
Now that Synacor has decided to stop supporting Zimbra OSE, it is time to move over to Carbonio CE for my mail server needs. I have looked at many alternatives, but Carbonio is the closest thing out there, and as it is built mainly on Zimbra to begin with, it should fit my needs for the time being. It still has a way to go feature-wise (its GUI could use some improvement and added features, for example), but on the plus side it is under active development, and while the support community on Carbonio’s forums is still sparse, it should improve as more people move over from the Zimbra product.

While there are a few how-to posts out on the web for installing Carbonio CE, I’ve found that many of them don’t work properly, or the instructions are incomplete and produce a broken server. So, having tried all of the available instructional posts and experienced many failed installs, I decided to publish this complete guide. Though your mileage may vary depending on your system, this guide will at least get you a working mail server.

The system I am installing on resides on a TrueNAS server in a bhyve virtual Ubuntu machine with 12GB of RAM, two Virtual CPUs, two Cores, two Threads and the Boot Loader set to UEFI. This guide will assume you know how to create a VM and can set up your network etc. When you install Ubuntu, set your swap file to match the size of your RAM, as I have found Carbonio CE likes to load up the swap file and the default 4GB will be insufficient. I also like to create two volumes inside a carbonio dataset: carbonio_root & carbonio_data (which I mount on the new VM as /opt). On install, I gave my host name as “mail”, and for most of the steps I “sudo su” to “root” as it’s easier when you are installing a lot of stuff at the same time. Notice the naming conventions in the prompts below. If you see “root@mail:~$” I am root, and if you see “zextras@mail:~$” or “zimbra@mail:~$” I am the zextras user or zimbra user respectively.

 

Summary

Part One – Prepare Your VM’s Environment:

Note: Re: Webmin and SSH access. I love Webmin as it’s super handy and I always install it on all my VMs. I used to use PuTTY a lot for SSH access but then I discovered Remote Desktop by Devolutions. It’s an amazing piece of console software for Windows, it’s free and I challenge ANYONE out there to show me a better product! Check it out, you’ll never go back to using anything else after you try Remote Desktop!

  1. Install webmin
    Add webmin repository:

    root@mail:~$ nano /etc/apt/sources.list

    Add the webmin repository info to bottom of “/etc/apt/sources.list” and save:

    deb http://download.webmin.com/download/repository sarge contrib

    Add key:

    root@mail:~$ wget -q -O- http://www.webmin.com/jcameron-key.asc | sudo apt-key add -
    root@mail:~$ sudo apt update
    root@mail:~$ sudo apt install webmin
  2. Install Perl socket6 – useful for when Carbonio gets its IPv6 act together:
    root@mail:~$ apt-get install libsocket6-perl
  3. Switch webmin port to 10100 and use Webmin to update system packages
    Note: Unfortunately, Carbonio ALSO uses port 10000 (and 10001 as well) for its admin GUI (why, I do not know, since Webmin has been using that port forever?!), so we need to switch Webmin’s port.
  4. Assign static IPv4 & IPv6 addresses to the zextras server through Netplan:
    root@mail:~$ cd /etc/netplan
    root@mail:~$ nano your.yaml

    Hint: I use my DHCP server to auto assign static ipv4/6 to all my VM’s.

    # This is the network config written by 'subiquity'
    network:
      ethernets:
        enp0s4:
          dhcp4: true
          dhcp6: true
      version: 2

    Apply your changes:

    root@mail:~$ netplan apply

***STOP HERE AND SNAPSHOT!!!***

  1. Now it’s time to shut down the VM and snapshot the install so far. Call it “clean_install” or something like that. If anything goes wrong or you make an error,  you can return to this point without having to start from scratch.
  2. Set machine hostname and host file information:
    Even though you set the hostname in Ubuntu’s install setup, it never hurts to double check.

    root@mail:~$ hostnamectl set-hostname mail

    Adjust networking > networking configuration > hosts in Webmin as follows:

    nameserver 127.0.0.1
    nameserver 9.9.9.9
    search mail.yourdomain.ca

    Make sure the /etc/hosts file looks like:

    127.0.0.1 localhost.localdomain localhost
    "servers private IP" mail.yourdomain.ca mail
  3. Install dnsmasq:
    root@mail:~$ apt-get install dnsmasq

    Modify dnsmasq.conf:

    # ###################################
    # BEGIN CARBONIO SERVER DNSMASQ CONFIG
    # ###################################
    #
    # Name Servers to use for resolution:
    # IP addresses below are for Google's public DNS servers;
    # you may wish instead to use your ISP's upstream servers,
    # or your AD servers with the DNS Role installed.
    # What's my Zextras server's domain?
    domain=yourdomain.ca
    #
    mx-host=yourdomain.ca,mail.yourdomain.ca,5
    #
    # Only localhost can talk to me (Zextras Default).
    # Add this server's RFC1918 IP address if you want
    # other Zextras servers on the network to query me.
    listen-address=127.0.0.1
    #
    # DNS A Record-Equivalent(s) go here:
    address=/mail.yourdomain.ca/10.40.10.51
    #Needed for import/export
    address=/yourdomain.ca/10.40.10.51
    #
    #
    # DNS PTR Record-Equivalent(s) go here:
    ptr-record=51.10.40.10.in-addr.arpa,mail.yourdomain.ca
    #
    # DNS MX Record-Equivalent(s) go here:
    srv-host=_autodiscover._tcp.yourdomain.ca.,mail.yourdomain.ca.,443
    #
    # Increase the number of host lookups cached from the default 150
    cache-size=9500
    #
    bind-interfaces
    # ###################################
    # END CARBONIO SERVER DNSMASQ CONFIG
    # ###################################

    Enable dnsmasq:

    root@mail:~$ systemctl enable dnsmasq
    root@mail:~$ systemctl restart dnsmasq

***STOP HERE AND SNAPSHOT!!!***

  1. Shut down VM and snapshot again. Call the snap “before Carbonio”:
    root@mail:~$ poweroff -f

    Test DNS using the dig command:

    root@mail:~$ dig yourdomain.ca mx

    You should see results similar to the following:

    ; <<>> DiG 9.16.1-Ubuntu <<>> yourdomain.ca mx
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28032
    ;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 1232
    ;; QUESTION SECTION:
    ;yourdomain.ca.                     IN      MX
    
    ;; ANSWER SECTION:
    yourdomain.ca.              0       IN      MX      5 mail.yourdomain.ca.
    
    ;; ADDITIONAL SECTION:
    mail.yourdomain.ca.         0       IN      A       10.40.10.51

    Ensure your hostname is returned correctly:

    root@mail:~$ host $(hostname)

    You should see your private IP returned like so:

    mail has address 10.40.10.51

Part Two – Install Carbonio:

  1. Add zextras repository. Download the following script using:
    root@mail:~$ wget https://repo.zextras.io/inst_repo_ubuntu.sh

    Give the script execution rights:

    root@mail:~$ chmod +x inst_repo_ubuntu.sh

    Execute the script:

    root@mail:~$ ./inst_repo_ubuntu.sh

    Update & upgrade repository database

    root@mail:~$ apt update -y
  2. Install Carbonio CE packages:
    root@mail:~$ apt install service-discover-server carbonio-directory-server carbonio-proxy carbonio-webui carbonio-files-ui carbonio-admin-login-ui carbonio-mta carbonio-appserver carbonio-user-management carbonio-files-ce carbonio-files-db carbonio-storages-ce carbonio-preview-ce carbonio-docs-connector-ce carbonio-docs-editor carbonio-admin-ui carbonio-admin-console-ui postgresql-12 -y
  3. Configure and launch Carbonio CE:
    root@mail:~$ carbonio-bootstrap

    Set some options in the admin menu:

    set timezone option = 1 > 6 = 37
    apply config y
  4. Setup Carbonio Mesh & pending setups:
    Create a password (mypassword). **Store the password somewhere, as you will need it again for upgrading.

    root@mail:~$ service-discover setup-wizard   # specify the internal IP of your server
    root@mail:~$ pending-setups                  # choose "a" for all
  5. Configure Carbonio CE databases:
    root@mail:~$ su - postgres -c "psql --command=\"CREATE ROLE carbonio_adm WITH LOGIN SUPERUSER encrypted password 'secretpw16charactersmax';\""
    root@mail:~$ su - postgres -c "psql --command=\"CREATE DATABASE carbonio_adm owner carbonio_adm;\""

    Bootstrap the Carbonio Files database with the password you just set:

    root@mail:~$ PGPASSWORD=secretpw16charactersmax carbonio-files-db-bootstrap carbonio_adm 127.0.0.1

    Restart CARBONIO:

    root@mail:~$ su - zextras
    zextras@mail:~$ zmcontrol restart
    zextras@mail:~$ zmcontrol -v
  6. Assign a password to the user zextras@carbonio.domain.tld
    root@mail:~$ su - zextras
    zextras@mail:~$ zmprov setpassword zextras@yourdomain.ca mysecretpw
  7. Configure firewall:
    root@mail:~$ ufw status
    root@mail:~$ ufw allow ssh
    root@mail:~$ ufw allow 25,80,110,143,443,587,993,995,6071,8636,5222,10001,10100,10050/tcp
  8. Install Fail2ban:
    root@mail:~$ apt-get install fail2ban -y

    Create the “/etc/fail2ban/filter.d/carbonio.conf” file and add:

    [Definition]
    failregex = \[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$
                \[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$
             ;oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$
             \[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$
             WARN .*;ip=<HOST>;ua=CarbonioWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$
             NOQUEUE: reject: RCPT from .*\[<HOST>\]: 550 5.1.1 .*: Recipient address rejected:

    Create the “/etc/fail2ban/jail.local” file:

    root@mail:~$ nano /etc/fail2ban/jail.local

    *Add text below:

    [DEFAULT]
    # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
    # ban a host which matches an address in this list. Several addresses can be
    # defined using space separator.
    ignoreip = 127.0.0.1/8 10.40.10.0/24 yourdomain.ca someip/32 someip/32 
    # "bantime" is the number of seconds that a host is banned.
    bantime = 600
    # A host is banned if it has generated "maxretry" during the last "findtime"
    # seconds.
    findtime = 600
    
    # "maxretry" is the number of failures before a host get banned.
    maxretry = 3
    banaction = ufw
    banaction_allports = ufw
    
    [ufw]
    enabled = true
    filter  = ufw
    logpath = /var/log/ufw.log
    
    # Carbonio Jails.
    
    [carbonio-account]
    enabled = true
    filter = carbonio
    action = iptables-allports[name=carbonio-account]
    #sendmail[name=carbonio-account, dest=zextras@domain.tld]
    logpath = /opt/zextras/log/mailbox.log
    bantime = 600
    maxretry = 5
    
    [carbonio-audit]
    enabled = true
    filter = carbonio
    action = iptables-allports[name=carbonio-audit]
    #sendmail[name=Carbonio-audit, dest=zextras@domain.tld]
    logpath = /opt/zextras/log/audit.log
    bantime = 600
    maxretry = 5
    
    [carbonio-recipient]
    enabled = true
    filter = carbonio
    action = iptables-allports[name=carbonio-recipient]
    #sendmail[name=Carbonio-recipient, dest=zextras@domain.tld]
    logpath = /var/log/carbonio.log
    bantime = 172800
    maxretry = 5
    
    [postfix]
    enabled = true
    filter = postfix
    action = iptables-multiport[name=postfix, port=smtp, protocol=tcp]
    #sendmail-buffered[name=Postfix, dest=zextras@domain.tld]
    logpath = /var/log/carbonio.log
    bantime = 172800
    maxretry = 5
    

    Save changes and restart Fail2ban:

    root@mail:~$ systemctl restart fail2ban

    You can check the status of fail2ban using:

    root@mail:~$ fail2ban-client status carbonio-audit
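
To see what the filter and jail settings above do together, this added example (not part of the original guide and not fail2ban's own code) runs the six failregex lines over constructed log lines and applies the carbonio jails' maxretry and the ignoreip networks. The <HOST> substitute, the sample lines and all function names are assumptions, and every sample line is taken to fall inside one findtime window.

```python
import ipaddress
import re
from collections import Counter

# failregex lines copied from the carbonio.conf filter above.
FAILREGEX = [
    r"\[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$",
    r"\[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$",
    r";oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$",
    r"\[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$",
    r"WARN .*;ip=<HOST>;ua=CarbonioWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$",
    r"NOQUEUE: reject: RCPT from .*\[<HOST>\]: 550 5.1.1 .*: Recipient address rejected:",
]

# Assumption: simplified stand-in for fail2ban's <HOST> tag. The real tag also
# accepts hostnames; this one captures IPv4/IPv6 literals only.
HOST = r"(?P<host>[0-9A-Fa-f:.]+)"
COMPILED = [re.compile(rx.replace("<HOST>", HOST)) for rx in FAILREGEX]

# Values from jail.local above; the "someip/32" placeholders are left out.
IGNOREIP = [ipaddress.ip_network(n, strict=False)
            for n in ("127.0.0.1/8", "10.40.10.0/24")]
MAXRETRY = 5  # maxretry of the carbonio-* jails


def match_line(line):
    """Return (pattern_index, host) for the first failregex that matches, else None."""
    for idx, rx in enumerate(COMPILED):
        m = rx.search(line)
        if m:
            return idx, m.group("host")
    return None


def is_ignored(host):
    """True when host falls inside one of the ignoreip networks."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in IGNOREIP)


def hosts_to_ban(lines, maxretry=MAXRETRY):
    """Count failures per non-ignored host and return those reaching maxretry."""
    counts = Counter()
    for line in lines:
        hit = match_line(line)
        if hit and not is_ignored(hit[1]):
            counts[hit[1]] += 1
    return sorted(h for h, n in counts.items() if n >= maxretry)


def bad_password(ip, n):
    """Build n constructed 'invalid password' lines for one client address."""
    return [
        f"2024-01-02 10:15:{i:02d},000 INFO  [qtp-1] "
        f"[name=user@yourdomain.ca;oip={ip};ua=test;] security - cmd=Auth; "
        "account=user@yourdomain.ca; protocol=soap; "
        "error=authentication failed for [user@yourdomain.ca], invalid password;"
        for i in range(n)
    ]


# Constructed sample lines, shaped to fit the patterns above (not real server output).
NO_ACCOUNT = ("2024-01-02 10:16:00,000 INFO  [qtp-2] [ip=198.51.100.23;] account - "
              "authentication failed for nobody@yourdomain.ca (no such account)")
OK_LINE = ("2024-01-02 10:20:00,000 INFO  [qtp-1] "
           "[name=user@yourdomain.ca;oip=203.0.113.7;ua=test;] security - "
           "cmd=Auth; account=user@yourdomain.ca; protocol=soap;")
SAMPLE = (bad_password("203.0.113.7", 5)      # reaches maxretry
          + [NO_ACCOUNT] * 2                  # stays below maxretry
          + bad_password("10.40.10.20", 6)    # inside ignoreip, never counted
          + [OK_LINE])                        # successful login, no match

if __name__ == "__main__":
    for line in SAMPLE:
        print(match_line(line), "|", line[:60])
    print("would ban:", hosts_to_ban(SAMPLE))
```

On the server itself, `fail2ban-regex /opt/zextras/log/mailbox.log /etc/fail2ban/filter.d/carbonio.conf` runs the real filter against the real log.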

Part Three – Migrate data from Zimbra to Carbonio CE:

Note: A few things you should keep in mind before starting the mailbox export/import process:
* Set the socket timeout on both servers high.
* Check if you have any attachment limits. It’s a good idea to increase attachment size to 50 MB.

      1. Set timeout limits:
        zimbra@mail:~$ zmprov mcf zimbraMtaMaxMessageSize 52428800

        Check current timeout value:

        zimbra@mail:~$ zmlocalconfig socket_so_timeout

        Change this with higher value to avoid timeouts:

        zimbra@mail:~$ zmlocalconfig -e socket_so_timeout=3000000
        zimbra@mail:~$ zmlocalconfig --reload
      2. Extract all user information from the old Zimbra server so we can create them on the new Carbonio server.
        Z2C consists of a simple pair of scripts to export LDAP data from an original Zimbra or Carbonio server and import it on a brand new Zimbra or Carbonio server. Its goal is to migrate accounts and help to dump and restore mailboxes from one server to another.
        Let’s install it:

        root@mail:~$ mkdir /opt/Z2C
        root@mail:~$ mkdir /opt/Z2C/data
        root@mail:~$ wget https://www.anahuac.eu/Z2C.tgz
        root@mail:~$ tar xvf Z2C.tgz

        Copy the files:

        root@mail:~$ cp Z2C/* /opt/Z2C/

        Give the script execution rights:

        root@mail:~$ chmod +x /opt/Z2C/z2c.sh

        Change ownership

        root@mail:~$ chown -R zimbra:zimbra /opt/Z2C/

        Execute the script as zimbra to export the data:

        root@mail:~$ su - zimbra
        zimbra@mail:~$ cd /opt/Z2C
        zimbra@mail:~$ ./z2c.sh
      3. Transfer the Z2C account data. In OLD Zimbra Server run:
        root@mail:~$ rsync -auv -e "ssh -C" /opt/Z2C/ root@new_server_ip:/opt/        # first run, or
        root@mail:~$ rsync -auv -e "ssh -C" /opt/Z2C/ root@new_server_ip:/opt/Z2C/    # subsequent copies
      4. Change timeout value back after export:
        zimbra@mail:~$ zmlocalconfig -e socket_so_timeout=30000
        zimbra@mail:~$ zmlocalconfig --reload

    Import User Data To the New Server

***STOP HERE AND SNAPSHOT!!!***

Shut down VM and snapshot again. Call the snap “before carbonio import”:

root@mail:~$ poweroff
  1. Import all transferred data into the new server using the following method. Restore all domains & users, etc:
    *Edit out spam and ham, galsync accounts out of mail and password files
    Use a screen session because this could take a long time depending on no. of users, etc.:

    root@mail:~$ screen

    *Tip: CTRL+a+d to exit screen session and leave it active.
    Restore mailbox data:

    zextras@mail:~$ ./restore.sh
  2. Import Mailboxes from Zimbra into Zextras.
    So far, we have exported all user information from the OLD server to the NEW server. So now we can change the necessary DNS records so that the NEW server can be the active email server. Change DNS records (on your firewall) to make the NEW server an active server. As soon as DNS records propagate, all users can log in to their email account using their existing credentials. But in their account, there will be no previous data. Now we will transfer email data to Carbonio.
    On OLD server:
    When you first run Z2C you will notice it creates a full set of scripts in the Z2C/export directory:

    script_export_FULL.sh -  a list of zmmailbox commands to dump all mailboxes;
    script_export_TRASH.sh -  a list of zmmailbox commands to dump the Trash folder;
    script_import_FULL.sh -  a list of zmmailbox commands to restore all mailboxes;
    script_import_TRASH.sh -  a list of zmmailbox commands to restore the Trash folder;
    script_import_quota.txt -  a list of zmprov commands to restore all accounts quotas if you need it;
    users.txt -  show the list of users dumped from Zimbra server

    We will use these scripts now to export mail off of the Zimbra server:
    Switch to a screen session:

    root@mail:~$ screen
    root@mail:~$ su - zimbra
    zimbra@mail:~$ cd /opt/Z2C/export
    zimbra@mail:~$ ./script_export_FULL.sh

    Exit screen and have a coffee:

    (press CTRL+a, then d, to detach from the screen session)
    root@mail:~$ screen -r
    zimbra@mail:~$ ./script_export_TRASH.sh
  3. Export to new server:
    root@mail:~$ rsync -auv -e "ssh -C" /opt/Z2C/data root@new_server_ip:/opt/Z2C/
  4. Import mail into CARBONIO
    Switch to a screen session:

    root@mail:~$ screen
    root@mail:~$ su - zextras
    zextras@mail:~$ cd /opt/Z2C/export
    zextras@mail:~$ ./script_import_FULL.sh

    Exit screen and have a coffee:

    (press CTRL+a, then d, to detach from the screen session)
    root@mail:~$ screen
    zextras@mail:~$ ./script_import_TRASH.sh

    If you get a timeout error (large mailboxes tended to timeout for me) use the following command:

    zextras@mail:~$ curl -k -H "Transfer-Encoding: chunked" -u admin:AdminPassword -T /directory_backup_tgz/your_username@your_domain.com.tgz -X POST "https://localhost:6071/service/home/your_username@your_domain.com/?fmt=tgz&resolve=skip"

Note: The only unfortunate thing about the timeout fix above is that you have to import each mailbox manually. It would be nice if Zextras offered the import/export suite as an addon for Carbonio CE, but they only offer it on their enterprise edition, which starts at 150 mailboxes. Hopefully someone will update the Z2C export/import script so that it exclusively uses the chunked method of importing. Granted, it’s much slower, but it works on large mailboxes, and if you follow the instructions above it just means that it takes a bit more time for the users’ data to show up from the old server – not a deal killer. BTW, I had to use this method to import all my large mailbox accounts.

  1. Copy Users Filter Rules
    Export existing filter user rules (from Zimbra) and save into a file:

    zimbra@mail:~$ mkdir /opt/Z2C/filters
    zimbra@mail:~$ cd /opt/Z2C/filters
    zimbra@mail:~$ zmprov -l ga UserA@yourdomain.com zimbraMailSieveScript > /opt/Z2C/filters/user.filter_rules.txt

    Prepare the output file “/opt/Z2C/filters/user.filter_rules.txt”:

    zimbra@mail:~$ sed -i -e "1d" /opt/Z2C/filters/user.filter_rules.txt
    zimbra@mail:~$ sed -i -e 's/zimbraMailSieveScript: //g' /opt/Z2C/filters/user.filter_rules.txt

    Check required folders’ path for the filter rules.

    zimbra@mail:~$ grep 'fileinto' /opt/Z2C/filters/user.filter_rules.txt

    Example:

    zimbra@mail:~$ grep 'fileinto' /opt/Z2C/filters/user.filter_rules.txt
    fileinto "TestEmail/TEST2";
    fileinto "User5";
    fileinto "Admin";

    Import prepared filter rules on another user. Copy the filters folder to /opt/Z2C/ on the target server:

    zextras@mail:~$ cd /opt/Z2C/filters
    zextras@mail:~$ zmprov ma UserB@yourdomain.com zimbraMailSieveScript "$(cat /opt/Z2C/filters/user.filter_rules.txt)"

Part Four – Set Up LetsEncrypt & DKIM for your Carbonio Domains:

***STOP HERE AND SNAPSHOT BEFORE INSTALLING CERTS!!!***

Note: I followed a bunch of “How to install LetsEncrypt for Carbonio” guides and none of them worked for me. I also tried to use the Carbonio Certificate Installer GUI thingy, but it also does not work, especially when importing existing domains from a previous Zimbra install. The immortal Zimbra/sysadmin expert, Jim Dunphy, has ported over a working Zimbra LetsEncrypt method, which is described below.

  1. Install socat (needed for LetsEncrypt):
    root@mail:~$ apt install socat

    Temporarily change ownership on zextras folder (needed for installing LetsEncrypt)

    root@mail:~$ chown zextras:zextras /opt/zextras/
    root@mail:~$ su - zextras
    zextras@mail:~$ wget -O - https://get.acme.sh | sh
    zextras@mail:~$ exit
    root@mail:~$ chown root:root /opt/zextras/
  2. Upload ‘carbonio.sh’ to .acme.sh/deploy directory:
    Fix permissions:

    root@mail:~$ chown zextras:zextras /opt/zextras/.acme.sh
    root@mail:~$ su - zextras
    zextras@mail:~$ cd ~/.acme.sh
    zextras@mail:~$ acme.sh --upgrade

    Add access keys to dns_aws.sh & set LetsEncrypt as default

    zextras@mail:~$ acme.sh --set-default-ca --server letsencrypt
    zextras@mail:~$ acme.sh --set-default-chain --preferred-chain ISRG --server letsencrypt
  3. Issue certs for your domains:
    Note: I am also using Route53 on AWS so I am able to automate dns verification (huge timesaver). Read this link for more info and a list of supported DNS providers. The example below shows my AWS (dns_aws) automated check:

    zextras@mail:~$ acme.sh --issue --keylength 2048 --dns dns_aws -d mail.yourdomain.ca -d mail.addnldomain1.com -d mail.addnldomain2.com -d mail.addnldomain3.ca
  4. Deploy your certificate:
    Note: The example below uses Jim Dunphy’s deploy script which you can download by clicking here.

    zextras@mail:~$ acme.sh --deploy --deploy-hook carbonio -d mail.yourdomain.ca

    View your deployed cert:

    zextras@mail:~$ zmcertmgr viewdeployedcrt

    View Letsencrypt cert expiry:

    zextras@mail:~$ acme.sh --list
  5. Set up DKIM  for Incoming E-mails in Carbonio CE:
    Configuring DKIM for outgoing e-mail signing improves the credibility of messages sent by users on your servers, because the receiving server can validate them against your DKIM record. For that to happen, we need to configure OpenDKIM to sign outgoing e-mails. By configuring DKIM to check incoming e-mails, any incoming e-mail that lacks domain keys is automatically rejected. To do so, we configure OpenDKIM to check incoming e-mails as follows:
    Edit opendkim.conf:

    root@mail:~$ nano /opt/zextras/conf/opendkim.conf

    Set the values for On-NoSignature and Mode respectively to “reject” and “sv”.

    Restart the OpenDKIM service:

    root@mail:~$ su - zextras
    zextras@mail:~$ zmcontrol restart opendkim

    Install the libxml-simple-perl package:

    root@mail:~$ apt-get install libxml-simple-perl
    root@mail:~$ su - zextras

    Generate a DKIM key for your domain:

    zextras@mail:~$ /opt/zextras/libexec/zmdkimkeyutil -a -d example.tld

    Understanding the Output:

    The Selector which is the string before ._domainkey, in our case 0E9F184A-9577-11E1-AD0E-2A2FBBAC6BCB,
    The Version which is indicated with v= in our case v=DKIM1,
    The Key type which is indicated with k= in our case k=rsa,
    The Public key which is indicated with p= in our case p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDY5CBg15nZ2vYnRmrNub6Jn6ghQ2DXQbQgOJ/E5IGziUYEuE2OnxkBm1h3jived21uHjpNy0naOZjLj0xLyyjclVy1chrhSbsGAhe8HLXUsdXyfRvNTq8NWLsUnMEsoomtJCJ/6LYWYU1whOQ9oKZVAwWHSovAWZpByqNMZmFg7QIDAQAB

    Adding your DKIM data to the DNS:
    Now it’s time to add the DKIM data obtained in the previous section to your DNS. To do so, access your DNS provider, for example, GoDaddy, Network Solutions, etc. Access your DNS management based on your provider’s instructions.
    – Add a new TXT entry setting Record Type as TXT.
    – Insert your selector as yourSelector._domainkey in the Hostname field.
    – Insert your version, key type, and public key, separated by ; like v=…;k=…;p=…, in the TXT Value field.
    – Assign the Time to Live (TTL), for example, let’s use 3600s.
    – Save the entry.
    Note: If you use Route 53, you can’t paste the entire key in, as you will get an error; the key needs to be split as indicated in the example below:
    Use this key and paste it into notepad++ and match with the key output by the command above. Note where the double quotes are as this is the ‘split’ point:

    "v=DKIM1;k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAdfgrIIBCgKCAQEA6GFaC329i7DTkt02Dzclng9eyxBjxTkDucaCKZm3bw/ovdk8UdDPAYUHiGW65TQ9KyszZPn8x9FnbYIAoYS6yoytWOQTgkOscT3yueCmb+Re0m87EhSMzOyEEKUjbnsKO3p7qVIE5+XgyYmCmt1""pFSX0CAzzpSwIldt1FtyukEiRN7rDcw9SPBfRYYfRxARf3m8UCPmhcD0Ttgn+RgIfu90GvORhGmL73BByJJQO+87WhIEwZ7JlbXO9UyFLocuITl8/UPi9H65urr7ONgBswzHvARD50pvPvDBgFXz3Yac0aLiqI+QxPLCQQLuYH6/X0K1Cz0t7LtNc4UAgpozcHwIDAQAB"

    For more info look here.

  6. Update Carbonio RBL’s via zimbraMtaRestriction
    Check your existing settings as Zextras user:

    zextras@mail:~$ carbonio prov gcf zimbraMtaRestriction
    zimbraMtaRestriction: reject_invalid_helo_hostname
    zimbraMtaRestriction: reject_non_fqdn_sender
    zimbraMtaRestriction: reject_unknown_sender_domain

    Modify with new settings (will overwrite old settings):

    zextras@mail:~$ carbonio prov mcf \
    zimbraMtaRestriction reject_invalid_helo_hostname \
    zimbraMtaRestriction reject_non_fqdn_sender \
    zimbraMtaRestriction reject_unknown_sender_domain \
    zimbraMtaRestriction reject_invalid_hostname  \
    zimbraMtaRestriction "reject_rbl_client cbl.abuseat.org" \
    zimbraMtaRestriction "reject_rbl_client bl.spamcop.net" \
    zimbraMtaRestriction "reject_rbl_client sbl.spamhaus.org" \
    zimbraMtaRestriction "reject_rbl_client b.barracudacentral.org"

    Restart zmmtactl (will take a while, be patient):

    zextras@mail:~$ zmmtactl restart
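
The Route 53 key split from step 5 above, as an added example that is not part of the original guide: it checks a DKIM TXT value, cuts it into quoted strings of at most 255 characters (the limit for a single string in a TXT record), and confirms the pieces join back to the original. The sample key is constructed filler bytes, not a real key, and all function names are assumptions.

```python
import base64
import re

TXT_STRING_LIMIT = 255  # maximum length of one character-string in a TXT record


def parse_dkim(record):
    """Split 'v=...;k=...;p=...' into tags and sanity-check them."""
    tags = {}
    for part in record.split(";"):
        if part.strip():
            name, _, value = part.strip().partition("=")
            tags[name.strip()] = value.strip()
    if tags.get("v") != "DKIM1":
        raise ValueError("missing or unexpected v= tag")
    if not tags.get("p"):
        raise ValueError("missing p= tag")
    # validate=True rejects characters outside the base64 alphabet, such as
    # a stray quote or space left over from a bad copy/paste.
    base64.b64decode(tags["p"], validate=True)
    return tags


def split_txt(record, limit=TXT_STRING_LIMIT, sep=""):
    """Return the record as quoted strings of at most `limit` characters.

    sep="" puts the strings back to back, as in the page's example;
    sep=" " separates them with a space instead.
    """
    parse_dkim(record)  # refuse to split something that is already broken
    chunks = [record[i:i + limit] for i in range(0, len(record), limit)]
    return sep.join(f'"{c}"' for c in chunks)


def txt_strings(value):
    """List the quoted strings contained in a TXT value."""
    return re.findall(r'"([^"]*)"', value)


def join_txt(value):
    """Reassemble the strings the way a DKIM verifier concatenates them."""
    return "".join(txt_strings(value))


# Constructed sample: 294 filler bytes, the size of a 2048-bit RSA public key
# in DER form, base64-encoded. Use the output of zmdkimkeyutil in practice.
SAMPLE_KEY = base64.b64encode(bytes(range(256)) + bytes(38)).decode()
SAMPLE_RECORD = "v=DKIM1;k=rsa;p=" + SAMPLE_KEY

if __name__ == "__main__":
    value = split_txt(SAMPLE_RECORD)
    print(value)
    print("string lengths:", [len(s) for s in txt_strings(value)])
    print("round trip ok:", join_txt(value) == SAMPLE_RECORD)
```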

Part Five – Backing up Carbonio CE:

It’s always a good idea to back up your mail in case of disaster. We will use cmbackup, which is a good start as an Open Source solution for backing up Carbonio mail. Cmbackup is still a bit of a work in progress, as it’s ported over from a similar Zimbra backup script, but the author, anahuac, is fairly responsive on the Zextras forums if you have issues. It’s unfortunate that Zextras has abandoned us “Suite” users, but hopefully they will re-introduce a Zextras Suite product for CE in the near future.

  1. Backup Carbonio with cmbackup
    Install needed packages:

    root@mail:~$ apt-get install parallel wget curl sqlite3

    Download and install the latest cmbackup package:

    root@mail:~$ cd /opt
    root@mail:~$ wget https://www.anahuac.eu/cmbackup.tgz
    root@mail:~$ tar xvf cmbackup.tgz
    root@mail:~$ cd cmbackup
    root@mail:~$ ./install.sh
    root@mail:~$ su - zextras
    zextras@mail:~$ cmbackup -v
    cmbackup version: 1.2.6

    ***After install, disable cmbackup cron jobs while testing. If you re-install or update CMBackup, the program will incorrectly create duplicate cron jobs on re-installs or updates (bug). Make sure you delete those jobs from /etc/cron.d or the cron won’t run. I had to backup ALL mailboxes (can’t backup just one – won’t work – bug).

  2. Time to back up your mailboxes:
    To back up all mail:

    zextras@mail:~$ cmbackup -f -m user@yourdomain.ca   # actually backs up all mailboxes

    To back up a user:

    zextras@mail:~$ cmbackup -r -m mbox-20231213110928 user@yourdomain.ca

    To create an incremental backup:

    zextras@mail:~$ cmbackup -i
  3. Restore mailbox:
    List all backups and restore backup:

    zextras@mail:~$ cmbackup -l

    You will get an output like this:

    +---------------------------+------------+----------+----------------------------+
    |       Session Name        |    Date    |   Size   |        Description         |
    +---------------------------+------------+----------+----------------------------+
    | full-20231227063546       | 12/27/2023 | 6.5G     | Full Backup                |
    | full-20231228013001       | 12/28/2023 | 6.5G     | Full Backup                |
    | full-20231229013001       | 12/29/2023 | 6.5G     | Full Backup                |
    | full-20231230013001       | 12/30/2023 | 6.5G     | Full Backup                |
    | full-20231231013001       | 12/31/2023 | 6.5G     | Full Backup                |
    | full-20240101013001       | 01/01/2024 | 6.5G     | Full Backup                |
    | full-20240102013001       | 01/02/2024 | 6.5G     | Full Backup                |
    | inc-20231227080001        | 12/27/2023 | 96K      | Incremental Backup         |
    | inc-20231227120001        | 12/27/2023 | 212K     | Incremental Backup         |
    | inc-20231227160001        | 12/27/2023 | 288K     | Incremental Backup         |
    | inc-20231227200001        | 12/27/2023 | 336K     | Incremental Backup         |
    | inc-20231228000001        | 12/28/2023 | 372K     | Incremental Backup         |
    | inc-20231228040001        | 12/28/2023 | 76K      | Incremental Backup         |
    | mbox-20180408160808       | 12/28/2023 | 40K      | Mailbox                    |
    +---------------------------+------------+----------+----------------------------+
    

    Restore a single user from the list above:

    zextras@mail:~$ cmbackup -r -m mbox-20180408160808 user@yourdomain.ca

    Restore a domain:

    zextras@mail:~$ cmbackup -r full-20240102013001
  4. Now you need to set those jobs in cron to run daily or whatever frequency works for you. I do a full backup daily at 01:30 and incremental backups every four hours. Hint: Webmin is great for setting up those cron jobs.
  5. Pruning backups
    We need to delete old backups or they will eventually kill your system by filling up the /opt partition. Use cmbackup like so to prune backups older than 5 days:

    zextras@mail:~$ cmbackup -hp 5 days

    Add this to your cron job to run once overnight every day. I use: /usr/local/bin/cmbackup -hp 5 days in the cron job running as zextras user.

Part Six – How to Update Carbonio CE:

***STOP HERE AND SNAPSHOT YOUR SYSTEM!!!***

Carbonio CE is not as easy to update as Zimbra and you need to follow the procedure carefully to avoid damaging your install. Also, these instructions are to be executed on each Node, be it the (single) Node in a Single-Server installation, or all the Nodes in a Multi-Server installation. Assuming you have created a snapshot here is the WORKING procedure.

  1. Check your Zextras services to ensure your system is running ok:
    zextras@mail:~$ zmcontrol -v
    Carbonio Release 22.11.0
    
    zextras@mail:~$ zmcontrol status
    Host mail.example.com
            amavis                  Running
            antispam                Running
            antivirus               Running
            directory-server        Running
            logger                  Running
            mailbox                 Running
            memcached               Running
            mta                     Running
            opendkim                Running
            proxy                   Running
            service webapp          Running
            service-discover        Running
            stats                   Running
            zimbra webapp           Running
            zimbraAdmin webapp      Running
            zimlet webapp           Running
            zmconfigd               Running
  2. Even though the Carbonio guide says to “Disable Carbonio cron jobs” I would suggest you ignore this directive as Carbonio will instantly re-create the disabled jobs, leaving you with tons of duplicates. What a mess!
  3. Make a dump of the LDAP Database, especially if the upgrade includes the Directory Server. This can be done as follows:
    root@mail:~$ su - zextras
    zextras@mail:~$ mkdir /opt/update_bu
    zextras@mail:~$ /opt/zextras/libexec/zmslapcat /opt/update_bu/ldbackup
    zextras@mail:~$ cp /opt/zextras/conf/localconfig.xml /opt/update_bu/
    zextras@mail:~$ zmcontrol stop
    zextras@mail:~$ exit
  4. Upgrade your server. Important: Do not install these updates from the webmin UI!
    root@mail:~$ apt update && apt upgrade --fix-broken
  5. Bootstrap Carbonio Files database.
    Note: Take a close look at the list of packages that are going to be upgraded in this process. If it has any DB (-db) package in the upgrade list, then you need to bootstrap the corresponding database by running:

    root@mail:~$ PGPASSWORD="supersecret_16_character_password" carbonio-files-db-bootstrap carbonio_adm 127.0.0.1

    If you are having problems with Carbonio accepting your password, see Troubleshooting section below for reset instructions.

  6. Register upgraded packages to Carbonio Mesh:
    root@mail:~$ pending-setups -a   # enter your Carbonio Mesh password when prompted (Password=supersecretPW)
    root@mail:~$ reboot

     

Part Seven – Backing up Carbonio CE backup to the Cloud with Restic:

Coming soon…

Troubleshooting tips

Still not working as you expect? Check out the log files in your VM before you post a comment. If it is still not working, check your steps carefully; every command has to be issued as it is shown above. If you find any mistakes with this how-to, please leave a comment below.

Problems and solutions

  • Check the Carbonio forums as they are a good resource for common errors, etc.
  • Carbonio not accepting your postgres password:
    Note: When you first create your postgres (PG) password in the initial install the limit is 99 characters, but special characters like “=” will break the password in PG. As I used Bitwarden to generate the random password, I think that is what broke it for me. PG accepted the password and I stored it for future use, but when I tried to upgrade as per the above instructions I got an error. Most PG admins agree that a 16 character password is adequate (minus the bad special characters of course). See this post for more info.
    If you have issues with an incorrect or forgotten postgres password on upgrade here is how to reset it as root:

    sudo -u postgres psql
    postgres=# \password carbonio_adm
    Enter new password for user "carbonio_adm":
    Enter it again:
    postgres=# \q
  • Here is a cmbackup command list for your reference:
    $ cmbackup -h
    usage: cmbackup -f [-m,-dl,-al,-ldp, -sig] [-d,-a] <mail/domain>
           cmbackup -i <mail>
           cmbackup -r [-m,-dl,-al,-ldp, -sig] [-d,-a] <session> <mail>
           cmbackup -r [-ro] <session> <mail_origin> <mail_destination>
           cmbackup -d <session>
           cmbackup -m
    
    Options:
    
     -f,  --full                      : Execute full backup of an account, a list of accounts, or all accounts.
     -i,  --incremental               : Execute incremental backup for an account, a list of accounts, or all accounts.
     -l,  --list                      : List all backup sessions that still exist in your disk.
     -r,  --restore                   : Restore the backup inside the users account.
     -d,  --delete                    : Delete a session of backup.
     -hp, --housekeep                 : Execute the Housekeep to remove old sessions - Zmbhousekeep
     -m,  --migrate                   : Migrate the database from TXT to SQLITE3 and vice versa.
     -v,  --version                   : Show the cmbackup version.
     -h,  --help                      : Show this help
    
    Full Backup Options:
    
     -m,   --mail                     : Execute a backup of an account, but only the mailbox.
     -dl,  --distributionlist         : Execute a backup of a distributionlist instead of an account.
     -al,  --alias                    : Execute a backup of an alias instead of an account.
     -ldp, --ldap                     : Execute a backup of an account, but only the ldap entry.
     -sig, --signature                : Execute a backup of a signature.
     -d,   --domain                   : Execute a backup of only a set of domains, comma separated
     -a,   --account                  : Execute a backup of only a set of accounts, comma separated
    
    Restore Backup Options:
    
     -m,   --mail                     : Execute a restore of an account,  but only the mailbox.
     -dl,  --distributionlist         : Execute a restore of a distributionlist instead of an account.
     -al,  --alias                    : Execute a restore of an alias instead of an account.
     -ldp, --ldap                     : Execute a restore of an account, but only the ldap entry.
     -ro,  --restoreOnAccount         : Execute a restore of an account inside another account.
     -sig, --signature                : Execute a restore of a signature.
     -d,   --domain                   : Execute a backup of only a set of domains, comma separated
     -a,   --account                  : Execute a backup of only a set of accounts, comma separated
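
For the postgres password problem described in the troubleshooting notes above, this added example (not from the original guide) checks a candidate password before it is set and generates one that passes. Treating only letters and digits as safe and 16 characters as the minimum are assumptions drawn from the note; the function names are hypothetical.

```shell
# Accept a password only if it is 16 to 99 characters long and purely
# alphanumeric. Assumption: the guide names "=" as a breaking character and
# 99 as the length limit; every other special character is refused as well.
pg_password_ok() {
    pw=$1
    [ "${#pw}" -ge 16 ] && [ "${#pw}" -le 99 ] || return 1
    case $pw in
        *[!A-Za-z0-9]*) return 1 ;;
    esac
    return 0
}

# Print a random alphanumeric password of $1 characters (default 16).
gen_pg_password() {
    n=${1:-16}
    while :; do
        # Three random bytes per wanted character leave ample margin after
        # base64's "+", "/" and "=" are filtered out; retry if ever short.
        cand=$(head -c "$((n * 3))" /dev/urandom | base64 |
               tr -dc 'A-Za-z0-9' | cut -c "1-$n")
        [ "${#cand}" -eq "$n" ] && break
    done
    printf '%s\n' "$cand"
}

# Using the result with the guide's step 5 command without typing the secret
# on the command line:
#   stty -echo; read -r PGPASSWORD; stty echo; export PGPASSWORD
#   carbonio-files-db-bootstrap carbonio_adm 127.0.0.1
#   unset PGPASSWORD

# Demonstration with a constructed password containing "=".
pg_password_ok 'Constructed=Sample=Pass1' || echo "rejected: contains a special character"
```

Reading the value with echo disabled, rather than typing `PGPASSWORD="..."` inline, keeps the secret out of root's shell history.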
lalaland2024
2 months ago

Hello, trying a multiserver install in Carbonio CE 24.7.1

1 Mesh + Database
1 Proxy
1 MTA
1 Mailstore

Can’t send via webmail, throws an error. In logs “MTA not found”
Thunderbird sends but hangs writing in SentBox.

I did two attempts, same results.

lalaland2024
2 months ago
Reply to  lalaland2024

Follow up:

  • 1 Mesh + Database.
  • 1 Mailstore
  • 1 MTA
  • 1 Proxy

The installation order solved my problem

Regards.

funifuni
4 months ago

port no 10001 and 10050
What purpose? In official zextras page,
I can’t see 10001 and 10050

BelluX
8 months ago

Fail2Ban is not working with Ubuntu 22.04 and Carbonio new release. I posted detail on Zextras forum.