Manage
The Manage Domains page contains options to configure accounts, mailing, and generic resources.
Accounts
The list of all accounts in the domain is shown here, along with information on their type and status.
The list can be filtered using the text field above the list, while a new account can be created using the + button.
In the panel’s top right corner, buttons allow you to edit or delete the user, and to go to the user’s mailbox.
A click on any account opens a new panel that contains information and options that can be modified. When editing a user’s account, most of the options are the same as those found in the Create an Account section, and they are organised in tabs.
Options defined in the user’s COS are inherited, but can be modified for any individual user. The values that have been modified are accompanied by a circular arrow icon. If you hover on that icon, you will see the inherited value, while if you click on it you will restore the COS value.
The configuration options available for each account are grouped in the following categories.
General: general configuration options of the account
Profile: personal information about the user and its role
Configuration: options about e-mail management and features available to users
User Preferences: default values for preferences that can be overridden by the user
Security: password policies, OTP, backup and other security-related options
Administration: additional Domain Administration roles
Delegates: delegation options
General
This tab contains all the options provided during the account creation, plus other options, including:
Whether this account is included in the Backup
The number of aliases of the account
The type of the account, which is one of
Normal: a Regular user
DelegatedAdmin: a Delegated (Domain) Administrator
Admin: a Global Administrator
System: special accounts used by Carbonio, i.e., GALsync, spam and ham training, and virus quarantine
External: an account that does not use Carbonio for authentication
Upon clicking the arrow on the right-hand side of the option, the Administration tab will open, to allow changing the user’s Role.
The quota used and available for the e-mails and the Carbonio Files module. It is possible to insert up to three decimal digits for each quota.
To force the user to change password at the next login
Note
An Admin can not change the password of a user, only wipe it, so the user is forced to change it on the next login attempt.
To remove the user’s password from LDAP
The COS the user belongs to
The Distribution List memberships
To move a user to another domain, which must be defined on the same server, by writing the new one in the Domain Name
The ABQ status: Strict, Permissive, Interactive, or Disabled (see ABQ Modes for details)
How many OTP devices the user has.
At the bottom, it is possible to see all the user’s open sessions, which can be terminated by selecting one and clicking the END SESSION button on the top right of the list.
Profile
Data in this tab represent the user’s phones, company, and address. They can be managed by both the user and the Administrators.
Configuration
The options listed here allow you to specify forwarding addresses, to prevent e-mail messages from being saved locally, and to enable ActiveSync, if these operations are allowed by the administrator. Values for these options can be set from the CLI: please refer to section Setting Features from CLI for more information.
User Preferences
The preferences in this tab concern how a user sees or interacts with e-mails (receiving, sending, composing, adding a signature) and are mostly inherited from the COS.
Note
Signatures can not be assigned to Resources.
Security
The options present here allow you to manage the account’s security.
New application passwords and OTP tokens can be created to allow the user to log in by using a QR Code. The code can then be sent by e-mail to the user who requested it. If the recipient cannot see the QR Code (for example because the provider does not support HTML e-mails or prevents inline images from being shown), a text equivalent of the QR Code (the Secret Code) will be shown, allowing the user to use it.
It is also possible to completely disable OTP for a user by using the One Time Password Management switch. In this case, the user can neither access their account from trusted networks (see 2-Factor-Authentication), nor do they have the ability to create OTP codes in the Auth section of their Settings module.
Note
If a user has already created OTPs and at a later point the Admin has disabled OTP for that user, the user can still use the existing OTPs. To prevent this behaviour (and forbid the user to use the old OTPs), the user’s OTP codes must be removed from the Carbonio Admin Panel.
Backup
A switch toggles the user’s ability to recover e-mails that have already been deleted from the Trash Bin, but are still present in the Backup.
Password
A policy can be set to force the user to select a secure password and to define the type of characters required for the password.
The Forgotten password feature, if enabled, allows a user to receive a token for temporary access to the webmail at the recovery address specified in the text field next to the option. It also provides the user a new option in the
, namely the ability to change the recovery address.
See also
The Password recovery procedure is described in section Lost Password.
The Failed login policy determines how the system behaves when a user fails too many consecutive logins.
Administration
You can choose whether the user holds one or more Administration Roles in Carbonio.
By toggling the Global Administration switch you can promote the user to Global Administrator or demote a Global Administrator. When the user is a Global Administrator, the Delegated Administration switch disappears, because the Global Administrator already has all the Rights.
If you toggle the Delegated Administration switch, you can then select one domain and assign to the user one of the available Roles from the drop-downs. Multiple Roles can be assigned, even on the same domain: for example, a user can be a HelpDesk Administrator and a Group Administrator.
Delegates
In this tab it is possible to define which other accounts or groups have access to the account and which permissions (“Rights”) are granted. The first setting defines whether a copy of the sent messages is saved and where: only in the delegated account’s folder or also in the delegate’s folder.
To add delegation Rights to an account, please refer to the dedicated section, Create a Shared Account.
Account statuses
A user account can be in one of the following statuses.
Active. The account is enabled and ready for everyday operations: the user can log in and send and receive e-mails.
Under Maintenance. This state occurs during maintenance operations on the domain or account: backup, import, export, restore. The user can not login, e-mails are queued on the MTA.
Locked. The account cannot be accessed by the user, but incoming e-mails are still delivered. This status can be set, for example, if the user violates the terms of service or if the account has been cracked.
Closed. The user is not allowed to log in, incoming e-mails are rejected.
Pending. This status is usually seen during the account creation, when it is not yet active. User can not log in, incoming e-mails are rejected.
LockOut. This is the only status that cannot be set. It is applied automatically when login attempts fail a given number of times, as a preventive measure against unauthorised access through brute force attacks. The account will not be accessible for a given interval (“lockout period”).
Hint
Both the number of failed attempts and the lockout period can be configured.
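One way to audit the failed-login policy behind the LockOut status from the CLI, added here as an example and not taken from the Carbonio documentation. It assumes the `carbonio prov ga` command and the zimbraPasswordLockout* attribute names inherited from Zimbra; the `audit_lockout` function, the threshold of 10 and the sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the failed-login (LockOut) policy per account.
# Reads text in the layout printed by `carbonio prov ga <account> <attrs>`:
# a "# name <account>" header followed by "attribute: value" lines.
# ASSUMPTION: the zimbraPasswordLockout* names are the LDAP attributes
# inherited from Zimbra; confirm them on your installation.

# Constructed sample input (not output captured from a real server).
SAMPLE_GA_OUTPUT='# name alice@example.com
zimbraPasswordLockoutDuration: 1h
zimbraPasswordLockoutEnabled: TRUE
zimbraPasswordLockoutMaxFailures: 5

# name bob@example.com
zimbraPasswordLockoutEnabled: FALSE
zimbraPasswordLockoutMaxFailures: 10

# name carol@example.com
zimbraPasswordLockoutDuration: 5m
zimbraPasswordLockoutEnabled: TRUE
zimbraPasswordLockoutMaxFailures: 50'

# audit_lockout MAX: flag accounts with lockout off, or tolerating more
# than MAX consecutive failed logins before LockOut is applied.
audit_lockout() {
  awk -v max_ok="${1:-10}" '
    function report() {
      if (acct == "") return
      if (enabled != "TRUE")
        print acct " WEAK lockout-disabled"
      else if (maxf == "" || maxf + 0 > max_ok + 0)
        print acct " WEAK max-failures=" (maxf == "" ? "unset" : maxf)
      else
        print acct " OK max-failures=" maxf " duration=" dur
    }
    /^# name /                           { report(); acct = $3; enabled = maxf = dur = ""; next }
    /^zimbraPasswordLockoutEnabled:/     { enabled = $2 }
    /^zimbraPasswordLockoutMaxFailures:/ { maxf = $2 }
    /^zimbraPasswordLockoutDuration:/    { dur = $2 }
    END { report() }
  '
}

# On a server the input would come from the CLI instead, for example:
#   carbonio prov ga user@example.com | audit_lockout 10
printf '%s\n' "$SAMPLE_GA_OUTPUT" | audit_lockout 10
```

Accounts reported as WEAK either never reach the LockOut status or reach it only after more failed logins than the chosen threshold.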
Account Aliases
An alias is a new e-mail address that can be associated with an existing account. It works exactly like any other account except that you cannot log in with it. All e-mails sent to the alias will land in the Account’s mailbox.
The aliases can be easily managed from the General tab of the user’s options. Click the pencil icon right below the account’s username: in the dialog window that opens, provide a new alias and the domain, then click + to add the alias to the user. Existing aliases can be modified or deleted using the small icons next to the e-mail in the Your Available Aliases field.
Delegated Domain Admins
This page shows all the accounts with some administration rights on the domain. To enable delegations on the domain, click the INIT DOMAIN button. If the domain was already initialised and you changed the Roles of any Administrator, or created a new Administrator, you need to click the button once more for the permissions to take effect. In that case the button will be labelled RE-INIT DOMAIN.
Distribution List
Distribution lists can be simply created by clicking the + button to open a tabbed modal dialog in which to configure it.
In the first tab you can give a name, an address, and a description to the distribution list; if you want Dynamic Mode, which automatically populates the list’s members, refer to section Dynamic Mode.
In the second tab, add Members by writing the e-mail addresses in the text field.
Hint
E-mail addresses are auto-completed while typing.
In the third tab, advanced settings can be configured, including the option to notify new members that they have been added to the list and the presence of the distribution list in the GAL. Owners can be added to the list: they will see the lists of which they are owners in a dedicated menu item, where they can edit some details and the members.
The last tab recaps the settings: now you can either go back to any of the previous tabs and change some of the settings, or proceed to create the distribution list.
Once a distribution list has been created, it can be further configured by adding aliases, which work like e-mail accounts, changing the description, notes, and members, and granting selected users the permission to send e-mails to the distribution list or making them Owners.
Whenever new members are added to a Distribution List, it is necessary to refresh (or restart) the milter service. From the CLI, as the zextras user, execute this command:
zextras$ zmmilterctl refresh
Dynamic Mode
Distribution list’s Dynamic Mode allows the automatic management of members. Indeed, each Dynamic Distribution List is identified by a name and by a unique Distribution List URL, which is an LDAP query that automatically populates the members of the Distribution List.
To create a Dynamic Distribution List, the procedure is similar to that for normal Distribution Lists: click the + button and provide a Displayed Name and a list Name, then click the Dynamic Mode switch to access more options, including the Distribution List URL, which is mandatory.
Hint
The Distribution List URL already includes the ldap:/// prefix, so you do not need to add it.
You can also make the list Hidden from GAL and add owners to the list, who can manage the configuration of the list.
Advanced options, like subscription and unsubscription options, are available after the creation of the Dynamic Distribution List, when editing it.
Security Groups
This page shows the pre-built Security Groups, which are special lists whose members are regular users promoted to an Administration Role. Belonging to any of these Groups allows a regular user to gain some rights and manage specific parts of the Carbonio infrastructure.
See also
To learn more about the rights of the different types of Administrators, please refer to Section Administrative Roles Explained.
Resources
A Resource is a generic object that can be assigned an e-mail address but, unlike regular accounts, does not need a signature, so you cannot specify one.
A Resource can be either of type Meeting Room or Equipment: to reserve either of them, send an e-mail to the assigned e-mail address.
A policy can be assigned to a Resource to determine how it reacts to booking requests: manual or automatic acceptance or rejection.
Additional e-mail addresses can be added to the resource, for example to notify the company’s facility manager which meeting rooms are reserved and which are free.
ActiveSync
This page gives information about all accounts connected using the ActiveSync protocol. For each connected device, some information is shown, including its unique Device ID and the time when it last connected. Clicking any of the connections will show additional information, including client data and the device’s ABQ status (see ABQ - Allow/Block/Quarantine device control).
The following actions can be carried out: WIPE DEVICE (bring the connected device back to factory settings), RESET DEVICE (log out the device from the account), and SUSPEND the connection.
Restore Account
The Restore Account procedure allows you to restore the contents and preferences of a mailbox to the exact state they were in when it was deleted.
When a Restore Account starts, a new account is created (the Destination Account), and all the items existing in the source account at the moment of the deletion are recreated in the destination account, including the folder structure and all the user’s data. All restored items will be created in the current primary store unless the Apply HSM Policy after the restore box is checked.
Warning
When restoring data on a new account, shared items consistency is not preserved. This is because the original share rules refer to the original account’s UUID, not to the Destination Account, which has a completely different UUID.
To start the procedure, type an e-mail address in the text-field or select an account from the list.
Then, click on the CONFIG tab and select the options to apply for the Restore:
To which date and time to restore the account
On which domain the account should be restored
Whether to use the last available status of the account
If External Data Sources should be restored
Select an e-mail address to which a notification of the successful restore will be sent.
Hint
This could be the alternate e-mail of the user whose account is being restored.