Role-based Access Control#

Carbonio uses a delegation mechanism to allow the principal administrator to assign roles and permission to other users with the purpose of sharing with them the administration tasks and duties, electing them as either Global or Delegated Administrator, who have different privileges to configure and manage these features.

In the context of the management of Anti-Virus and Anti-Spam functionalities, each Administrator, either Global or Delegated, can access with the personal account and be able to control and manage them, according to permissions granted.

Server-side Management of E-mails#

Carbonio's MTA (Postfix) receives e-mail by means of the SMTP protocol and forwards it to the correct e-mail queue according to the user’s username (this coincides with the user’s e-mail address). In case of an e-mail whose recipient is a distribution list (i.e., a mailing list), the e-mail is forwarded to each of the members of the list.

Additional rules can be created directly on Postfix from the CLI. Examples of restriction rules can be found directly in Postfix documentation, for example in Postfix Standard Configuration Examples. More examples, depending on the use case, can be found in the official Postfix documentation.

Server-side Attachment Management#

Global e-mail attachment settings allow you to specify global rules for handling attachments of an e-mail message.

# carbonio prov mcf +zimbraMtaBlockedExtension "exe"

zextras$ carbonio prov ma alice@example.com zimbraFileUploadMaxSizePerFile 1048574

Management of a COS#

Each account on Carbonio is assigned a COS, a global object that is not restricted to a particular domain or set of domains.

The COS assigned to an account determines the default attributes for that account and the features to be enabled or not for it. The COS controls mailbox quotas, message lifetime, password restrictions, attachment blocking, and server pool usage.

You can create and edit the classes of services via CLI and soon also via the new Carbonio Admin Panel, in which the tasks of COS management will feature an helpful wizard that guides the Administrator through the creation process.

# carbonio prov createCos {name} [attribute value ...]

All the attributes that need to be customised can be either added at the end of the base command above as [ attribute value ] pairs, or at a later point with the following command:

# carbonio prov modifyCos {name} [attribute value ...]

S/MIME support#

S/MIME support for all users can be enabled using command

zextras$ carbonio config set global enableSmimeEncryption TRUE

Users will then be able to upload certificates to be used for S/MIME signing; setting it to false will prevent users from using the feature.

Additionally, the command below enables the ability of the user to verify the S/MIME signature.

zextras$ carbonio prov mcf carbonioSMIMESignatureVerificationEnabled TRUE

The access the S/MIME Certificate Store from within their Settings page, users need to supply a password, which is different from the S/MIME certificate’s password. You can set various parameters of this password from the CLI, by using the following command as the zextras user user.

zextras$ carbonio config set global \
encryptionPasswordPolicyAttribute <attribute> <value>

The list of all available attributes that can be customised can be retrieved using command

zextras$ carbonio config get global \
encryptionPasswordPolicyAttribute

The output of the above command is:

global
      values

              attribute                                                   encryptionPasswordPolicyAttribute
              inheritedValue
                  minLength                                                       8
                  maxLength                                                       100
                  minUpperCase                                                    1
                  minLowerCase                                                    1
                  minDigits                                                       1
                  minPunctuation                                                  0
                  minAlphaChars                                                   0
                  minPunctuationOrDigitChars                                      0
                  requireAlphanumeric                                             true
                  allowedChars
                  allowedPunctuation
                  denyList
              inheritedFrom                                               default
              isInherited                                                 true
              modules
                      ZxCore

The attribute is available only at global level, meaning this password policy is the same for all configured domains, CoS, and user on the system.

Pending-setups#

This section describes the functionalities provided by pending-setups in Carbonio and explains when it is necessary to run or re-run it for its proper functioning.

You have 6 pending setups to run
0) carbonio-catalog.sh
1) carbonio-tasks.sh
2) carbonio-user-management.sh
3) carbonio-tasks-db-setup.sh
4) carbonio-files.sh
5) carbonio-files-db-setup.sh

a) execute all
q) quit

Please input your selection:
>

There are no pending-setups to run. Exiting!

Carbonio and HTTP Proxy#

Many organisations operate within secured network environments where direct Internet access is restricted and blocked by firewall rules or corporate policies.

Using an HTTP proxy allows administrators to control and monitor outbound connections from the Carbonio server, ensuring that only approved services and destinations are accessible.

In a scenario like this, configuring an HTTP proxy is mandatory for Carbonio to function properly: this can be achieved using the zimbraHttpProxyURL attribute as follows.

First, login to the any Node installing the Proxy and check the current configuration of the attribute.

zextras$ carbonio prov getConfig zimbraHttpProxyURL

If there is no output, Carbonio tries to use a direct connection to the Internet, which in the scenario depicted above does not work, so we need to configure the attribute as follows.

zextras$ carbonio prov modifyConfig zimbraHttpProxyURL http://proxy.example.com:8080

zextras$ carbonio prov modifyConfig zimbraHttpProxyURL http://username:password@proxy.example.com:8080

Finally, restart the service.

zextras$ zmcontrol restart

zextras$ zmcontrol restart

zextras$ zmcontrol restart

# systemctl start/stop/restart carbonio-proxy.target

Freshclam and HTTP Proxy#

Similarly to the scenario described in Section Carbonio and HTTP Proxy, freshclam can not download the antivirus signatures if Carbonio is placed behind a proxy. The solution is to put the proxy information in the freshclam configuration template, which is /opt/zextras/conf/freshclam.conf.in.

Log in to the Node where the MTA AV/AS Role is installed and edit the file, by adding at the bottom the lines:

HTTPProxyServer  proxy.example.com
HTTPProxyPort    8080

As the zextras user, execute

zextras$ zmclamdctl restart

To verify that the new configuration is correct and the HTTP proxy is being used, check the log file

zextras$ tail -f /opt/zextras/log/freshclam.log

In the output you should find some lines similar to the following:

ClamAV update process started at Thu Mar 13 14:01:58 2025
Trying to retrieve CVD header from https://database.clamav.net/daily.cvd
OK
main database available for download (remote version: xx)
Testing database: '/opt/zextras/data/clamav/db/tmp.03d9f579e4/clamav-f220b006e75bbf945b40dd0f5b8a2f29.tmp-main.cvd' ...
Database test passed.
main.cvd updated (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
Trying to retrieve CVD header from https://database.clamav.net/bytecode.cvd
OK

zextras$ cp /opt/zextras/conf/freshclam.conf.in /opt/zextras/conf/freshclam.conf.in.backup

zextras$ diff /opt/zextras/conf/freshclam.conf.in.backup /opt/zextras/conf/freshclam.conf.in

zextras$ cp /opt/zextras/conf/freshclam.conf.in.backup /opt/zextras/conf/freshclam.conf.in

Clean Activesync Status#

The PostgreSQL active_sync table in the activesync database contains the synchronisation status of mobile devices connected to Carbonio. Since there is no mechanism in place to cleans this table, it can grow significantly over time and occupy unnecessary space. The simplest solution is to add a line to the zextras user’s crontab.

To edit the crontab, execute, as the zextras user

zextras$ crontab -e

Scroll to the very end of the file (after the comment ZEXTRAS-END -- DO NOT EDIT ANYTHING BETWEEN THIS LINE AND ZEXTRAS-START) and add this line:

45 23 * * * /opt/zextras/bin/carbonio mobile doPurgeMobileState > /dev/null 2>&1

Save the file, then exit. This line will clear the state table every day at 23:45 (11:45PM) from all the connections. The command is completely transparent, as active connections will immediately be restored in the table, so users will not notice any service interruption.

However, in case of a lot of devices connecting, the table can become so large that the carbonio mobile doPurgeMobileState can timeout and do not clean the table, so a different approach is needed.

This approach requires you to access the Database Node and execute some SQL command directly on the database.

After you access the Database Node, become the postgresql user.

# su - postgres

Then access the PostgreSQL’s client

# psql

From here, select the activesync database

postgres=# \c activesync

hen use the following query to retrieve the number of mobile devices recorded in the table active_sync.

select concat(extract(YEAR from last_modification), '-', extract(MONTH from last_modification)), count(*) from active_sync.state group by concat(extract(YEAR from last_modification), '-', extract(MONTH from last_modification)) order by concat ASC;

You will have an output similar to:

 concat  | count
---------+-------
 2024-1  |    41
 2024-10 |    55
 2024-11 |   165
 2024-12 |    89
 2024-2  |    10
 2024-3  |     7
 2024-4  |   273
 2024-5  |    68
 2024-6  |   190
 2024-7  |    33
 2024-8  |    90
 2024-9  |  1529
 2025-1  |   989
 2025-2  |   606
 2025-3  |    90
(15 rows)

This output shows that the table holds the status of mobile devices back to more than year. Old entries can be safely removed from the table, because they can refer to devices no longer used or that never connected recently. For example, to remove all entries of year 24, execute the following query.

delete from active_sync.state where last_modification between '2024-01-01' and '2024-10-31';

You can now check the size of the table by running command

postgres=# \dt+ active_sync.*

If the size of the table is no longer as high as before, quit the PostgreSQL cliend

postgres=# \q

As the postgres user, you can analyse the table using the command

$ vacuumdb -t active_sync.state -Z -v activesync

If the output is similar to the following one, the table is clean:

vacuumdb: vacuuming database "activesync"
INFO:  analyzing "active_sync.state"
INFO:  "state": scanned 0 of 0 pages, containing 0 live rows and 0 dead rows; 0 rows in sample, 0 estimated total rows

Otherwise, if the number of dead rows is high, you can run the command, as the postgres user

$ vacuumdb -t active_sync.state -f -v activesync

This command removes dead tuples (rows) to reduce the space used and keep database performances at an optimal level.