Requirements#
Carbonio CE can be installed as a Single-Server or as a Multi-Server infrastructure; in the latter, the various services and Roles are spread across two or more Nodes.
Requirements are divided into groups: System Requirements for a Node, Software Requirements for a Node, RHEL Specific Requirements, and Additional Requirements.
To make requirements easier to understand, we provide software requirements for a Node, which is either the only server used in a Single-Server or each server in a Multi-Server infrastructure.
System Requirements for a Node#
| Component | Requirement |
|---|---|
| CPU | Intel/AMD 64-bit 4 cores min./8+ cores vCPU |
| RAM | 16 GB min., 32+ GB recommended |
| Disk space (operating system and Carbonio CE) | 50 GB |

These requirements are valid for each Node in a Carbonio CE installation and may vary depending on the size of the infrastructure, which includes the services running on each Node and the number and size of the mailboxes. This means that if, for example, you plan to assign a 10 GB quota to each of your 20 users, you must increase the disk space requirement accordingly, i.e., to around 250 GB total.

- VMware vSphere 6.x
- VMware vSphere 7.x
- XenServer
- KVM
- Virtualbox (testing purposes only)

Software Requirements for a Node#
Carbonio CE is available for 64-bit CPUs only and can be installed on top of any of these vanilla distributions:

- Ubuntu 20.04 LTS Server Edition
- Ubuntu 22.04 LTS Server Edition
- RHEL 8 (see specific requirements)
- RHEL 9 (see specific requirements) BETA

Support for other distributions will be announced in due course when it becomes available.
While they are not officially supported, Linux distributions compatible with Ubuntu (e.g., Debian) and RHEL (e.g., AlmaLinux, Rocky Linux) may be used as base OS for Carbonio CE, provided all dependencies can be satisfied. This may include adding third-party repositories or manually installing software packages.
Moreover, even if Carbonio CE can be installed on an unsupported distribution, it may require some additional effort to get all Carbonio CE Components working, for example manually editing some configuration files, while some Components may not work at all. If you face problems on an unsupported distribution, or if you successfully installed Carbonio CE on an unsupported distribution and want to share your result, you may want to join the Official Community Forum.
The following requirements must be satisfied before attempting to install Carbonio CE.

- The whole Carbonio CE infrastructure must have at least one public IP address. You need to create a DNS A record that resolves to the public IP (e.g., A mail.example.com).

  Hint
  You can check a domain’s A record using the CLI utility host:

      # host -t A example.com

- To allow the mail server to receive mail, it will be necessary to set up an MX record, which must correspond to the A record (e.g., MX: example.com = mail.example.com).

  Hint
  You can check a domain’s MX record using the CLI utility host:

      # host -t MX example.com

  If either of the A or MX records is not correctly configured, the installation will be temporarily suspended to allow the change of the hostname.

- Each Node must be able to carry out DNS resolution autonomously and be able to resolve all other Nodes.
- To improve the security of outgoing email, you should also define TXT records for SPF, DKIM and DMARC.
- Python 3, latest version available on the chosen Operating System
- Perl, latest version available on the chosen Operating System
- IPv6 must be disabled. Also make sure that /etc/hosts does not contain any IPv6 entries.

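
The DNS and IPv6 requirements above can be verified before starting the installer. The following pre-flight check is an added example, not part of the Carbonio CE documentation or installer; the function names and the HOST_CMD override (which lets a stub replace the real host utility) are assumptions of this example.

```sh
#!/bin/sh
# Added example, not Carbonio code: pre-flight check for the DNS and IPv6
# requirements listed above. HOST_CMD is a hypothetical override for testing.
HOST_CMD=${HOST_CMD:-host}

# Print every MX target of domain $1 that has no A record (empty output = OK).
# Returns 1 when the domain has no MX record at all.
mx_without_a() {
  targets=$($HOST_CMD -t MX "$1" 2>/dev/null |
            awk '/is handled by/ { sub(/\.$/, "", $NF); print $NF }')
  [ -n "$targets" ] || return 1
  for t in $targets; do
    $HOST_CMD -t A "$t" 2>/dev/null | grep -q ' has address ' || echo "$t"
  done
}

# Print, with line numbers, the active entries of hosts file $1 whose
# address field is an IPv6 address (comments and blank lines are ignored).
ipv6_hosts_entries() {
  awk '!/^[ \t]*(#|$)/ && $1 ~ /:/ { print NR ": " $0 }' "$1"
}

# Succeed only if the kernel flag (1 = disabled) says IPv6 is off everywhere.
# $1 may point at another file; the default is the live kernel setting.
ipv6_disabled() {
  [ "$(cat "${1:-/proc/sys/net/ipv6/conf/all/disable_ipv6}" 2>/dev/null)" = "1" ]
}

preflight() {   # usage: preflight example.com
  rc=0
  missing=$(mx_without_a "$1") || { echo "FAIL: no MX record for $1"; rc=1; }
  [ -z "$missing" ] || { echo "FAIL: MX target(s) without A record: $missing"; rc=1; }
  [ -z "$(ipv6_hosts_entries /etc/hosts)" ] || { echo "FAIL: IPv6 entries in /etc/hosts"; rc=1; }
  ipv6_disabled || { echo "FAIL: IPv6 is enabled"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: DNS and IPv6 prerequisites satisfied"
  return "$rc"
}

# Run the checks only when a domain is given on the command line.
if [ "$#" -gt 0 ]; then preflight "$1"; fi
```

Run it as root on each Node with the mail domain as the only argument; a non-zero exit status means at least one requirement is not met.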
RHEL Specific Requirements#
Note
If you plan to install Carbonio CE automatically on a Single-Server using the downloadable script (see Section Automatic Script-based Installation), these requirements are checked and automatically enabled if missing.
You need to satisfy these requirements, depending on the RHEL version you want to install:
RHEL 8#
If you plan to install Carbonio CE on RHEL 8, you need an active subscription to the following repositories, i.e., you must be able to fetch packages from them:

- BaseOS and the other main repositories:

      # subscription-manager repos --enable=rhel-8-for-x86_64-baseos-rpms

- Appstream:

      # subscription-manager repos --enable=rhel-8-for-x86_64-appstream-rpms

- CodeReady:

      # subscription-manager repos --enable=codeready-builder-for-rhel-8-x86_64-rpms

- EPEL:

      # dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm

SELinux must be set to disabled or permissive in file /etc/selinux/config. You can check the current profile using the command

    # sestatus

RHEL 9 BETA#
If you plan to install Carbonio CE on RHEL 9, you need an active subscription to the following repositories, i.e., you must be able to fetch packages from them:

- BaseOS and the other main repositories:

      # subscription-manager repos --enable=rhel-9-for-x86_64-baseos-rpms

- Appstream:

      # subscription-manager repos --enable=rhel-9-for-x86_64-appstream-rpms

- CodeReady:

      # subscription-manager repos --enable=codeready-builder-for-rhel-9-x86_64-rpms

- EPEL:

      # dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm

SELinux must be set to disabled or permissive in file /etc/selinux/config. You can check the current profile using the command

    # sestatus

systemd units to replace zmcontrol

By installing Carbonio CE on RHEL 9 you will no longer be able to manage Carbonio services with the legacy zmcontrol start <service>, zmcontrol restart <service>, and zmcontrol stop <service> commands. Interaction with services should be done exclusively through systemd commands.

Note
The zmcontrol -v command, used to retrieve Carbonio CE’s configuration, will continue working as usual.

To get the list of all Carbonio services, use command

    # systemctl list-unit-files

Example
You can check the status of the Carbonio Tasks service with:

    # systemctl status carbonio-tasks.service

To manage its start, stop, and restart, replace status in the above command with start, stop, and restart, respectively.

It will also not be possible to use zmcontrol start | stop | restart as a convenience to restart all Carbonio services at once. This command will be replaced by Role-specific systemd commands, to be executed on the Node on which they are installed.

    # systemctl start/stop/restart carbonio-directory-server.target
    # systemctl start/stop/restart carbonio-appserver.target
    # systemctl start/stop/restart carbonio-mta.target
    # systemctl start/stop/restart carbonio-proxy.target

Additional Requirements#
When you do not use the script-based installation, i.e., for a Single-Server manual installation or a Multi-Server installation:

- All carbonio commands must be executed as the zextras user (these commands will feature a zextras$ prompt), while all other commands must be issued as the root user, unless stated otherwise.

  Note
  The zextras user is created during the Carbonio CE installation process; it is not necessary to create it beforehand.

- Commands or groups of commands may be different between Ubuntu and RHEL 8. This is shown by blue tabs: click on the tab of your choice to find the correct command. When no such tabs are given, the commands to run are the same on Ubuntu and RHEL 8.

Firewall Ports#
For Carbonio CE to operate properly, it is necessary to allow network communication on specific ports. On a Single-Server installation, only ports in the External Connections must be opened, because all the remaining traffic does not leave the server.
In Multi-Server installation, ports listed in the Internal Connections must be opened on all nodes, while those in the External Connections only on the node on which the corresponding Role is installed. For example, port 443 should be opened only on the node hosting the Proxy Role.
Furthermore, ports in Internal and External connections are grouped according to the Role that requires them, so all ports listed in a table must be opened only on the Node on which the Role is installed.
Carbonio requires no specific ports to communicate with the Internet (outgoing traffic), unless you want push notifications to be sent to mobile devices. In this case, the Node installing the Mailstore & Provisioning Role must be able to communicate with the URL https://notifications.zextras.com/firebase/ on port 443.
TCP External Connections#
| Port | Protocol | Service |
|---|---|---|
| 25 | TCP | Postfix incoming mail |
| 465 | TCP | Message Submission over TLS protocol |
| 587 | TCP | Port for SMTP authenticated relay, requires STARTTLS (or opportunistic SSL/TLS) |

Warning
These ports should be exposed only if really needed, and preferably only accessible from a VPN tunnel, if possible, to reduce the attack surface.

| Port | Protocol | Service |
|---|---|---|
| 80 | TCP | unsecured connection to the Carbonio web client |
| 110 | TCP | external POP3 services |
| 143 | TCP | external IMAP services |
| 443 | TCP | secure connection to the Carbonio web client |
| 993 | TCP | external IMAP secure access |
| 995 | TCP | external POP3 secure access |
| 6071 | TCP | secure access to the Admin Panel |

Warning
The IMAP, POP3, and 6071 ports should be exposed only if really needed, and preferably only accessible from a VPN tunnel, if possible, to reduce the attack surface.
TCP Internal Connections#
| Port | Protocol | Service |
|---|---|---|
| 22 | TCP | SSH access |
| 8301 | TCP and UDP | management of Gossip protocol [2] in the LAN |
| 9100 | TCP | Carbonio Monitoring Node exporter |
| 9256 | TCP | Carbonio Monitoring Process exporter |

| Port | Protocol | Service |
|---|---|---|
| 5432 | TCP | Postgres access |
| 9187 | TCP | Postgres data export to Carbonio Monitoring |

| Port | Protocol | Service |
|---|---|---|
| 389 | TCP | unsecure LDAP connection |
| 636 | TCP | secure LDAP connection |
| 9330 | TCP | LDAP data export to Carbonio Monitoring |

| Port | Protocol | Service |
|---|---|---|
| 25 | TCP | Postfix incoming mail |
| 465 | TCP | Message Submission over TLS protocol |
| 587 | TCP | Port for SMTP authenticated relay, requires STARTTLS (or opportunistic SSL/TLS) |
| 7026 | TCP | bind address of the Milter service |

| Port | Protocol | Service |
|---|---|---|
| 7025 | TCP | local mail exchange using the LMTP protocol |
| 7071 | TCP | Port for SOAP services communication |
| 7072 | TCP | NGINX discovery and authentication |
| 7073 | TCP | SASL discovery and authentication |
| 7110 | TCP | internal POP3 services |
| 7143 | TCP | internal IMAP services |
| 7993 | TCP | internal IMAP secure access |
| 7995 | TCP | internal POP3 secure access |
| 8080 | TCP | internal HTTP services access |
| 8443 | TCP | internal HTTPS services |
| 8735 | TCP | Internal mailbox to mailbox communication |
| 8742 | TCP | internal HTTP services, advanced module |
| 8743 | TCP | internal HTTPS services, advanced module |

| Port | Protocol | Service |
|---|---|---|
| 8188 | TCP | Internal connection |
| 8090 | TCP | Servlet communication |

| Port | Protocol | Service |
|---|---|---|
| 9113 | TCP | nginx data export to Carbonio Monitoring |
| 11211 | TCP | memcached access |

| Port | Protocol | Service |
|---|---|---|
| 8300 | TCP | management of incoming requests from other agents |
| 8302 | TCP and UDP | management of Gossip protocol [4] in the WAN |
| 9107 | TCP | Carbonio Mesh data export to Carbonio Monitoring |
| 21000-21255 | TCP | range of registration ports for sidecar services (automatically assigned) |

The Gossip protocol is an encrypted communication protocol used by Carbonio Mesh for message broadcasting and membership management.
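
The Single-Server rule in the Firewall Ports section (only External Connections ports are opened) can be audited against what the Node actually listens on. This is an added example, not part of the Carbonio CE documentation: the port lists are copied from the External Connections tables on this page, while the function names and the sample socket list are constructed for illustration.

```sh
#!/bin/sh
# Added example, not Carbonio code. Port lists are copied from the External
# Connections tables on this page; everything else is an assumption.
EXTERNAL_PORTS="25 465 587 80 110 143 443 993 995 6071"
# Ports the second warning on this page names explicitly (IMAP, POP3, 6071).
VPN_PREFERRED_PORTS="110 143 993 995 6071"

# Reads `ss -H -tln` output on stdin (field 4 is local address:port) and
# prints "port address verdict" for every non-loopback listener.
classify_listeners() {
  awk -v ext="$EXTERNAL_PORTS" -v vpn="$VPN_PREFERRED_PORTS" '
    BEGIN {
      n = split(ext, e, " "); for (i = 1; i <= n; i++) is_ext[e[i]] = 1
      n = split(vpn, v, " "); for (i = 1; i <= n; i++) is_vpn[v[i]] = 1
    }
    $1 == "LISTEN" {
      addr = $4; port = $4
      sub(/.*:/, "", port)        # text after the last colon
      sub(/:[^:]*$/, "", addr)    # text before the last colon
      if (addr ~ /^127\./ || addr == "[::1]") next  # traffic never leaves the server
      if (port in is_vpn)      verdict = "EXTERNAL-VPN-PREFERRED"
      else if (port in is_ext) verdict = "EXTERNAL"
      else                     verdict = "INTERNAL-ONLY"
      print port, addr, verdict
    }'
}

# Ports that listen on a routable address but are absent from the External
# Connections tables: on a Single-Server these must stay closed in the firewall.
ports_to_block() {
  classify_listeners | awk '$3 == "INTERNAL-ONLY" { print $1 }' | sort -nu | paste -sd' ' -
}

# Constructed sample of `ss -H -tln` output (not captured from a real Node).
SAMPLE_SS='LISTEN 0 100  0.0.0.0:25      0.0.0.0:*
LISTEN 0 511  0.0.0.0:443     0.0.0.0:*
LISTEN 0 511  0.0.0.0:6071    0.0.0.0:*
LISTEN 0 244  127.0.0.1:5432  0.0.0.0:*
LISTEN 0 128  0.0.0.0:389     0.0.0.0:*
LISTEN 0 1024 127.0.0.1:11211 0.0.0.0:*
LISTEN 0 50   *:7071          *:*'

printf '%s\n' "$SAMPLE_SS" | classify_listeners
echo "block from outside: $(printf '%s\n' "$SAMPLE_SS" | ports_to_block)"
```

On a live Node, pipe the real socket list into the same functions, e.g. `ss -H -tln | ports_to_block`, and compare the result with the host firewall rules.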