admin Panel: check out Virtual Hosts & Certificate.
Installation of Commercial Certificates
We will describe the technique by using the following scenario:
The FQDN of the server is mail.example.com.
The domain does not have an SSL certificate.
Replace mail.example.com with your actual server FQDN in the remainder.
The technique is simple and involves console access to the Carbonio server.
Step 1: Create a Certificate Signing Request.
We begin by creating a CSR:
# /opt/zextras/bin/zmcertmgr createcsr comm -new -subject \"/C=IT/ST=VR/L=Yourtown/O=YourCompany/OU=SampleDepartment/CN=mail.example.com"\
Where the different items in the topic are the typical SSL certificate fields:
C: the two-letter country code
ST: stands for State or Province.
O: Name of Organisation
OU: OU stands for Organisation Unit (Department)
CN: CN stands for Common Name.
You can optionally include more than one (alternative) name by simply adding to the end of the command one ore more -subjectAltNames options, followed by the name to add.
Following the execution of the command, the following files will be generated:
Step 2: Obtain your SSL certificates from your SSL supplier.
To successfully finish this step, send the CSR to the SSL provider and obtain a commercial certificate in PEM format, which you should store as /opt/zextras/ssl/carbonio/commercial/commercial.crt.
Furthermore, SSL providers include the intermediate certificate as well as the so-called Root CA in a packaged certificate file (“Full Chain CA”), which must be stored as /opt/zextras/ssl/carbonio/commercial/commercial_ca.crt.
Step 3: Validation and deployment
To ensure that the certificate and your private key match, run the following commands:
become the zextras user
# su - zextras
Go to the directory where the certificates are kept as the zextras user:
zextras$ cd /opt/zextras/ssl/carbonio/commercial
check the certificates
zextras$ zmcertmgr verifycrt comm commercial.key commercial.crt commercial_ca.crt
If the verification is successful, the SSL certificate can be deployed.
# zmcertmgr deploycrt comm commercial.crt commercial_ca.crt
Finally, relaunch Carbonio.
# zmcontrol restart
Your certificate should now be ready to use: Run the following command to validate the certificate details:
# zmcertmgr viewdeployedcrt
Installation of a Wildcard Certificate
To demonstrate this technique, we utilise the same server with the FQDN mail.example.com, but there is already a wildcard SSL certificate for domain *.example.com that was produced on a server different than Carbonio’s.
As a result, you have all of the required credentials, and the method is simpler in this situation.
Step 1: Create certificates
Save the current PEM certificate and private key as /opt/zextras/ssl/carbonio/commercial/commercial.crt
and /opt/zextras/ssl/carbonio/commercial/commercial.key respectively.
Now, navigate to /opt/zextras/ssl/carbonio/commercial/ and merge the two certificates into a single one:
Make sure that you use the same name used when creating the TXT record.
If the DKIM record has been added correctly, the output contains the record, starting with v=DKIM1. Otherwise, if the DKIM record has not been set correctly, or if there was some issue in retrieving it, you will not see the string v=DKIM1 in the output.
DKIM service enabled
The openDkim service must be running on the Carbonio installation for the outgoing e-mails to be correctly signed. This can be verified in the output of the command
# carbonio prov gs $(zmhostname)|grep -i service
must contain the line:
E-mail signature test
To verify that an outgoing e-mail has been correctly signed, the easiest way is to send an e-mail from the domain to a third-party address. The e-mail receiver can then look at the source code of the e-mail (The option is usually called View e-mail source code, Show original, Show e-mail headers or similar in any e-mail client).
In the source code, you should see a line similar to the following:
Make sure your actual domain name is present instead of example.com.
Carbonio Integrated Services
Carbonio includes by default a number of tools and functions that aid in the management of email traffic and the detection of dangerous information in emails and attachments. Furthermore, rights may be provided to certain users and delegated for the control of Carbonio server components. This section introduces them briefly.
Anti-Virus and Anti-Spam Defence
The Amavisd tool serves as a bridge between the Carbonio MTA and the Clam Anti-Virus (ClamAV) and SpamAssassin software, which provide anti-virus and anti-spam functionality, respectively.
ClamAV is the de-facto Open Source anti-virus software standard, and it is the virus prevention engine that is activated on each Carbonio server.
ClamAv is set up to transport mails that have been recognised as containing a virus from the Inbox to a designated virus quarantine mailbox. ClamAv virus signature updates are downloaded every two hours by default.
Carbonio employs SpamAssassin to detect unsolicited commercial e-mail (spam) or e-mail containing harmful material using signatures saved in either a BerkeleyDB or a MariaDB database.
To give further protection against mail server overload, the Postscreen feature can be enabled.
Obtaining Access to Qurantined E-mails
E-mails kept in the quarantine mailbox are not available to normal users and are preserved in a separate account that cannot be accessed from the accounts list.
To discover quarantined e-mails, log in to the domain as an Administrator or a Delegated Admin with quarantine access, then search for the phrase virus in the search box. As a consequence, an account with the name virus-quarantine.@example.com will be created, where is a randomly generated string. Select View mail from the context menu by right-clicking on it. This will access the account’s inbox, where you may check your e-mails.
Carbonio’s LDAP passwords employ the SHA-512 algorithm by default. While this algorithm is safe and has no known flaws, some institutions may require a more secure method.
Carbonio now supports LDAP password storing using the Argon2 algorithm as of version 23.4.0.
SHA-512 remains the default algorithm for Carbonio installations, however the new algorithm may be enabled via a two-step procedure.
However, before beginning the operation, it is recommended that an LDAP database dump be created using the instructions and commands described in Upgrade’s section Preliminary Tasks..
The initial part of the operation is up to the administrator, who must run the following script as the zextras user to activate the new Argon2 algorithm.
When the script is finished, Argon2 will be set as the default password for new passwords. Passwords for all new LDAP accounts will now be saved using Argon2. Existing passwords, on the other hand, will continue to utilise SHA-512.
The second stage is entirely up to the users: each user’s password will be saved in Argon2 only when they update it.
The Administrator can force a user to change password from the Carbonio Admin Panel by enabling option This user must change password, that appears in tab General when editing a user under Domains ‣ Accounts. See section Accounts for details.
Amavis Anti-Virus should be turned off.
There are times when an Administrator wants or has to disable Carbonio’s internal anti-virus engine, amavis, such as when utilising an external anti-virus engine or investigating an MTA issue in a test environment.
In such instances, the status of amavis can be manually deactivated via the CLI with the command