Manage

The Manage Domains page contains options to configure accounts, mailing, and generic resources.

Accounts

The list of all accounts in the domain is shown here, along with information on their type and status.

The list can be filtered using the text field above the list, while a new account can be created using the + button.

A click on any account will open a new panel that contains several details and options, including the name and aliases, if present, its status (see below), and creation date. The aliases can be easily managed by clicking the MANAGE ALIAS button: in the dialog window that opens, select a domain and a new alias, then click + to add the alias to the user.

On the panel’s top right corner, buttons allow you to edit or delete the user, and also to be redirected to the user’s mailbox.

When editing a user’s account, most of the options are the same as those found in the Create New Account section and are organised in tabs. Options defined in the user’s COS are inherited, but can be modified for any individual user.

Note

The values that have been modified are accompanied by a circular arrow icon. If you hover on that icon, you will see the inherited value, while if you click on it you will restore the COS value.

This tab contains all the options provided during the account creation, plus other options, including:

  • Whether this account is included in the Backup

  • The number of aliases of the account

  • The type of the account, which is one of

    • Normal: a Regular user

    • DelegatedAdmin: a Delegated (Domain) Administrator

    • Admin: a Global Administrator

    • System: special accounts used by Carbonio, i.e., GALsync, spam and ham training, and virus quarantine

    • External: an account that does not use Carbonio for authentication

    Upon clicking the arrow on the right-hand side of the option, the Administration tab will open, to allow changing the user’s Role.

  • The quota used and available for the e-mails and the Carbonio Files module. It is possible to insert up to three decimal digits for each quota.

  • To force the user to change password at the next login

    Note

    An Admin cannot change the password of a user, only wipe it, so the user is forced to change it on the next login attempt.

  • To remove the user’s password from LDAP

  • The COS the user belongs to

  • The Distribution List memberships

  • To move a user to another domain, which must be defined on the same server, by writing the new one in the Domain Name

  • The ABQ status: Strict, Permissive, Interactive, or Disabled (see ABQ Modes for details)

  • How many OTP devices the user has.

At the bottom, it is possible to see all the user’s open sessions, which can be terminated by selecting one and clicking the END SESSION button on the top right of the list.

Data in this tab represent the user’s phones, company, and address. They can be managed by both the user and the Administrators.

The options listed here allow you to specify forwarding addresses, to prevent e-mail messages from being saved locally, and to enable ActiveSync, if these operations are allowed by the administrator. Values for these options can be set from the CLI: please refer to section Setting Features from CLI for more information.

The preferences in this tab concern how a user sees or interacts with the e-mails (receiving, sending, composing, adding a signature) and are mostly inherited from the COS.

Note

Signatures cannot be assigned to Resources.

Options present here allow you to manage the account security.

New application passwords and OTP tokens can be created to allow the user to log in by using a QR Code. The code can then be sent by e-mail to the user who requested it. If the recipient cannot see the QR Code (for example because the provider does not support HTML e-mails or prevents inline images from being shown), a text-equivalent version of the QR Code (the Secret Code) will be shown, allowing the user to use it.

In the Backup section, a switch allows you to toggle the user’s ability to recover e-mails that have already been deleted from the Trash Bin.

A policy can be set to force the user to select a secure password and to define the type of characters required for the password.

The Forgotten password feature, if enabled, allows a user to receive a token for temporary access to the webmail, sent to the recovery address specified in the text field next to the option. It also gives the user a new option under Settings ‣ Auth, namely the ability to change the recovery address.

See also

The Password recovery procedure is described in section Lost Password.

The Failed login policy determines how the system behaves when a user fails too many consecutive logins.

You can choose whether the user holds one or more Administration Roles in Carbonio.

By toggling the Global Administration switch you can promote the user to Global Administrator, or demote a Global Administrator. When the user is promoted, the Delegated Administration switch will disappear, because the Global Administrator already has all the Rights.

If you toggle the Delegated Administration switch, you can then select one domain and assign to the user one of the available Roles from the drop-downs. Multiple Roles can be assigned, even on the same domain: for example, a user can be a HelpDesk Administrator and a Group Administrator.

In this tab it is possible to define which other accounts or groups have access to the account and which permissions (“Rights”) are granted. The first setting allows you to define whether to save a copy of the sent messages and where: only in the delegated account’s folder or also in the delegate’s folder.

To add delegation Rights to an account, please refer to the dedicated section, Create New Shared Account.

Account statuses

A user account can be in one of the following statuses.

  1. Active. The account is enabled and ready for everyday operations: the user can log in and send and receive e-mails.

  2. Under Maintenance. This state occurs during maintenance operations on the domain or account: backup, import, export, restore. The user cannot log in, and e-mails are queued on the MTA.

  3. Locked. The account cannot be accessed by the user, but incoming e-mails are still delivered. This status can be set, for example, if the user violates the terms of service or if the account has been cracked.

  4. Closed. The user is not allowed to log in, and incoming e-mails are rejected.

  5. Pending. This status is usually seen during the account creation, when it is not yet active. The user cannot log in, and incoming e-mails are rejected.

  6. LockOut. This is the only status that cannot be set. It is applied automatically when the login attempts fail a given number of times. It is a preventive measure to avoid unauthorised access through brute force attacks. The account will not be accessible for a given interval (“lockout period”).

    Hint

    Both the number of failed attempts and the lockout period can be configured.
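The status list and the LockOut rule above can be modelled as a small state machine. This is an added example, not Carbonio code: the threshold, the lockout period, the return to Active once the period has elapsed, and the sample events are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Effect of each status that an administrator can set, as listed above:
# (user can log in, what happens to incoming e-mail).
STATUS_EFFECTS = {
    "Active": (True, "delivered"),
    "Under Maintenance": (False, "queued on the MTA"),
    "Locked": (False, "delivered"),
    "Closed": (False, "rejected"),
    "Pending": (False, "rejected"),
}

@dataclass
class LockoutPolicy:
    max_failures: int          # assumed value; configurable per the hint
    lockout_period: timedelta  # assumed value; configurable per the hint

class Account:
    def __init__(self, name, status="Active"):
        self.name, self.status = name, status
        self.failures = 0          # consecutive failed logins
        self.locked_until = None   # set only while in LockOut

def attempt_login(acct, password_ok, now, policy):
    """Return the outcome of one login attempt and update the account."""
    if acct.status == "LockOut":
        if now < acct.locked_until:
            return "refused: LockOut"            # even with the right password
        acct.status, acct.failures = "Active", 0  # assumption: period elapsed
    if not STATUS_EFFECTS[acct.status][0]:
        return f"refused: {acct.status}"
    if password_ok:
        acct.failures = 0                        # only consecutive failures count
        return "ok"
    acct.failures += 1
    if acct.failures >= policy.max_failures:
        acct.status = "LockOut"                  # applied automatically, never set by hand
        acct.locked_until = now + policy.lockout_period
        return "failed: LockOut applied"
    return "failed"

def replay(events, policy):
    """Run (timestamp, user, password_ok) events in order; return the outcomes."""
    accounts, outcomes = {}, []
    for ts, user, ok in events:
        acct = accounts.setdefault(user, Account(user))
        outcomes.append(attempt_login(acct, ok, datetime.fromisoformat(ts), policy))
    return outcomes

# Constructed sample events, not real log data.
POLICY = LockoutPolicy(max_failures=3, lockout_period=timedelta(minutes=30))
EVENTS = [
    ("2024-05-01T09:00:00", "JohnSmith", False),
    ("2024-05-01T09:00:05", "JohnSmith", False),
    ("2024-05-01T09:00:09", "JohnSmith", False),  # third consecutive failure
    ("2024-05-01T09:00:12", "JohnSmith", True),   # correct password, still refused
    ("2024-05-01T09:31:00", "JohnSmith", True),   # after the lockout period
]
```

The fourth event shows the trade-off of any lockout policy: while the account is in LockOut, the legitimate user is refused as well, so the threshold and period should be chosen with that in mind.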

Create New Account

In order to create a new account, click the + button: a dialog window opens and allows you to set up the basic configuration of the new account.

Step 1: Create New Account John Smith

We create the first account for the CEO of ACME Corporation and provide the following data.

  • Name, Middle Name Initials, and Surname will be used to define the user name. We use only Name (John) and Surname (Smith), which result in the JohnSmith username.

    If the name or surname contains non-ASCII characters, an automatic mapping will be enforced: for example, ä, à will become a. When there is no mapping available, the message Auto fill user is disabled will be displayed: in this case, the username must be filled manually. This is the case, for example, for letters using diacritics, cedillas or the German ß.

    Hint

    You can change the automatically generated username at will, for example to match company policies.

  • Password is the one used by John for the first login only

  • User will change password on the next login requires that John, after the first login (and before accessing his mailbox), must change the password.

We also explicitly configure the Account Status (see the list of possible values), but do not change the Default COS. Click the CREATE WITH THESE DATA button to create the account.

Note

When assigning a COS to a user, all the values defined in that COS will be inherited by the user. They can be changed later on a per-user basis, when editing the account.

(Optional) Step 2: Send OTP or grant rights to John Smith

Once the account has been created, you can optionally create an OTP code for John Smith, which he can use to quickly access his account.

You can also give the account administrative rights, which you can customise. In this case, the account creation procedure continues and allows you to grant Global Administration Rights (see Section Create New Global Admin) or Delegated rights (see Section Administrative Roles Explained).


Create New Shared Account

In order to create a new Shared Account, first create a new account, then select the account and click the EDIT button. In the DELEGATES tab you can configure who has access to the account and which rights are assigned, in two ways: a Simplified and an Advanced View. The two views differ slightly; the most relevant difference is how the permission is set.

Hint

Details on the rights that can be granted can be found in the box.

Simplified View

In the Simplified View, select a user or group, then the permission and click the ADD THE ACCOUNT button to add it as a delegate. The delegated accounts will appear at the bottom of the tab.

Advanced View

In the Advanced View, click ADD NEW +, then select an existing user or group (Distribution List). Proceed to the next tab (SET RIGHTS) and select the right to be assigned to the user or group from the drop-down menu.

Note

The user who delegates and the delegate cannot be the same account; in other words, it is not possible to add as a delegated user the same account of the user who is delegating.

Available Delegate’s Rights

The Rights that can be granted to a user are basically to read, write, and send e-mails, and to access e-mail folders. Rights can be granted when editing an account, in the dedicated Delegates tab. Rights can be granted using a Simplified or an Advanced method.

In the Simplified method, permissions are granted using checkboxes:

  • read, access with no permission to change

  • read/write, full read and write permission

  • send, the recipient will see as sender the selected user

  • send on behalf, similar to the previous: the recipient will see the sender’s e-mail preceded by the string On behalf of

In the Advanced method, rights are given in a slightly different way and can be defined in a more granular way. In the SET RIGHTS step it is possible to grant the following rights: Send Mails only; Read Mails only; Send and Read Mails; Manage; and Send, Read, and Manage Mails (all of the above). Depending on the choice, the bottom part will show additional options, according to the following table.

============================  =========================================
Option                        Additional options
============================  =========================================
Send Mails only               Send, Send on Behalf of
Read Mails only               Folders to share
Send and Read Mails           Send, Send on Behalf of; folders to share
Manage                        Folders to share
Send, Read, and Manage Mails  Send, Send on Behalf of; folders to share
============================  =========================================

Create New Global Admin

To create a new Admin, create the account, as explained in the previous section, and in Step 2 enable the option Add administration rights.

We give this account the acme_admin name.

Then, from the account list, select the new account, then click the pencil icon to edit it.

Fig. 7 Create a new Global Admin.

To make acme_admin a Global Admin, open the Administration tab, click the switch labelled Global administration, then save. The acme_admin user is now able to access the Carbonio Admin Panel.

Delegated Domain Admins

This page shows all the accounts with some administration rights on the domain. To enable delegations on the domain, click the INIT DOMAIN button. If the domain was already initialised and you changed the Roles of any Administrator, or created a new Administrator, you need to click the button once more for the permissions to take effect. In that case the button will be labelled RE-INIT DOMAIN.

Distribution List

Distribution lists can be simply created by clicking the + button to open a tabbed modal dialog in which to configure it.

In the first tab you can give a name, an address, and a description to the distribution list; if you want a dynamic mode, that automatically populates the list’s members, refer to section Dynamic Mode.

In the second tab, add Members by simply writing the e-mail addresses in the text field.

Hint

E-mail addresses are auto-completed while typing.

In the third tab, advanced settings can be configured, including the option to notify new members that they have been added to the list and the presence of the distribution list in the GAL. Owners can be added to the list: they will see the lists of which they are owners in a dedicated menu item, where they can edit some details and the members (see Section Distribution lists).

The last tab recaps the settings: now you can either go back to any of the previous tabs and change some of the settings, or proceed to create the distribution list.

Once a distribution list has been created, it can be further configured by adding aliases, which work like e-mail accounts, changing the description, notes, and members, and granting selected users the permission to send e-mails to the distribution list or making them Owners.

Whenever new members are added to a Distribution List, it is necessary to refresh (or restart) the milter service. From the CLI, as the zextras user, execute this command:

zextras$ zmmilterctl refresh

Dynamic Mode

The Dynamic Mode of a Distribution List allows the automatic management of members. Each Dynamic Distribution List is identified by a name and by a unique Distribution List URL, which is an LDAP query that automatically populates the members of the Distribution List.

To create a Dynamic Distribution List, the procedure is similar to the normal Distribution Lists: click the + button and provide a Displayed Name and a list Name, then click the Dynamic Mode switch to access more options, including the Distribution List URL, which is mandatory.

Hint

The Distribution List URL already includes the ldap:/// prefix, so you do not need to add it.

You can also make the list Hidden from GAL and add owners to the list, who can manage the configuration of the list.

Advanced options, like subscription and unsubscription options, are available after the creation of the Dynamic Distribution List, when editing it.
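Because the Distribution List URL decides who receives the list’s mail, it is worth checking the value before saving it. The following added example (not part of Carbonio) assumes the field takes the part of an RFC 4516 LDAP URL that follows ldap:///, that is base DN, attributes, scope and filter separated by ?; the sample filters are constructed and use standard LDAP attributes.

```python
from urllib.parse import unquote

PREFIX = "ldap:///"               # already supplied by the field, per the hint
SCOPES = {"", "base", "one", "sub"}

def balanced(flt):
    """True if every '(' in the filter has a matching ')'."""
    depth = 0
    for ch in flt:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0

def check_dl_url(field_value):
    """Return (full_url, problems) for text typed into the Distribution List URL field."""
    problems = []
    rest = field_value.strip()
    if rest.lower().startswith(PREFIX):
        problems.append("prefix typed twice: the field already supplies ldap:///")
        rest = rest[len(PREFIX):]
    elif "://" in rest:
        problems.append("only the ldap:/// scheme with no host is expected")
    # RFC 4516 layout after the prefix: dn?attributes?scope?filter
    parts = rest.split("?")
    parts += [""] * (4 - len(parts))
    _base_dn, _attrs, scope, flt = (unquote(p) for p in parts[:4])
    if scope.lower() not in SCOPES:
        problems.append(f"unknown scope {scope!r}")
    if not flt:
        problems.append("no filter: RFC 4516 then defaults to (objectClass=*)")
    elif not (flt.startswith("(") and flt.endswith(")") and balanced(flt)):
        problems.append("filter is not a parenthesised, balanced expression")
    elif flt.replace(" ", "").lower() == "(objectclass=*)":
        problems.append("filter matches every entry under the base DN")
    return PREFIX + rest, problems

# Constructed sample values for the field.
GOOD = "??sub?(&(objectClass=inetOrgPerson)(ou=Sales))"
TOO_BROAD = "??sub?(objectClass=*)"
```

An empty problem list only means the value is well-formed; the resulting membership should still be reviewed after the list is created.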

Security Groups

This page shows the pre-built Security Groups, which are special lists whose members are regular users promoted to an Administration Role. Belonging to any of these Groups allows a regular user to gain some rights and manage specific parts of the Carbonio infrastructure.

See also

To learn more about the rights of the different types of Administrators, please refer to Section Administrative Roles Explained.

Resources

A Resource is a generic object that can be assigned an e-mail address but, unlike regular accounts, does not need any signature, so you cannot specify one.

A Resource can be either of type Meeting Room or Equipment: to reserve either of them, send an e-mail to the assigned e-mail address.

A policy can be assigned to a Resource, to determine how to react to a booking request: either manual or automatic acceptance or rejection.

Additional e-mail addresses can be added to the resource, for example to notify the company’s facility manager which meeting rooms are reserved and which are free.

ActiveSync

This page gives information about all accounts connected using the ActiveSync protocol. For each connected device, some information is shown, including its unique Device ID and the time when it last connected. Clicking any of the connections will show additional information, including client data and the device’s ABQ status (see ABQ - Allow/Block/Quarantine device control).

The following actions can be carried out: WIPE DEVICE (bring the connected device back to factory settings), RESET DEVICE (log out the device from the account), and SUSPEND the connection.

Restore Account

The Restore Account procedure allows you to restore the contents and preferences of a mailbox to the exact state it was in when it was deleted.

When a Restore Account starts, a new account is created (the Destination Account), and all the items existing in the source account at the moment of the deletion are recreated in the destination account, including the folder structure and all the user’s data. All restored items will be created in the current primary store unless the Apply HSM Policy after the restore box is checked.

Warning

When restoring data on a new account, shared items consistency is not preserved. This is because the original share rules refer to the original account’s UUID, not to the Destination Account, which has a completely different UUID.

To start the procedure, type an e-mail address in the text-field or select an account from the list.

Then, click on the CONFIG tab and select the options to apply for the Restore:

  • To which date and time to restore the account

  • On which domain the account should be restored

  • Whether to use the last available status of the account

  • If External Data Sources should be restored

  • The e-mail address to which a notification of the successful restore is sent.

    Hint

    This could be the alternate e-mail of the user whose account is being restored.