Security#

This section contains guidelines to enforce security on a typical Carbonio installation.

Add a DKIM Record to Carbonio Installation#

This section provides directions to add a DKIM record to the DNS of the domain managed by a Carbonio installation.

DKIM in a nutshell

The DomainKeys Identified Mail (DKIM) is a method to verify that an e-mail was sent from a legitimate mail server. Each e-mail is marked with a digital signature that can be verified by the receiver.

Technically, a TXT record that identifies the SMTP server must be added to the domain’s DNS configuration.

See also

DKIM is an Internet Standard first defined in RFC 6376, later updated in RFC 8301 and RFC 8463.

Create a DKIM Record#

In order to create a new DKIM record, two steps are necessary. As usual, we are using example.com in our scenario as the domain name: replace it with the actual domain name.

Step 1: Generate DKIM record

Execute the following command to generate a new DKIM record for the domain.

$ /opt/zextras/libexec/zmdkimkeyutil -a -d example.com

The output will be similar to the following:

DKIM Data added to LDAP for domain example.com with selector D43CB080-8FE0-11EC-88DF-9958FFC5EFF5
Public signature to enter into DNS:
D43CB080-8FE0-11EC-88DF-9958FFC5EFF5._domainkey IN TXT ( "v=DKIM1; k=rsa; ""p=MIIBIjANBgkqhkiG9w0BAQEFA
AOCAQ8AMIIBCgKCAQEA6fn7z208Gj/UVAL29CeKxhyHrRnals/qs4kWxnWuPK+ogDQjZoD0aUIv6QkUX6Y/KSYUd9qHEy1I7pSNIlyS
ecqeq/YsP5zXzoKD7WmLfE0PGIx0CEtsn4h4MJucm+LNVKziSPVzkVZ0rku15BaBO1bpFd7bvkXMffei3cc2zwrFmFSDVB5P84k1na+
5p1o4NBq3SDn8fks9r6""CJ7dAZQ3LazNmAgenMldkWC7tv+/25CStiz3QQ4GqCn4tp0VW3hWOQm6tRSe1yHEG10XT2cSieFM1w0GzB
XZZEedCK1POmFoOKwgqraxJtqiPdM7i+mjUOy7w1uqJa4fyxjbVp0QIDAQAB" ) ; ----- DKIM key D43CB080-8FE0-11EC-88D
F-9958FFC5EFF5 for example.com
Step 2: Add DKIM record to DNS settings

Edit the DNS settings of the domain and create a new record as follows, using the output of the previous command.

  • Create a new record of type TXT with name D43CB080-8FE0-11EC-88DF-9958FFC5EFF5._domainkey

  • As value of the new record, copy and paste the string within the ( braces ) and make sure that the value does not contain any newline (that is, the value is written on one line):

    v=DKIM1; k=rsa; ""p=MIIBIjANBgkqhkiG9w0BAQEFA
    AOCAQ8AMIIBCgKCAQEA6fn7z208Gj/UVAL29CeKxhyHrRnals/qs4kWxnWuPK+ogDQjZoD0aUIv6QkUX6Y/KSYUd9qHEy1I7pSNIlyS
    ecqeq/YsP5zXzoKD7WmLfE0PGIx0CEtsn4h4MJucm+LNVKziSPVzkVZ0rku15BaBO1bpFd7bvkXMffei3cc2zwrFmFSDVB5P84k1na+
    5p1o4NBq3SDn8fks9r6""CJ7dAZQ3LazNmAgenMldkWC7tv+/25CStiz3QQ4GqCn4tp0VW3hWOQm6tRSe1yHEG10XT2cSieFM1w0GzB
    XZZEedCK1POmFoOKwgqraxJtqiPdM7i+mjUOy7w1uqJa4fyxjbVp0QIDAQAB"
    

    Warning

    Depending on the DNS, it is possible that you need to remove the double quotes, the white spaces, or both!

Test and Verify#

There are several tests that can be carried out to verify that the DKIM has been added correctly to the domain DNS and works correctly to sign the outgoing e-mails.

TXT record test

To check that the TXT record has been added to the DNS, issue the following command from any Linux box.

# nslookup -type=txt D43CB080-8FE0-11EC-88DF-9958FFC5EFF5._domainkey.example.com

Make sure that you use the same name used when creating the TXT record.

If the DKIM record has been added correctly, the output contains the record, starting with v=DKIM1. Otherwise, if the DKIM record has not been set correctly, or if there was some issue in retrieving it, you will not see the string v=DKIM1 in the output.

DKIM service enabled

The openDkim service must be running on the Carbonio installation for the outgoing e-mails to be correctly signed. This can be verified in the output of the command

$ carbonio prov gs $(zmhostname)|grep -i service

must contain the line:

zimbraServiceEnabled: opendkim
E-mail signature test

To verify that an outgoing e-mail has been correctly signed, the easiest way is to send an e-mail from the domain to a third-party address. The e-mail receiver can then look at the source code of the e-mail (The option is usually called View e-mail source code, Show original, Show e-mail headers or similar in any e-mail client).

In the source code, you should see a line similar to the following:

tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1 ... dkim=pass (2048-bit key) header.d=example.com

Make sure your actual domain name is present instead of example.com.

Securing LDAP#

LDAP passwords used by Carbonio use by default the SHA-512 algorithm. While this algorithm is secure and there exist no know vulnerabilities, some institution may require some more secure algorithm.

Since version 23.4.0, Carbonio supports the storage of LDAP password using the Argon2 algorithm.

SHA-512 remains the default on Carbonio installation, but it is possible to allow the the new algorithm by means of a simple procedure in two steps.

Before starting the procedure, however, it is suggested to make a dump of the LDAP database, using the command (as the zextras user)

zextras$ /opt/zextras/libexec/zmslapcat /tmp

Note

The dump will be saved in the /tmp/ directory, so make sure to copy it to a safe location.

The first step of the procedure is up to the administrator and requires to run as the zextras user the following script, which enables the new Argon2 algorithm

zextras$ /opt/zextras/libexec/scripts/migrate20230217-AddArgon2.pl

Once the script has successfully completed, Argon2 will be used as default for new passwords. From now on, passwords of all new LDAP accounts will be stored using Argon2. Existing password, however, will still use SHA-512.

The second step, indeed, is up to the users: the password of each user will be stored using Argon2 only as soon as they change it.

Hint

The Administrator can force a user to change password from the Carbonio Admin Panel by enabling option This user must change password, that appears in tab General when editing a user under Domains ‣ Accounts. See section Accounts for details.