Preliminaries#
In this section, we list some naming conventions we use in the documentation and present some tasks you need to carry out on each of the Nodes before starting with the actual installation.
Hint
We invite you to subscribe to our newsletter to gain early access to dedicated content for Carbonio CE admins, including:
Release notes and upcoming updates
The latest news and announcements
Expert technical guides for Carbonio CE
Please fill in the form at https://zextras.com/carbonio-community-edition#discoverproduct
Naming conventions#
When deciding the names of the Nodes, we suggest to match the Node name and the Component installed on it (or the main Component in case a Node features multiple Components), for example:
proxy1.example.com is the (first) Proxy Node
mta1.example.com is the (first) MTA Node
similarly for other Nodes
By naming Nodes in this way, in case you have you have multiple nodes featuring the same Component, or you want to expand your infrastructure, you only need to increase the sequence number:
proxy2.example.com becomes the second Proxy Node
mta2.example.com becomes the second MTA Node
similarly for other Nodes
Additionally, throughout this documentation, we will use Proxy Node(s) to denote the Node(s) on which the Proxy Component is (are) installed; MTA Node the Node featuring the MTA, and so on.
Configure repositories#
In order to configure Carbonio CE’s repository, you need to some files with the necessary information.
It you install Carbonio CE on Ubuntu, you also need to import the GPG key used for signing the packages and verify them.
You need to create file /etc/apt/sources.list.d/zextras.list
and add the following content to it:
deb [arch=amd64 signed-by=/usr/share/keyrings/zextras.gpg] https://repo.zextras.io/release/ubuntu jammy main
Hint
Make sure the above content is correctly saved on the same line
You need to create file /etc/apt/sources.list.d/zextras.list
and add the following content to it:
deb [arch=amd64 signed-by=/usr/share/keyrings/zextras.gpg] https://repo.zextras.io/release/ubuntu noble main
Hint
Make sure the above content is correctly saved on the same line
You need to create file /etc/yum.repos.d/zextras.repo
and add the following content to it:
[zextras]
name=zextras
baseurl=https://repo.zextras.io/release/rhel8
enabled=1
repo_gpgcheck=1
gpgcheck=0
gpgkey=https://repo.zextras.io/repomd.xml.key
You need to create file /etc/yum.repos.d/zextras.repo
and add the following content to it:
[zextras]
name=zextras
baseurl=https://repo.zextras.io/release/rhel9
enabled=1
repo_gpgcheck=1
gpgcheck=0
gpgkey=https://repo.zextras.io/repomd.xml.key
This step is required only on Ubuntu systems (Ubuntu 22.04 and Ubuntu 24.04).
Download and save the GPG key
# wget -O- "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x5dc7680bc4378c471a7fa80f52fd40243e584a21" | gpg --dearmor | sudo tee /usr/share/keyrings/zextras.gpg > /dev/null
Assign correct access permissions to the key
# chmod 644 /usr/share/keyrings/zextras.gpg
Download and save the GPG key
# wget -O- "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x5dc7680bc4378c471a7fa80f52fd40243e584a21" | gpg --dearmor | sudo tee /usr/share/keyrings/zextras.gpg > /dev/null
Assign correct access permissions to the key
# chmod 644 /usr/share/keyrings/zextras.gpg
This step is not needed.
This step is not needed.
This step is not needed.
This step is not needed.
You need to add the EPEL repository and enable the BaseOS, Appstream, and CodeReady repositories.
# dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
# subscription-manager repos --enable=rhel-8-for-x86_64-baseos-rpms
# subscription-manager repos --enable=rhel-8-for-x86_64-appstream-rpms
# subscription-manager repos --enable=codeready-builder-for-rhel-8-x86_64-rpms
You need to add the EPEL repository and enable the BaseOS, Appstream, and CodeReady repositories.
# dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
# subscription-manager repos --enable=rhel-9-for-x86_64-baseos-rpms
# subscription-manager repos --enable=rhel-9-for-x86_64-appstream-rpms
# subscription-manager repos --enable=codeready-builder-for-rhel-9-x86_64-rpms
The following are important information concerning the packages repository Carbonio CE and its content. Please read them carefully, as they might save you some time in case of installation or upgrade problems and help you to provide more precise bug reports.
The repository hosts simultaneously packages of two channels:
-
Release Candidate (RC). Packages in this channel are made available as soon as they are built by Zextras development and tested by the QA team. While they are stable, they are not suitable for a use in a production environment, because they might still contain some bugs, new functionalities that have not yet reached a production-level quality, or some broken dependencies might be introduced.
Usually these problems are fixed within days or even hours, so in case just try again before you report some problem.
Use this channel and its packages for testing (or demo) installations only.
RELEASE. This channel contains only packages that are stable and suitable for a production environment.
Hint
When reporting a problem or opening a ticket, remember to always add the channel you are using, as this helps us to analyse the problem quickly.
FAQ
-
I want to help testing things, which channel should I use?
RC channel.
-
I need to install Carbonio in a production environment which channel should I use?
RELEASE channel.
-
How will I be informed about new RC packages?
There will be no notification, because RC channel is updated continuously.
-
How will I be informed about a potential new release incoming?
A red message on the homepage of the documentation site will notify you of the release of a new stable version. You may also be informed through other means of communication such as email and social media.
-
Could there be bugs in the packages downloaded from the RC channel?
Yes, RC versions have a risk of containing bugs (which in some cases could lead to data loss). If you find a bug in an RC package we kindly ask you to report it on the appropriate community page. We will try to resolve it as quickly as possible.
Setting Hostname#
Carbonio CE needs a valid FQDN as hostname and a valid entry in the
/etc/hosts file. Therefore, it is necessary to take care of
properly configuring the /etc/hosts file, otherwise the services
will not be able to bind to the correct address, leading to a
disruption in Carbonio CE's functionality.
To configure the file and the hostname, execute these two commands.
Note
Replace the values srv1.example.com and 172.16.0.10
with values suitable for your setup.
First, set the hostname
# hostnamectl set-hostname srv1.example.com
then replace the content of the /etc/hosts file with IP and
hostname.
# echo -e "127.0.0.1 localhost\n172.16.0.10 srv1.example.com srv1" > /etc/hosts
You can also simply get the current IP and hostname and save it in the
file /etc/hosts/:
# echo "$(hostname -I) $(hostname -f)"
DNS Settings#
This section collects all DNS-related settings, which are crucial in the setup of Carbonio CE, and examples to correctly verify them. To set them, you can use the DNS console of your domain administration panel.
The most important settings, which is mandatory for a Multi-Node setup, is that each Node must be able to carry out DNS resolution autonomously and be able to resolve all other Nodes’ IP addresses.
In the remainder of this section, we assume that your Carbonio CE infrastructure has public IP 203.0.113.124 and FQDN mail.example.com.
The list of settings that are shown in this page includes: DNS A record, DNS MX record, DNS PTR record, and a few TXT records, namely SPF, DMARC, and DKIM; the latter has a dedicated subsection, including commands to verify its correct setup.
Note
While the A, MX and PTR records must be
configured for the proper functioning of Carbonio CE of, TXT records
are not required, but it is recommended to configure them, because
they are used by most providers to block spam and unsolicited
e-mails.
A recordThe whole Carbonio CE infrastructure must have at least one public
IP address. The IP address must have a domain name associated,
that coincides with the A record in the DNS (e.g., A
mail.example.com)
You can check a domain’s A record using the CLI utility host:
# host -t A mail.example.com
MX RecordTo allow the mail server to receive mail, it will be necessary to set up an MX record, which must correspond to the A record (e.g. MX: example.com = mail.example.com )
You can check a domain’s MX record using the CLI utility host:
# host -t MX example.com
If either of the A or MX records is not correctly
configured, the installation will be temporarily suspended to allow
the change of the hostname.
PTR RecordTo allow remote mail server to verify the IP address of your Carbonio CE infrastructure, which is important for spam filtering, you should also configure the PTR record.
You can check a domain’s MX record using CLI utility dig:
# dig -x 203.0.113.124
Sender Policy Framework* is a TXT record used to prevent e-mail spoofing. It contains a string of allowed domain server that are allowed to send e-mails from the domain
You can check a domain’s MX record using CLI utility host:
# host -t TXT example.com
The output should be similar to:
example.com. IN TXT "v=spf1 ip4:203.0.113.124 include:_spf.yourprovider.com -all"
Domain-based Message Authentication, R*eporting, and **C*onformance is an additional TXT record that works in conjunction with SPF And DKIM to provide additional protection against e-mail spoofing and phishing.
You can check a domain’s MX record using CLI utility dig:
# dig TXT _dmarc.example.com
The output should be similar to:
_dmarc.example.com. IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com"
DKIM#
The Domain Keys Identified Mail (DKIM) is a method to verify that an e-mail was sent from a legitimate mail server. Each e-mail is marked with a digital signature that can be verified by the receiver.
Technically, a TXT record that identifies the SMTP server must be added to the domain’s DNS configuration.
See also
DKIM is an Internet Standard first defined in RFC 6376, later updated in RFC 8301 and RFC 8463.
Create a DKIM Record#
In order to create a new DKIM record, two steps are necessary. As usual, we are using example.com in our scenario as the domain name: replace it with the actual domain name.
Execute the following command to generate a new DKIM record for the domain.
$ /opt/zextras/libexec/zmdkimkeyutil -a -d example.com
The output will be similar to the following:
DKIM Data added to LDAP for domain example.com with selector D43CB080-8FE0-11EC-88DF-9958FFC5EFF5
Public signature to enter into DNS:
D43CB080-8FE0-11EC-88DF-9958FFC5EFF5._domainkey IN TXT ( "v=DKIM1; k=rsa; ""p=MIIBIjANBgkqhkiG9w0BAQEFA
AOCAQ8AMIIBCgKCAQEA6fn7z208Gj/UVAL29CeKxhyHrRnals/qs4kWxnWuPK+ogDQjZoD0aUIv6QkUX6Y/KSYUd9qHEy1I7pSNIlyS
ecqeq/YsP5zXzoKD7WmLfE0PGIx0CEtsn4h4MJucm+LNVKziSPVzkVZ0rku15BaBO1bpFd7bvkXMffei3cc2zwrFmFSDVB5P84k1na+
5p1o4NBq3SDn8fks9r6""CJ7dAZQ3LazNmAgenMldkWC7tv+/25CStiz3QQ4GqCn4tp0VW3hWOQm6tRSe1yHEG10XT2cSieFM1w0GzB
XZZEedCK1POmFoOKwgqraxJtqiPdM7i+mjUOy7w1uqJa4fyxjbVp0QIDAQAB" ) ; ----- DKIM key D43CB080-8FE0-11EC-88D
F-9958FFC5EFF5 for example.com
Edit the DNS settings of the domain and create a new record as follows, using the output of the previous command.
Create a new record of type TXT with name D43CB080-8FE0-11EC-88DF-9958FFC5EFF5._domainkey
-
As value of the new record, copy and paste the string within the
(braces)and make sure that the value does not contain any newline, that is, the value is written on one line. For the sake of readability, we intentionally break it on multiple lines:v=DKIM1; k=rsa; ""p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQ EA6fn7z208Gj/UVAL29CeKxhyHrRnals/qs4kWxnWuPK+ogDQjZoD0aUIv6QkU X6Y/KSYUd9qHEy1I7pSNIlySecqeq/YsP5zXzoKD7WmLfE0PGIx0CEtsn4h4MJ ucm+LNVKziSPVzkVZ0rku15BaBO1bpFd7bvkXMffei3cc2zwrFmFSDVB5P84k1 na+5p1o4NBq3SDn8fks9r6""CJ7dAZQ3LazNmAgenMldkWC7tv+/25CStiz3QQ 4GqCn4tp0VW3hWOQm6tRSe1yHEG10XT2cSieFM1w0GzBXZZEedCK1POmFoOKwg qraxJtqiPdM7i+mjUOy7w1uqJa4fyxjbVp0QIDAQAB"
Warning
Depending on the DNS administration panel, it is possible that you need to remove the double quotes, the white spaces, or both!
Test and Verify#
There are several tests that can be carried out to verify that the DKIM has been added correctly to the domain DNS and works correctly to sign the outgoing e-mails.
To check that the TXT record has been added to the DNS, issue the following command from any Linux box.
# nslookup -type=txt D43CB080-8FE0-11EC-88DF-9958FFC5EFF5._domainkey.example.com
Make sure that you use the same name used when creating the TXT record.
If the DKIM record has been added correctly, the output contains the record, starting with v=DKIM1. Otherwise, if the DKIM record has not been set correctly, or if there was some issue in retrieving it, you will not see the string v=DKIM1 in the output.
The openDkim service must be running on the Carbonio CE
installation for the outgoing e-mails to be correctly signed. This
can be verified in the output of the command
$ carbonio prov gs $(zmhostname)|grep -i service
must contain the line:
zimbraServiceEnabled: opendkim
To verify that an outgoing e-mail has been correctly signed, the easiest way is to send an e-mail from the domain to a third-party address. The e-mail receiver can then look at the source code of the e-mail (The option is usually called View e-mail source code, Show original, Show e-mail headers or similar in any e-mail client).
In the source code, you should see a line similar to the following:
tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1 ... dkim=pass (2048-bit key) header.d=example.com
Make sure your actual domain name is present instead of
example.com.