This section describes how to configure security on a typical Carbonio installation.
Install an SSL Certificate
We describe how to add an SSL/TLS certificate to a Carbonio installation in this section, including how to add a certificate for a single server or a wildcard certificate. Let’s Encrypt certificate installation and maintenance are supported by Carbonio; you may find instructions for doing so in a specific page on the Zextras Community portal.
This configuration is required if Carbonio is used in combination with mobile apps; it is also advised for any installation to prevent the client browser’s connection-related warning about an invalid certificate.
Installation of Commercial Certificates
We’ll explain the process while accounting for the following circumstance:
- The FQDN of the server is mail.example.com.
- There isn’t a valid SSL certificate for the domain.
Replace mail.example.com with your actual server’s FQDN in the remaining text.
The process has only a few steps, all of which require console access to the Carbonio server.
Step 1: Creation of a Certificate Signing Request
We begin by producing a CSR:
where the elements of the subject correspond to the fields required for an SSL certificate:
- C: the two-letter country code
- ST: province or state
- L: city
- O: organisation name
- OU: organisational unit (department)
- CN: Common Name, which must be the server's FQDN (mail.example.com in this example)
These files will be created after the command has been run:
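The same step carried out with plain openssl, as an added example that is not Carbonio's own certificate tooling: it creates the private key with owner-only permissions, builds a CSR from the subject fields listed above (the values are constructed placeholders, with CN set to the FQDN you pass in), and reads the CSR back so you can confirm the Common Name and its signature before sending it to the CA.

```shell
#!/bin/sh
# Added example (plain openssl, not Carbonio's own certificate tooling):
# create a private key and a CSR carrying the subject fields listed above.
# Subject values are constructed placeholders; CN must be the server FQDN.

# make_csr WORKDIR FQDN: writes WORKDIR/FQDN.key and WORKDIR/FQDN.csr
make_csr() {
    workdir="$1"
    fqdn="$2"
    subject="/C=US/ST=State/L=City/O=Example Org/OU=IT/CN=${fqdn}"
    # The private key never leaves this host: create it with owner-only permissions
    # (subshell so the umask change does not leak into the caller).
    ( umask 077 && openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
          -out "${workdir}/${fqdn}.key" 2>/dev/null )
    # The CSR is what goes to the CA; it carries only the public key and the subject.
    openssl req -new -key "${workdir}/${fqdn}.key" -subj "$subject" \
        -out "${workdir}/${fqdn}.csr"
}

# csr_cn FILE: print the Common Name in a CSR (works with old and new openssl subject formats)
csr_cn() {
    openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# csr_verify FILE: true if the CSR's self-signature checks out, i.e. it was not corrupted
csr_verify() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Usage: sh make_csr.sh WORKDIR FQDN
if [ "$#" -eq 2 ]; then
    make_csr "$1" "$2"
    csr_verify "$1/$2.csr" || { echo "CSR signature check failed"; exit 1; }
    echo "CSR for $(csr_cn "$1/$2.csr") written to $1/$2.csr"
fi
```

Keep the generated .key file on the server and submit only the .csr; the key is what Step 3 later compares against the certificate the provider returns.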
Step 2: Obtain the certificates from your SSL provider
You must submit the CSR to the SSL provider, obtain a commercial certificate in PEM format, and store it as /opt/zextras/ssl/carbonio/commercial/commercial.crt in order to properly finish this step.
Additionally, SSL providers give a packaged certificate file (referred to as a “Full Chain CA”) that must be stored as /opt/zextras/ssl/carbonio/commercial/commercial_ca.crt. This file also contains the intermediate certificate and the so-called Root CA.
Step 3: Verify and deploy
To ensure that the certificate and your private key are compatible, use the instructions below:
- As the zextras user, enter the directory containing the certificates:
- Verify the certificates:
- If verification succeeds, deploy the SSL certificate:
- Restart Carbonio to finish:
Your certificate should now be installed. Run the following command to confirm the certificate's details:
Installing Wildcard Certificates
We employ the same server with the FQDN mail.example.com to explain this process, but in this instance a wildcard SSL certificate for the domain *.example.com already exists and was created on a server other than Carbonio’s.
As a result, you already have all the required files, which makes the process simpler in this case.
Step 1: Certificate setup
The current PEM certificate must be saved as /opt/zextras/ssl/carbonio/commercial/commercial.crt, and its private key must be saved as /opt/zextras/ssl/carbonio/commercial/commercial.key.
To combine the two certificates into one, navigate to /opt/zextras/ssl/carbonio/commercial/ and do as follows:
Step 2: Verify and deploy
To ensure that the certificate and your private key are compatible, use the instructions below:
- As the zextras user, enter the directory containing the certificates:
- Verify the certificates:
- If verification succeeds, deploy the SSL certificate:
- Restart Carbonio to finish:
Your certificate should now be installed. Run the following command to confirm the certificate's details:
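The verification step of both procedures (commercial and wildcard) comes down to three checks: the private key belongs to the certificate, the certificate chains up to a root through the "Full Chain CA" bundle, and the certificate is not about to expire. The script below performs them with plain openssl; it is an added example, not Carbonio's own verification command, and takes the file paths as arguments (on the layout described above those would be /opt/zextras/ssl/carbonio/commercial/commercial.crt, commercial.key and commercial_ca.crt).

```shell
#!/bin/sh
# Added example (plain openssl, not Carbonio's certmgr verification command):
# the checks worth running before deploying a commercial or wildcard certificate.

# cert_matches_key CERT KEY: true if the certificate's public key is the one in KEY.
# Comparing the SPKI PEM text works for RSA and EC keys alike; a mismatch here
# means the wrong key file was copied or the CA issued against a different CSR.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    k=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$c" = "$k" ]
}

# chain_ok CERT CA_BUNDLE: true if CERT validates up to a root contained in CA_BUNDLE
# (the "Full Chain CA" file: intermediate(s) plus root).
chain_ok() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# cert_not_expiring_within CERT SECONDS: true if CERT is still valid SECONDS from now.
cert_not_expiring_within() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# cert_details CERT: subject, issuer, validity window and SANs to eyeball after deployment.
# (-ext needs openssl 1.1.1+; fall back to the basic fields on older builds.)
cert_details() {
    openssl x509 -in "$1" -noout -subject -issuer -dates -ext subjectAltName 2>/dev/null \
        || openssl x509 -in "$1" -noout -subject -issuer -dates
}

# Usage: sh check_cert.sh CERT KEY CA_BUNDLE
if [ "$#" -eq 3 ]; then
    status=0
    if cert_matches_key "$1" "$2"; then echo "ok: private key matches certificate"
    else echo "FAIL: private key does not match certificate"; status=1; fi
    if chain_ok "$1" "$3"; then echo "ok: certificate chains to a root in the bundle"
    else echo "FAIL: chain does not validate against the bundle"; status=1; fi
    if cert_not_expiring_within "$1" 2592000; then echo "ok: valid for at least 30 days"
    else echo "WARN: certificate expires within 30 days"; fi
    cert_details "$1"
    exit "$status"
fi
```

A wildcard certificate shows the *.example.com name in the subject or SANs printed by cert_details; for a single-server certificate the CN or SAN must be the FQDN the clients connect to, otherwise the browser warning the section opens with will remain.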
Add a DKIM Record to the Carbonio Installation
The instructions in this section explain how to add a DKIM record to the DNS of a domain that is under the control of a Carbonio installation.
Create a DKIM record
There are two processes involved in creating a new DKIM record. As per usual, the domain name in our example is example.com; please substitute your own domain name here.
Test and Verify
Several tests can be performed to ensure that the DKIM record has been correctly added to the domain's DNS and that outgoing emails are being signed.
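One of those tests is checking the published record itself. The script below, an added example rather than anything from Carbonio, takes the text of the TXT record (what `dig +short TXT <selector>._domainkey.example.com` returns; the selector name is whatever your installation generated) and verifies that it is a well-formed DKIM1 record whose p= tag decodes to an RSA public key of acceptable size. The test material is a constructed record built from a freshly generated key.

```shell
#!/bin/sh
# Added example (not part of Carbonio): sanity-check a published DKIM TXT record.
# Input is the record text as returned by a DNS lookup; multiple quoted strings
# (how DNS splits long records) are joined by stripping the quotes.

# dkim_tag RECORD TAG: print the value of TAG= in RECORD (empty if absent).
# Whitespace inside the value is dropped, as DKIM permits folding around it.
dkim_tag() {
    printf '%s\n' "$1" | tr -d '"' | tr ';' '\n' \
        | sed -n "s/^[[:space:]]*$2=//p" | tr -d '[:space:]'
}

# dkim_key_bits P_VALUE: wrap the base64 SPKI from the p= tag as PEM and let openssl
# parse it; prints the RSA modulus size, or nothing if it is not a valid public key.
dkim_key_bits() {
    {
        printf '%s\n' "-----BEGIN PUBLIC KEY-----"
        printf '%s\n' "$1" | fold -w 64
        printf '%s\n' "-----END PUBLIC KEY-----"
    } | openssl pkey -pubin -text -noout 2>/dev/null \
      | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# dkim_check RECORD: returns 0 if the record is usable for verifying signatures,
# printing the reason otherwise. Rules follow RFC 6376 / RFC 8301.
dkim_check() {
    rec="$1"
    v=$(dkim_tag "$rec" v)
    k=$(dkim_tag "$rec" k)
    p=$(dkim_tag "$rec" p)
    if [ -n "$v" ] && [ "$v" != "DKIM1" ]; then
        echo "bad version tag: $v"; return 1
    fi
    if [ -n "$k" ] && [ "$k" != "rsa" ]; then
        echo "unsupported key type for this check: $k"; return 1
    fi
    if [ -z "$p" ]; then
        echo "empty p= tag: key missing or revoked, signatures will not verify"; return 1
    fi
    bits=$(dkim_key_bits "$p")
    if [ -z "$bits" ]; then
        echo "p= does not decode as an RSA public key"; return 1
    fi
    if [ "$bits" -lt 1024 ]; then
        echo "key too short ($bits bits): verifiers reject keys under 1024 bits"; return 1
    fi
    if [ "$bits" -lt 2048 ]; then
        echo "ok but weak: rsa $bits bits, 2048 is recommended"
    else
        echo "ok: rsa $bits bits"
    fi
}

# Usage: sh dkim_check.sh 'v=DKIM1; k=rsa; p=MIIB...'
if [ "$#" -eq 1 ]; then
    dkim_check "$1"
fi
```

Run it against the lookup result after publishing the record and again after any key rotation; an empty p= or a record split across strings with a stray quote are the two common ways a record that "looks right" in the DNS console still fails to verify.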
Carbonio Integrated Services
Carbonio comes with a number of tools and functions, enabled by default, that help control email flow and detect dangerous content in emails and their attachments. Additionally, the administration of certain areas of the Carbonio server can be delegated to particular users. These are introduced in this section.
Protection from viruses and spam
Amavisd connects the Carbonio MTA with Clam Anti-Virus (ClamAV) and SpamAssassin, which provide the anti-virus and anti-spam functions respectively.
Anti-Virus Defence
ClamAV, which is the virus prevention engine enabled on each Carbonio server, is the de facto Open Source standard for antivirus software.
Messages that ClamAV identifies as carrying a virus are moved from the Inbox to the virus quarantine mailbox. By default, ClamAV virus signature updates are downloaded every two hours.
Anti-Spam Defence
Carbonio uses SpamAssassin, with signatures kept in either a BerkeleyDB or a MariaDB database, to recognise unsolicited commercial e-mail (spam) and e-mail containing malicious content.
Postscreen can be enabled for additional protection against mail server overload.
Accessing Quarantined Emails
Regular users cannot read emails that have been preserved in the quarantine mailbox because they are saved in a special account that is not available from the accounts list.
To locate quarantined emails, log in to the domain as an Administrator or as a Delegated Admin with access to the quarantine and type “virus” into the search bar. The result is a user account named virus-quarantine.<string>@example.com, where <string> is a randomly generated string. Right-click it and choose View mail to inspect the emails in that account's inbox.
Protecting LDAP
By default, Carbonio uses the SHA-512 algorithm for LDAP passwords. Although there are no known flaws in this method, some institutions could need a more secure approach.
Since version 23.4.0, Carbonio supports the Argon2 algorithm for LDAP password storage.
Although SHA-512 remains the default for Carbonio installations, the new algorithm can be enabled with a straightforward two-step process.
Before beginning, it is advisable to create a dump of the LDAP database, using the instructions and commands listed in the Preliminary Tasks section of the Upgrade chapter.
The initial part of the process is up to the administrator, who must run the script below as the zextras user in order to activate the new Argon2 algorithm.
Argon2 will be used by default for new passwords after the script has successfully run. All future LDAP passwords will be kept in Argon2 going forward. However, existing passwords will continue to utilise SHA-512.
The second step is, in fact, up to the users: Argon2 will only be used to store each user’s password once they update it.
Disable Amavis Anti-Virus
An administrator may wish or need to stop Carbonio's internal anti-virus engine, Amavis, for example when using an external anti-virus engine or when analysing an MTA issue in a test environment.
In such cases, Amavis can be disabled manually with the CLI command
The status of both the variable and the service can be checked at any time with