This section contains guidelines to enforce security on a typical Carbonio CE installation.
Add a DKIM Record to Carbonio CE Installation#
This section provides directions to add a DKIM record to the DNS of the domain managed by a Carbonio CE installation.
Create a DKIM Record#
In order to create a new DKIM record, two steps are necessary. As usual, we are using example.com in our scenario as the domain name: replace it with the actual domain name.
Step 1: Generate DKIM record
Execute the following command to generate a new DKIM record for the domain.
# /opt/zextras/libexec/zmdkimkeyutil -a -d example.com
The output will be similar to the following:
DKIM Data added to LDAP for domain example.com with selector D43CB080-8FE0-11EC-88DF-9958FFC5EFF5
Public signature to enter into DNS:
D43CB080-8FE0-11EC-88DF-9958FFC5EFF5._domainkey IN TXT ( "v=DKIM1; k=rsa; ""p=MIIBIjANBgkqhkiG9w0BAQEFA
XZZEedCK1POmFoOKwgqraxJtqiPdM7i+mjUOy7w1uqJa4fyxjbVp0QIDAQAB" ) ; ----- DKIM key D43CB080-8FE0-11EC-88D
F-9958FFC5EFF5 for example.com
Step 2: Add DKIM record to DNS settings
Edit the DNS settings of the domain and create a new record as follows, using the output of the previous command.
Create a new record of type TXT with name D43CB080-8FE0-11EC-88DF-9958FFC5EFF5._domainkey
As value of the new record, copy and paste the string within the
)and make sure that the value does not contain any newline (that is, the value is written on one line):
v=DKIM1; k=rsa; ""p=MIIBIjANBgkqhkiG9w0BAQEFA AOCAQ8AMIIBCgKCAQEA6fn7z208Gj/UVAL29CeKxhyHrRnals/qs4kWxnWuPK+ogDQjZoD0aUIv6QkUX6Y/KSYUd9qHEy1I7pSNIlyS ecqeq/YsP5zXzoKD7WmLfE0PGIx0CEtsn4h4MJucm+LNVKziSPVzkVZ0rku15BaBO1bpFd7bvkXMffei3cc2zwrFmFSDVB5P84k1na+ 5p1o4NBq3SDn8fks9r6""CJ7dAZQ3LazNmAgenMldkWC7tv+/25CStiz3QQ4GqCn4tp0VW3hWOQm6tRSe1yHEG10XT2cSieFM1w0GzB XZZEedCK1POmFoOKwgqraxJtqiPdM7i+mjUOy7w1uqJa4fyxjbVp0QIDAQAB"
Depending on the DNS, it is possible that you need to remove the double quotes, the white spaces, or both!
Test and Verify#
There are several tests that can be carried out to verify that the DKIM has been added correctly to the domain DNS and works correctly to sign the outgoing e-mails.
TXT record test
To check that the TXT record has been added to the DNS, issue the following command from any Linux box.
# nslookup -type=txt D43CB080-8FE0-11EC-88DF-9958FFC5EFF5._domainkey.example.com
Make sure that you use the same name used when creating the TXT record.
If the DKIM record has been added correctly, the output contains the record, starting with v=DKIM1. Otherwise, if the DKIM record has not been set correctly, or if there was some issue in retrieving it, you will not see the string v=DKIM1 in the output.
DKIM service enabled
openDkim service must be running on the Carbonio CE
installation for the outgoing e-mails to be correctly signed. This
can be verified in the output of the command
# carbonio prov gs $(zmhostname)|grep -i service
must contain the line:
E-mail signature test
To verify that an outgoing e-mail has been correctly signed, the easiest way is to send an e-mail from the domain to a third-party address. The e-mail receiver can then look at the source code of the e-mail (The option is usually called View e-mail source code, Show original, Show e-mail headers or similar in any e-mail client).
In the source code, you should see a line similar to the following:
tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1 ... dkim=pass (2048-bit key) header.d=example.com
Make sure your actual domain name is present instead of
LDAP passwords used by Carbonio CE use by default the SHA-512 algorithm. While this algorithm is secure and there exist no know vulnerabilities, some institution may require some more secure algorithm.
Since version 23.4.0, Carbonio CE supports the storage of LDAP password using the Argon2 algorithm.
SHA-512 remains the default on Carbonio CE installation, but it is possible to allow the the new algorithm by means of a simple procedure in two steps.
Before starting the procedure, however, it is suggested to make a dump of the LDAP database, using the directions and commands that can be found in Upgrade’s section Preliminary Tasks.
The first step of the procedure is up to the administrator and
requires to run as the
zextras user the following script, which
takes care to enable the new Argon2 algorithm
Once the script has successfully completed, Argon2 will be used as default for new passwords. From now on, passwords of all new LDAP accounts will be stored using Argon2. Existing password, however, will still use SHA-512.
The second step, indeed, is up to the users: the password of each user will be stored using Argon2 only as soon as they change it.
The Administrator can force a user to change password from the Carbonio Admin Panel by enabling option This user must change password, that appears in tab General when editing a user under Accounts for details.. See section