Security

This section contains guidelines to enforce security on a typical Carbonio installation.

Deploy an SSL certificate

In this section we explain how to add an SSL/TLS certificate to a Carbonio installation, both a single server and a wildcard certificate.

This setup is mandatory if Carbonio is used in conjunction with mobile apps; it is also suggested for any installation in order to avoid the client browser’s warning about an invalid certificate upon connection.

Commercial Certificate Installation

We will describe the procedure by taking into account the following scenario:

  • The server FQDN is mail.example.com

  • No SSL certificate is available for the domain.

In the remainder, replace mail.example.com with your actual server FQDN.

The procedure consists of a few steps and requires console access to the Carbonio server.

Step 1. Certificate Signing Request generation

We start by generating a CSR:

# /opt/zextras/bin/zmcertmgr createcsr comm -new -subject \
"/C=IT/ST=VR/L=Yourtown/O=YourCompany/OU=SampleDepartment/CN=mail.example.com" \
-subjectAltNames mail.example.com

Where the various elements in the subject are the standard fields of an SSL certificate:

  • C: the 2-digit country code

  • ST: State or Province

  • L: City

  • O: Organization Name

  • OU: Organization Unit (Department)

  • CN: Common Name

Note

You can optionally include more than one (alternative) name by simply adding to the end of the command one ore more -subjectAltNames options, followed by the name to add.

Once the command is executed these files will be generated:

/opt/zextras/ssl/carbonio/commercial/commercial.key
/opt/zextras/ssl/carbonio/commercial/commercial.csr

Step 2. Get the certificates from your SSL provider

To complete this step successfully, you need to submit the CSR to the SSL provider and get a commercial certificate in PEM format and save it as /opt/zextras/ssl/carbonio/commercial/commercial.crt.

Moreover, SSL providers supply also the intermediate certificate and the so-called Root CA in a bundled certificate file (“Full Chain CA”), that must be saved as /opt/zextras/ssl/carbonio/commercial/commercial_ca.crt.

How to create a Full Chain CA

However, in some cases, the SSL provider may only provide the intermediate certificate, in which case you need to create the Full CA Chain in order to install the certificate (for further information: https://knowledge.digicert.com/solution/SO16297.html)

If you don’t have a full CA chain bundle, download and save the root and the intermediate CA from your provider to temporary files, for example /tmp/ca_root.crt and /tmp/ca_intermediary.crt, then merge the two previously created temporary files into a single one:

# cat /tmp/ca_intermediary.crt /tmp/ca_root.crt > \
/opt/zextras/ssl/carbonio/commercial/commercial_ca.crt

Step 3. Verification and deploy

Issue the following commands to verify that the certificate and your private key match:

  • become the zextras user

    # su - zextras
    
  • go to the directory where the certificates are stored:

    zextras$ cd /opt/zextras/ssl/carbonio/commercial
    
  • verify the certificates

    zextras$ zmcertmgr verifycrt comm commercial.key commercial.crt commercial_ca.crt
    

If the verification is successful, you can deploy the SSL certificate.

# zmcertmgr deploycrt comm commercial.crt commercial_ca.crt

Finally, restart Carbonio.

# zmcontrol restart

Your certificate should now be installed: verify the certificate details by running this command:

# zmcertmgr viewdeployedcrt

Wildcard Certificate Installation

To describe this procedure, we use the same server with FQDN mail.example.com, but in this case there is already a wildcard SSL certificate for domain *.example.com, that was generated on a server other than Carbonio's.

Therefore, you have all the necessary certificates and the procedure in this case is simpler

Step 1. Set up of certificates

The existing PEM certificate and its private key must be save as /opt/zextras/ssl/carbonio/commercial/commercial.crt and /opt/zextras/ssl/carbonio/commercial/commercial.key respectively.

Now, go to /opt/zextras/ssl/carbonio/commercial/ and merge the two certificates into a single one:

# cat commercial.crt commercial.key > commercial_ca.crt

Step 2. Verification and deploy

Issue the following commands to verify that the certificate and your private key match:

  • become the zextras user

    # su - zextras
    
  • go to the directory where the certificates are stored:

    zextras$ cd /opt/zextras/ssl/carbonio/commercial
    
  • verify the certificates

    zextras$ zmcertmgr verifycrt comm commercial.key commercial.crt commercial_ca.crt
    

If the verification is successful, you can deploy the SSL certificate.

# zmcertmgr deploycrt comm commercial.crt commercial_ca.crt

Finally, restart Carbonio.

# zmcontrol restart

Your certificate should now be installed: verify the certificate details by running this command:

# zmcertmgr viewdeployedcrt

Add a DKIM record to Carbonio Installation

This section provides directions to add a DKIM record to the DNS of the domain managed by a Carbonio installation.

DKIM in a nutshell

The DomainKeys Identified Mail (DKIM) is a method to verify that an e-mail was sent from a legitimate mail server. Each e-mail is marked with a digital signature that can be verified by the receiver.

Technically, a TXT record that identifies the SMTP server must be added to the domain’s DNS configuration.

See also

DKIM is an Internet Standard first defined in RFC 6376, later updated in RFC 8301 and RFC 8463.

Create a DKIM record

In order to create a new DKIM record, two steps are necessary. As usual, we are using example.com in our scenario as the domain name: replace it with the actual domain name.

Step 1: Generate DKIM record

Execute the following command to generate a new DKIM record for the domain.

# /opt/zextras/libexec/zmdkimkeyutil -a -d example.com

The output will be similar to the following:

DKIM Data added to LDAP for domain example.com with selector D43CB080-8FE0-11EC-88DF-9958FFC5EFF5
Public signature to enter into DNS:
D43CB080-8FE0-11EC-88DF-9958FFC5EFF5._domainkey IN TXT ( "v=DKIM1; k=rsa; ""p=MIIBIjANBgkqhkiG9w0BAQEFA
AOCAQ8AMIIBCgKCAQEA6fn7z208Gj/UVAL29CeKxhyHrRnals/qs4kWxnWuPK+ogDQjZoD0aUIv6QkUX6Y/KSYUd9qHEy1I7pSNIlyS
ecqeq/YsP5zXzoKD7WmLfE0PGIx0CEtsn4h4MJucm+LNVKziSPVzkVZ0rku15BaBO1bpFd7bvkXMffei3cc2zwrFmFSDVB5P84k1na+
5p1o4NBq3SDn8fks9r6""CJ7dAZQ3LazNmAgenMldkWC7tv+/25CStiz3QQ4GqCn4tp0VW3hWOQm6tRSe1yHEG10XT2cSieFM1w0GzB
XZZEedCK1POmFoOKwgqraxJtqiPdM7i+mjUOy7w1uqJa4fyxjbVp0QIDAQAB" ) ; ----- DKIM key D43CB080-8FE0-11EC-88D
F-9958FFC5EFF5 for example.com

Step 2: Add DKIM record to DNS settings

Edit the DNS settings of the domain and create a new record as follows, using the output of the previous command.

  • Create a new record of type TXT with name D43CB080-8FE0-11EC-88DF-9958FFC5EFF5._domainkey

  • As value of the new record, copy and paste the string within the ( braces ) and make sure that the value does not contain any newline (that is, the value is written on one line):

    v=DKIM1; k=rsa; ""p=MIIBIjANBgkqhkiG9w0BAQEFA
    AOCAQ8AMIIBCgKCAQEA6fn7z208Gj/UVAL29CeKxhyHrRnals/qs4kWxnWuPK+ogDQjZoD0aUIv6QkUX6Y/KSYUd9qHEy1I7pSNIlyS
    ecqeq/YsP5zXzoKD7WmLfE0PGIx0CEtsn4h4MJucm+LNVKziSPVzkVZ0rku15BaBO1bpFd7bvkXMffei3cc2zwrFmFSDVB5P84k1na+
    5p1o4NBq3SDn8fks9r6""CJ7dAZQ3LazNmAgenMldkWC7tv+/25CStiz3QQ4GqCn4tp0VW3hWOQm6tRSe1yHEG10XT2cSieFM1w0GzB
    XZZEedCK1POmFoOKwgqraxJtqiPdM7i+mjUOy7w1uqJa4fyxjbVp0QIDAQAB"
    

    Warning

    Depending on the DNS, it is possible that you need to remove the double quotes, the white spaces, or both!

Test and Verify

There are several tests that can be carried out to verify that the DKIM has been added correctly to the domain DNS and works correctly to sign the outgoing e-mails.

TXT record test

To check that the TXT record has been added to the DNS, issue the following command from any Linux box.

# nslookup -type=txt D43CB080-8FE0-11EC-88DF-9958FFC5EFF5._domainkey.example.com

Make sure that you use the same name used when creating the TXT record.

If the DKIM record has been added correctly, the output contains the record, starting with v=DKIM1. Otherwise, if the DKIM record has not been set correctly, or if there was some issue in retrieving it, you will not see the string v=DKIM1 in the output.

DKIM service enabled

The openDkim service must be running on the Carbonio installation for the outgoing e-mails to be correctly signed. This can be verified in the output of the command

# carbonio prov gs $(zmhostname)|grep -i service

must contain the line:

zimbraServiceEnabled: opendkim

E-mail signature test

To verify that an outgoing e-mail has been correctly signed, the easiest way is to send an e-mail from the domain to a third-party address. The e-mail receiver can then look at the source code of the e-mail (The option is usually called View e-mail source code, Show original, Show e-mail headers or similar in any e-mail client).

In the source code, you should see a line similar to the following:

tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1 ... dkim=pass (2048-bit key) header.d=example.com

Make sure your actual domain name is present instead of example.com.