Requirements

Carbonio CE can be installed in Single-Server or Multi-Server, with the various services and Roles spread across two or more Nodes.

Requirements are divided into groups: System Requirements for a Node, Software Requirements for a Node, RHEL Specific Requirements, and Additional Requirements (Manual Installation).

To make requirements easier to understand, we provide software requirements for a Node, which is either the only server used in a Single-Server or each server in a Multi-Server infrastructure.

System Requirements for a Node

Hardware requirements

CPU	Intel/AMD 64-bit 4 cores min./8+ cores vCPU
RAM	16 GB min., 32+ GB recommended
Disk space (operating system and Carbonio CE)	50 GB

These requirements are valid for each Node in a Carbonio CE Installation and may vary depending on the size of the infrastructure, which includes the services running on each node and the number and size of each mailbox. This means that if for example you plan to assign a 10GB quota to each of your 20 users, you must increase the Disk space requirements accordingly, i.e., to around 250GB total.

Supported Virtualization Platforms

VMware vSphere 6.x

VMware vSphere 7.x

XenServer

KVM

Virtualbox (testing purposes only)

Software Requirements for a Node

Carbonio CE is available for 64-bit CPUs only and can be installed on top of any of these vanilla distributions:

• Ubuntu 20.04 LTS Server Edition

• Ubuntu 22.04 LTS Server Edition

• RHEL 8 (see specific requirements)

Support for other distributions will be announced in due course when it becomes available.

Installation on Other Linux Distributions

While they are not officially supported, Linux distributions compatible with Ubuntu (e.g., Debian) and RHEL (e.g., AlmaLinux, Rocky Linux) may be used as base OS for Carbonio CE, provided all dependencies can be satisfied. This may include adding third-party repositories or manually installing software packages.

Moreover, even if Carbonio CE can be installed on an unsupported distribution, it may require some additional effort to have all Carbonio CE Components working, for example to manually edit some configuration file, while some Component may be not working at all. If you face some problems on unsupported distributions or if you successfully installed Carbonio CE on a unsupported distribution and want to share your result, you may want to join the Official Community Forum.

The following requirements must be satisfied before attempting to install Carbonio CE.

1. The whole Carbonio CE infrastructure must have at least one public IP address. You need to create a DNS A record that resolves to the public IP (e.g., A mail.example.com)

   Hint

   You can check a domain’s A record using the CLI utility host:

   # host -t A example.com
   

2. To allow the mail server to receive mail, it will be necessary to set up an MX record, which must correspond to the A record (e.g. MX: example.com = mail.example.com )

   Hint

   You can check a domain’s MX record using the CLI utility host:

   # host -t MX example.com
   

   If either of the A or MX records is not correctly configured, the installation will be temporarily suspended to allow the change of the hostname.

3. Each Node must be able to carry out DNS resolution autonomously and be able to resolve all other Nodes

4. For improved security of sending emails, you should also define TXT records for SPF, DKIM and DMARC

5. Python 3, latest version available on the chosen Operating System

6. Perl, latest version available on the chosen Operating System

7. IPv6 must be disabled. Make also sure that the /etc/hosts does not contain any IPv6 entries.

RHEL Specific Requirements

Note

If you plan to install Carbonio CE automatically on a Single-Server using the downloadable script (see Section Automatic Script-based Installation), these requirements are checked and automatically enabled if missing.

You need to satisfy these requirements for RHEL.

RHEL 8

Repositories

If you plan to install Carbonio CE on RHEL 8, you need an active subscription to the following repositories, i.e., you must be able to fetch packages from them

• BaseOS and the other main repositories:

  # subscription-manager repos --enable=rhel-8-for-x86_64-baseos-rpms
  

• Appstream:

  # subscription-manager repos --enable=rhel-8-for-x86_64-appstream-rpms
  

• CodeReady:

  # subscription-manager repos --enable codeready-builder-for-rhel-8-x86_64-rpms
  

SELinux

SELinux Must be set to disabled or permissive in file /etc/selinux/config. You can check the current profile using the command

# sestatus

Additional Requirements (Manual Installation)

• Acquaintance with the use of CLI is necessary. All carbonio commands must be executed as the zextras user (these commands will feature a zextras$ prompt), while all other commands must be issued as the root user, unless stated otherwise.

  Note

  The zextras user is created during the Carbonio CE installation process, it is not necessary to create it beforehand.

• Commands or groups of commands may be different between Ubuntu and RHEL 8. This is shown by blue tabs: click on the tab of your choice to find the correct command.

• When no such tabs are given, the commands to run are the same on Ubuntu and RHEL 8.

Firewall Ports

For Carbonio CE to operate properly, it is necessary to allow network communication on specific ports. On a Single-Server installation, only ports in the External Connections must be opened, because all the remaining traffic does not leave the server.

In Multi-Server installation, ports listed in the Internal Connections must be opened on all nodes, while those in the External Connections only on the node on which the corresponding Role is installed. For example, port 443 should be opened only on the node hosting the Proxy Role.

Furthermore, ports in Internal and External connections are grouped according to the Role that require them, so all ports listed in a table must be opened only on the Node on which the Role is installed.

TCP External Connections

MTA Role

Port	Protocol	Service
25	TCP	Postfix incoming mail
465	TCP	Message Submission over TLS protocol
587	TCP	Port for SMTP autenthicated relay, requires STARTTLS (or opportunistic SSL/TLS)

Warning

These ports should be exposed only if really needed, and preferably only accessible from a VPN tunnel, if possible, to reduce the attack surface.

Proxy Role

Port	Service
80	TCP	unsecured connection to the Carbonio web client
110	TCP	external POP3 services
143	TCP	external IMAP services
443	TCP	secure connection to the Carbonio web client
993	TCP	external IMAP secure access
995	TCP	external POP3 secure access
6071	TCP	secure access to the Admin Panel

Warning

The IMAP, POP3, and 6071 ports should be exposed only if really needed, and preferably only accessible from a VPN tunnel, if possible, to reduce the attack surface.

TCP Internal Connections

Every Node

Port	Service
22	TCP	SSH access
8301	TCP and UDP	management of Gossip protocol [2] in the LAN
9100	TCP	Carbonio Monitoring Node exporter
9256	TCP	Carbonio Monitoring Process exporter

[2]

The Gossip protocol is an encrypted communication protocol used by Carbonio Mesh for message broadcasting and membership management.

Postgres Role

Port	Protocol	Service
5432	TCP	Postgres access
9187	TCP	Postgres data export to Carbonio Monitoring

Directory Server Role

Port	Protocol	Service
389	TCP	unsecure LDAP connection
636	TCP	secure LDAP connection
9330	TCP	LDAP data export to Carbonio Monitoring

MTA Role

Port	Protocol	Service
25	TCP	Postfix incoming mail
465	TCP	Message Submission over TLS protocol
587	TCP	Port for SMTP autenthicated relay, requires STARTTLS (or opportunistic SSL/TLS)
7026	TCP	bind address of the Milter service

AppServer Role

Port	Protocol	Service
7025	TCP	local mail exchange using the LMTP protocol
7071	TCP	Port for SOAP services communication
7072	TCP	NGINX discovery and authentication
7073	TCP	SASL discovery and authentication
7110	TCP	internal POP3 services
7143	TCP	internal IMAP services
7993	TCP	internal IMAP secure access
7995	TCP	internal POP3 secure access
8080	TCP	internal HTTP services access
8443	TCP	internal HTTPS services
8735	TCP	Internal mailbox mailbox communication
8742	TCP	internal HTTP services, advanced module
8743	TCP	internal HTTPS services, advanced module

Carbonio VideoServer Role

Port	Protocol	Service
8188	TCP	Internal connection
8090	TCP	Servlet communication

Proxy Role

Port	Protocol	Service
9113	TCP	nginx data export to Carbonio Monitoring
11211	TCP	memcached access

Carbonio Mesh Role

Port	Protocol	Service
8300	TCP	management of incoming requests from other agents
8302	TCP and UDP	management of Gossip protocol [4] in the WAN
9107	TCP	Carbonio Mesh data export to Carbonio Monitoring
21000-21255	TCP	range for registrations ports for sidecar services (automatically assigned)

[4]

The Gossip protocol is an encrypted communication protocol used by Carbonio Mesh for message broadcasting and membership management.