Domains

The Domain page allows the management of domains and of related settings, including individual accounts, user quota and authentication, mailing lists, and more.

When opening this page, the list of all configured domain presented. To choose a domain an show its configuration, click it on the list or start typing its name in the text box below the Domain label.

The following sections are available in the page: domain details and domain management.

Create New Domain

To create a new domain, fill in the form that opens upon clicking the CREATE button.

Options for Domain acme.example

Two types of options are available during the creation of a new domain:

• General information

  The only mandatory data to supply it the domain name, which is its FQDN. All other data are optional and can be set at a later point.

  Important options that can be configured during the domain creation are the total number of accounts that can be managed for the domain and the e-mail quota. Also a description can be added.

• GAL settings

  Except for the GAL mode, currently only Internal, it is possible to define the account used to synchronise GAL information, the mail server used, which must be on the same domain (or in a compatible one, i.e., in a valid alias URL, see section Virtual Hosts & Certificate below).

The image below shows how a sample domain is created.

Further configuration option for the domain, including how to configure authentication and accounts in the domain, can be found in the Domain Details section.

Domain Details

In the various subsection present in Domain Details, it is possible to refine the configuration of the domain. Values for most of the options (for example the Time Zone), if not specified for a given domain, are inherited from the main domain defined.

General Settings

General setting influence the basic domain configuration; most of them appear during the creation of the domain. Additional options allow to define the time zone, the use of HTTP or HTTPS protocol (we suggest using always the latter), and a mail server used for spam-relay purposes.

Moreover, a default COS and its status can be attached to the domain.

COS statuses

A COS can be defined for a whole domain or an account and determines its status, that is, its ability to log in to the domain and access the e-mail. If the domain COS and a user’s COS differ, the resulting status of the account is shown. Each COS can be defined with one of the following five values.

1. Active. The COS is enabled, therefore the domain and its accounts can be used for everyday operations.

2. Closed. The domain is shut down, no access is granted, and all incoming e-mails are rejected.

   Hint

   This status overrides the individual accounts COS status.

3. Locked. In this state, user access is not possible, unless individual accounts are marked as Active. Incoming e-mails are regularly delivered to the accounts.

4. Maintenance. Users can not log in, their incoming e-mails are not delivered but are kept in a queue by the MTA. If the account’s status is closed, it overrides the domain status setting, that is, the user’s incoming e-mails are rejected.

5. Suspended. A status similar to maintenance, with the difference that no accounts or distribution lists can be changed. If the account’s status is closed, it overrides the domain status setting, that is, the user’s incoming e-mails are rejected.

We build on the domain created in previous section and attach some property.

Public Service Protocol

Force clients to connect only using https.

Public Service Host Name

It is the FQDN (mail.acme.example) used by clients to connect to the domain and must correspond to the DNS A record to be reachable publicly. If the A record is set to a private IP address, to reach the WebGUI you need some mechanism, like e.g., a VPN tunnel.

Time Zone

The timezone is set to Hawaii’s time.

Default Class of Service

The COS used by the domain, which is left to the default one.

At the bottom of the page, button DELETE DOMAIN allows to delete the domain. When clicked, a dialog will open, listing all items defined on the domain (Accounts, mailing lists, resources, and so on) and that will be deleted together with the domain. Two choices are available: to Close the domain, keeping all items but preventing access, or Remove the domain and all its items.

Warning

The removal of the domain is an operation that can not be undone: all the items are gone forever.

Global Address List

A GAL is a special account (“GALSync Account”) that contains all e-mail accounts configured on the server and provides the ability to quickly search e-mail addresses, for example when composing an email or adding participants to an event in the Calendar. A GAL can be internal when configured on Carbonio CE, external (when configured on the LDAP used by Carbonio CE, or both. In this page you see the email-address of the GALSync account, you can change it from external to internal, or vice versa, or both. you can also remove it, create it if missing, and change some of its options.

The GALSync account is updated regularly, according to the interval specified in the Settings section of the page. Administrators can force a resynchronisation of all GALs defined on a domain by clicking the RE-SYNC button.

Virtual Hosts & Certificate

A Virtual Host is an alternative name given to a domain that can be used to access the same domain. To be able to use the virtual host, the name must be registered on the domain’s DNS with an A record.

To each virtual host you can associate an SSL certificate. Carbonio CE supports the upload of multiple SSL domain certificates from the Carbonio Admin Panel and associate them to different domains, a procedure that requires only a few steps.

Note

The generation of server-side certificates directly on Carbonio CE and the management of wildcard certificate are tasks that can be carried out from the CLI only: check out section Deploy an SSL Certificate if you need to use either of them.

Select the virtual host, then click UPLOAD AND VERIFY CERTIFICATE. In the dialog, you can choose to use:

• A Let’s Encrypt longChain Certificate, i.e., including an intermediate certificate. Make sure to satisfy the requirements before clicking the GENERATE CERTIFICATE button. Complete the procedure according to the directions below.

• A Let’s Encrypt shortChain Certificate, without intermediate certificate: like the previous case, make sure to satisfy the requirements before clicking the GENERATE CERTIFICATE button. Complete the procedure according to the directions below.

  Let’s Encrypt’s Short and Long Chain certificates.

  Without going into much details, the difference between the two types of certificates issued by Let’s Encrypt (“ISRG Root X1”) is the compatibility with older Android clients and SSL libraries.

  More technically, the difference is that the Short Chain contains two certificates: Let’s Encrypt’s Root certificate and the one issued to your website, signed by the former; while the Long Chain three: the same of the Short Chain and an intermediate certificate. The ISRG Root X1 indeed, was issued quite recently and may not be known to some browsers, devices, or clients, therefore it was decided to add as intermediate certificate another root certificate that is well known to clients, to expand compatibility.

  See also

  More details and technicalities about the Short vs. Long Chain certificates can be found in article Long (default) and Short (alternate) Certificate Chains Explained.

• A custom certificate. In this case, you need to provide by yourself the three files of the authorisation chain (i.e., the Domain Certificate, the Certificate CA Chain, and the Private Key) in the first or copy the content of the individual files in the appropriate fields. Click VERIFY to verify the certificates: if everything is correct, notification The certificate is valid will appear. To use the certificate, click the I WANT TO USE THIS CERTIFICATE button to upload and use the certificate. Again, a notification will be shown (The certificates have been saved). To complete the procedure: if you are on a Single-Node, restart it otherwise you need to restart the node on which the Proxy is installed.

You can REMOVE or DOWNLOAD the certificates by clicking the appropriate button above the certificates themselves.

Procedure to install a Let’s Encrypt certificate

Let’s Encrypt Requirements

Before attempting to ask for a Let’s Encrypt certificate, make sure that:

1. Public Service Protocol and Public Service Host Name are correctly set in the Carbonio Admin Panel’s Domain ‣ General Settings

2. There is a Virtual Host correctly configured for the domain you want the certificate

3. A, AAAA, and CNAME records are configured in the domain’s DNS configuration

4. The domain has a valid FQDN that can be resolved from anywhere (i.e., the domain must be publicly accessible)

5. The Proxy Nodes are reachable from the Internet on port 80 (http). In case the proxy can not be directly reached, you must add some forwarding rules.

6. You run all command in this section as the zextras user

7. The zimbraReverseProxyMailMode attribute has been set to redirect at global level. You can verify if this is the case with command

   zextras$ carbonio prov gacf zimbraReverseProxyMailMode
   

   If the output is not redirect, you can set it with

   zextras$ carbonio prov mcf zimbraReverseProxyMailMode redirect
   

8. you have unset the same attribute on the Proxy Nodes

   zextras$ carbonio prov ms $(zmhostname) zimbraReverseProxyMailMode ""
   

9. (Optional) To receive e-mail responses from Let’s Encrypt, Carbonio attributes carbonioNotificationRecipients and carbonioNotificationFrom are defined at global level.

Hint

If you have more than one Proxy Node, execute the commands on each Proxy Node.

Once done, execute the following commands to pick up the changes on the Proxy Node

zextras$ /opt/zextras/libexec/zmproxyconfgen
zextras$ zmproxyctl restart

To correctly issue a Let’s Encrypt certificate for your Carbonio CE installation, you should carry out the following steps.

The starting point is to generate the certificate using the Carbonio Admin Panel button, as shown in the previous section. besides the message on the bottom right corner, you will receive in a few minutes an e-mail, provided you set Carbonio attributes, see list above, stating the success or failure of the certificate’s generation.

Hint

You can follow the process by checking the log file /var/log/carbonio/letsencrypt/letsencrypt.log on the Proxy Node, using the tail -f command from the CLI.

In case of failure, the e-mail will report the errors encountered that you need to fix before attempting again. Take into account that if you continuously ask for a certificate without success, you can be temporarily be prevented to ask again.

The message Successfully received certificate appears in the e-mail when the issue is successful, together with other information, including the expiry date, followed by a second confirmatory e-mail.

At this point you can deploy the certificate on your infrastructure. Log in to the CLI and issue, as the zextras user, the commands

zextras$ /opt/zextras/libexec/zmproxyconfgen
zextras$ /opt/zextras/bin/zmproxyctl reload

The certificate expires after 90 days, and, according to Let’s Encrypt recommendations should to be renewed 30 days before expiration. You can do so manually running, as the zextras user the certbot renew command from the CLI or, if you are confident, routinely from the crontab.

Once done, run again the two deployment commands

zextras$ /opt/zextras/libexec/zmproxyconfgen
zextras$ /opt/zextras/bin/zmproxyctl reload

Mailbox Quota

These settings allow to define a maximum limit (in bytes, with 0 meaning no limit) for the space used by each account and by the entire domain. It is also possible to set a value that, when reached, will send a warning by e-mail to a given address. The values configured here are inherited by all accounts that will be created, but can be overridden on a per-user basis.

To ease monitoring user’s quota, the bottom of the page contains a list of accounts and of their used quota.

Manage Domains

The Manage Domains page contains options to configure accounts, mailing, and generic resources.

Accounts

The list of all account in the domain is present here, along with information on their type and status.

The list can be filtered using the text field above the list, while a new account can be created using the + button.

A click on any account will open a new panel that contains a number of information and options, including the name and aliases, if present, its status (see below), and creation date. The aliases can be easily managed by clicking the MANAGE ALIAS button: in the opening dialog window, select a domain and a new alias, then click + to add the alias to the user.

On the panel’s top right corner, buttons allow to edit or delete the user, and also to redirect to the user’s mailbox.

When editing a user’s account, most of the option are the same that can be found in the Create New Account section and are organised in tabs. Options defined in the user’s COS are inherited, but can be modified for any individual user.

Note

The values that have been modified are accompanied by a circular arrow icon. If you hover on that icon, you will see the inherited value, while if you click on it you will restore the COS value.

General

This tab contains all the options provided during the account creation, plus other options, including:

• The ability to prevent the user from changing the password

• To remove the user’s password from LDAP

• The Mailing list memberships

• To move a user to another domain, which must be defined on the same server, by writing the new one in the Domain Name

Note

An Admin can not change the password of a user, only wipe it, so the user is forced to change it on the next login attempt.

Profile

Data in this tab represent the user’s phones, company, and address. They can be managed by both the user and the Administrators.

Configuration

The options listed here allows to specify forwarding addresses and to prevent e-mail messages to be saved locally, if these operations are allowed by the administrator. Values for these options can be set from the CLI: please refer to section Setting Features from CLI for more information.

User Preferences

The preferences in this tab concern how a user sees or interacts with the e-mails (receive, sending, composing, adding a signature) and are mostly inherited from the COS.

Note

Signatures can not be assigned to Resources.

Security

Options present here allow to manage the account security: OTP and policies for password and failed login. New application passwords and OTP tokens can be created to allow the user to login by using a QR Code; a policy can set to force the user to select a secure password and the type of characters to be chosen. The Failed login policy determines how the system behaves when a user fails too many consecutive logins.

In the Simplified View, select a user or group, then the permission and click the ADD THE ACCOUNT button to add it as a delegate. The delegated accounts will appear at the bottom of the tab.

In the Advanced View, a three steps procedure (SELECT MODE, SET RIGHTS, and ADD) guides you to complete the same task. The last step, similarly to the other guided procedures in the Carbonio Admin Panel, allows to review the settings before saving them.

Note

The user who delegates and the user who is the delegated can not share the same account; in other words, it is not possible to add as a delegated user the same account of the user who is delegating.

At the bottom of the panel, a list of the active sessions appears: for example, if a user has logged in from three different devices and never logged out, three sessions will appear. When selecting one of them, clicking the END SESSION button will close that session.

Create New Account

In order to create a new account, click the + button: a dialog window opens and allows you to set up the basic configuration of the new account.

Step 1: Create New Account John Smith

We create the first account for the CEO of ACME Corporation and provide the following data.

• Name, Middle Name Initials, and Surname will be used to define the user name. We use only Name (John) and Surname (Smith), which result in the JohnSmith username.

  Hint

  You can change the automatically generated username at will, for example to match company policies.

• Password is the one used by John for the first login only

• User will change password on the next login requires that John, after the first log in (and before accessing his mailbox) must change the password.

We also explicitly configure the Account Status (see the list of possible values), but do not change the Default COS. Click the CREATE WITH THESE DATA button to create the account

Note

When assigning a COS to a user, all the values defined in that COS will be inherited by the user. They can be later changed on a user basis later, when editing the account.

(Optional) Step 2: Send OTP to John Smith

Once the account has been created, you can optionally create an OTP code for John Smith, that he can use to quickly access his account.

Account statuses

A user account can be in one of the following statuses.

1. Active. The account is enabled and ready for everyday operations: the user can log in and send and receive e-mails.

2. Under Maintenance. This state occurs during maintenance operations on the domain or account: backup, import, export, restore. The user can not login, e-mails are queued on the MTA.

3. Locked. The account can not be accessed by the user, but incoming e-mails are still delivered. This status can be set for example if the user violates the terms of service or if the account has been cracked

4. Closed. The user is not allowed to log in, incoming e-mails are rejected.

5. Pending. This status is usually seen during the account creation, when it is not yet active. User can not log in, incoming e-mails are rejected.

6. LockOut. This is the only status that can not be set. It is applied automatically when the log in attempts fail for a given number of times. It is a preventive measure to avoid unauthorised access of brute force attacks. The account will not be accessible for a given interval (“lockout period”)

   Hint

   Both the number of failed attempts and the lockout period can be configured.

Create New Global Admin

To create a new Admin, you need first to create the account, as explained in the previous section. We give this account the acme_admin name.

Then, from the account list, select the new account, then click the pencil icon to edit it.

Fig. 4 Create a new Global Admin.

To make acme_admin a Global Admin, in the General tab go to Settings and click the switch with label This is a Global Administrator, then save. The acme_admin user is now able to access the Carbonio Admin Panel.

Mailing List

Mailing list can be simply created by clicking the + button to open a tabbed modal dialog in which to configure the mailing list.

In the first tab you can give a name, an address, and a description to the mailing list; in the second add Members by simply writing the e-mail addresses in the test field.

Hint

E-mail addresses are auto-completed while typing.

In the third tab, advanced settings can be configured, including the option to send notification to new members and the presence of the mailing list in the GAL.

The last tab recaps the settings: now you can either go back to any of the previous tabs and change some of the settings, or proceed to create the mailing list.

Once a mailing list has been created, it can be further configured by adding aliases, which work like e-mail accounts, changing the members, and granting selected users the permission to send e-mails to the mailing list.

Dynamic Mode

Mailing list’s Dynamic Mode allows the automatic management of members. Indeed, each Dynamic Mailing List is identified by a name and by a unique Mailing List URL, which is an LDAP query that automatically populates the members of the Mailing List.

To create a Dynamic Mailing List, the procedure is similar to the normal Mailing Lists: click the + button and provide a Displayed Name name and list Name, then click the Dynamyc Mode switch to access more options, including the Mailing List URL, which is mandatory. You can also make the list Hidden from GAL and add owners to the list, who can manage the configuration of the list.

Advanced options, like subscription and unsubscription options are available after the creation of the Dynamic Mailing List, when editing it.

Resources

A Resource is a generic object that can be assigned an e-mail address, but, unlike other regular accounts, they do not need any signature, so you can not specify one. A typical example of a Resource is a meeting room: to reserve the room, send an e-mail to the room’s e-mail address.

A policy can be assigned to Resource, to determine how to react to the booking request, either a manual or automatic acceptance or rejection.

Additional e-mail addresses can be added to the resource, for example to notify the company’s facility manager which meeting rooms are reserved and which are free.