Now that Synacor has decided to stop supporting Zimbra OSE it is time to move over to Carbonio CE for my mail server needs. I have looked at many alternatives, but Carbonio is the closest thing out there and as it is built mainly on Zimbra to begin with, it should fit my needs for the time being. While it still has a way to go feature-wise (it’s gui could use some improvement and added features for example) on the plus side, it is under active development and while the support community on Carbonio’s forums is still sparse it should improve as more people move over from the Zimbra product.
Now while there are a few how-to posts out on the web for installing Carbonio CE I’ve found many of them don’t work properly or the instructions are incomplete and produce a broken server. So having tried all of the available instructional posts and experiencing many failed installs, I decided to publish this complete guide. Though your mileage may vary depending on your system, this guide will at least get you a working mail server.
The system I am installing on resides on a TrueNas server in a Byhve virtual Ubuntu machine with 12GB of ram, two Virtual CPUs, two Cores, two Threads and the Boot Loader set to UEFI. This guide will assume you know how to create a VM and can set up your network etc. When you install Ubuntu, set your swap file to match the size of your ram as I have found Carbonio CE likes to load up the swap file and the default 4GB will be insufficient. I also like to create two volumes inside a carbonio dataset: carbonio_root & carbonio_data (which I mount on the new VM as /opt). On install, I gave my host name as “mail” and most of the steps I “sudo su” to “root” as it’s easier when you are installing a lot of stuff at the same time. Notice the naming conventions in the prompts below. If you see: “root@mail:~$” I am root and “zextras@mail:~$” or “zimbra@mail:~$” I am the zextras user or zimbra user respectively.
Summary
- Part One – Prepare Your VM’s Environment
- Part Two – Install Carbonio
- Part Three – Migrate data from Zimbra to Carbonio CE
- Part Four – Set Up LetsEncrypt & DKIM for your Carbonio Domains
- Part Five – Backing up Carbonio CE
- Part Six – How to Update Carbonio CE
- Part Seven – Backing up Carbonio CE backup to Cloud Storage with Restic
- Troubleshooting and Useful Resources
Part One – Prepare Your VM’s Environment:
Note: Re: Webmin and SSH access. I love Webmin as it’s super handy and I always install it on all my VMS. I used to use Putty a lot for ssh access but then I discovered Remote Desktop by Devolutions. It’s an amazing piece of console software for Windows, it’s free and I challenge ANYONE out there to show me a better product! Check it out, you’ll never go back to using anything else after you try Remote Desktop!
- Install webmin
Add webmin repository:root@mail:~$ nano /etc/apt/sources.list
Add the webmin repository info to bottom of “/etc/apt/sources.list” and save:
deb http://download.webmin.com/download/repository sarge contrib
Add key:
root@mail:~$ wget -q -O- http://www.webmin.com/jcameron-key.asc | sudo apt-key add root@mail:~$ sudo apt update root@mail:~$ sudo apt install webmin
- Install Perl socket6 – useful for when Carbonio get’s its IPV6 act together:
root@mail:~$ apt-get install libsocket6-perl
- Switch webmin port to 10001 and use Webmin to update system packages
Note: Unfortunately, Carbonio ALSO uses port 10000 for their admin GUI (why I do not know, since webmin has been using that port forever?!) so we need to switch webmin’s port.
- Assign static IPV$ & IPV6 IP address to zextras server through Netplan:
root@mail:~$ cd /etc/netplan root@mail:~$ nano your.yaml
Hint: I use my DHCP server to auto assign static ipv4/6 to all my VM’s.
# This is the network config written by 'subiquity' network: ethernets: enp0s4: dhcp4: true dhcp6: true version: 2Apply your changes:
root@mail:netplan apply
***STOP HERE AND SNAPSHOT!!!***
- Now it’s time to shut down the VM and snapshot the install so far. Call it “clean_install” or something like that. If anything goes wrong or you make an error, you can return to this point without having to start from scratch.
- Set machine hostname and host file information:
Even though you set the hostname in Ubuntu’s install setup, it never hurts to double check.root@mail:~$ hostnamectl set-hostname mail
Adjust networking > networking configuration >hosts in Webmin as follows:
nameserver 127.0.0.1 nameserver 9.9.9.9 search mail.yourdomain.ca
Make sure /etc/hostname file looks like:
127.0.0.1 localhost.localdomain localhost "servers private IP" mail.yourdomain.ca mail
- Install dnsmasq:
root@mail:~$ apt-get install dnsmasq
Modify dnsmasq.conf:
# ################################### # BEGIN CARBONIO SERVER DNSMASQ CONFIG # ################################### # # Name Servers to use for resolution: # IP addresses below are for Google's public DNS servers; # you may wish instead to use your ISP's upstream servers, # or your AD servers with the DNS Role installed. # What's my Zextras server's domain? domain=yourdomain.ca # mx-host=yourdomain.ca,mail.yourdomain.ca,5 # # Only localhost can talk to me (Zextras Default). # Add this server's RFC1918 IP address if you want # other Zextras servers on the network to query me. listen-address=127.0.0.1 # # DNS A Record-Equivalent(s) go here: address=/mail.yourdomain.ca/10.40.10.51 #Needed for import/export address=/yourdomain.ca/10.40.10.51 # # # DNS PTR Record-Equivalent(s) go here: ptr-record=51.10.40.10.in-addr.arpa,mail.yourdomain.ca # # DNS MX Record-Equivalent(s) go here: srv-host=_autodiscover._tcp.yourdomain.ca.,mail.yourdomain.ca.,443 # # Increase the number of host lookups cached from the default 150 cache-size=9500 # bind-interfaces # ################################### # END CARBONIO SERVER DNSMASQ CONFIG # ###################################
Enable dnsmaq:
root@mail:~$ systemctl enable dnsmasq root@mail:~$ systemctl restart dnsmasq
***STOP HERE AND SNAPSHOT!!!***
- Shut down VM and snapshot again. Call the snap “before Carbonio”:
root@mail:~$ poweroff -f
Test DNS using host command:
root@mail:~$ dig yourdomain.ca mx
You should see results similar to the following:
; <<>> DiG 9.16.1-Ubuntu <<>> yourdomain.ca mx ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28032 ;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ;; QUESTION SECTION: ;yourdomain.ca. IN MX ;; ANSWER SECTION: yourdomain.ca. 0 IN MX 5 mail.yourdomain.ca. ;; ADDITIONAL SECTION: mail.yourdomain.ca. 0 IN A 10.40.10.51
Ensure your hostname is returned correctly:
root@mail:~$ host $(hostname)
You should see your private IP returned like so:
root@mail:~$ mail has address 10.40.10.51
Part Two – Install Carbonio:
- Add zextras repository. Download the following script using:
root@mail:~$ wget https://repo.zextras.io/inst_repo_ubuntu.sh
Give the script execution rights:
root@mail:~$ chmod +x inst_repo_ubuntu.sh
Execute the script:
root@mail:~$ ./inst_repo_ubuntu.sh
Update & upgrade repository database
root@mail:~$ apt update -y
- Install Carbonio CE packages:
root@mail:~$ apt install service-discover-server carbonio-directory-server carbonio-proxy carbonio-webui carbonio-files-ui carbonio-admin-login-ui carbonio-mta carbonio-appserver carbonio-user-management carbonio-files-ce carbonio-files-db carbonio-storages-ce carbonio-preview-ce carbonio-docs-connector-ce carbonio-docs-editor carbonio-admin-ui carbonio-admin-console-ui postgresql-12 -y
- Configure and launch Carbonio CE:
root@mail:~$ carbonio-bootstrap
Set some options in the admin menu:
set timezone option = 1 > 6 = 37 apply config y
- Setup Carbonio Mesh & pending setups:
Create a password (mypassword) **store password somewhere as you will need it again for upgrading.root@mail:~$ service-discover setup-wizard *specify your internal ip of the server root@mail:~$ pending-setups **a for all
- Configure Carbonio CE databases:
root@mail:~$ su - postgres -c "psql --command=\"CREATE ROLE carbonio_adm WITH LOGIN SUPERUSER encrypted password 'secretpw16charactersmax';\"" root@mail:~$ su - postgres -c "psql --command=\"CREATE DATABASE carbonio_adm owner carbonio_adm;\""
You will see an output similar to this:
$PGPASSWORD=secretpw16charactersmax carbonio-files-db-bootstrap carbonio_adm 127.0.0.1
Restart CARBONIO:
root@mail:~$ su - zextras root@mail:~$ zmcontrol restart root@mail:~$ zmcontrol -v
- Assign a password to the user zextras@carbonio.domain.tld
root@mail:~$ su - zextras zextras@mail:~$ zmprov setpassword zextras@yourdomain.ca mysecretpw
- Configure firewall:
root@mail:~$ ufw status root@mail:~$ ufw allow ssh root@mail:~$ ufw allow 25,80,110,143,443,587,993,995,6071,8636,5222,10001,10050/tcp
- Install Fail2ban:
root@mail:~$ apt-get install fail2ban -y
Create the “/etc/fail2ban/filter.d/carbonio.conf” file and add:
[Definition] failregex = \[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$ \[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$ ;oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$ \[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$ WARN .*;ip=<HOST>;ua=CarbonioWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$ NOQUEUE: reject: RCPT from .*\[<HOST>\]: 550 5.1.1 .*: Recipient address rejected:Create the “/etc/fail2ban/jail.local” file:
root@mail:~$ nano /etc/fail2ban/jail.local
*Add text below:
[DEFAULT] # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not # ban a host which matches an address in this list. Several addresses can be # defined using space separator. ignoreip = 127.0.0.1/8 10.40.10.0/24 yourdomain.ca someip/32 someip/32 # "bantime" is the number of seconds that a host is banned. bantime = 600 # A host is banned if it has generated "maxretry" during the last "findtime" # seconds. findtime = 600 # "maxretry" is the number of failures before a host get banned. maxretry = 3 banaction = ufw banaction_allports = ufw [ufw] enabled = true filter = ufw logpath = /var/log/ufw.log # Carbonio Jails. [carbonio-account] enabled = true filter = carbonio action = iptables-allports[name=carbonio-account] #sendmail[name=carbonio-account, dest=zextras@domain.tld] logpath = /opt/zextras/log/mailbox.log bantime = 600 maxretry = 5 [carbonio-audit] enabled = true filter = carbonio action = iptables-allports[name=carbonio-audit] #sendmail[name=Carbonio-audit, dest=zextras@domain.tld] logpath = /opt/zextras/log/audit.log bantime = 600 maxretry = 5 [carbonio-recipient] enabled = true filter = carbonio action = iptables-allports[name=carbonio-recipient] #sendmail[name=Carbonio-recipient, dest=zextras@domain.tld] logpath = /var/log/carbonio.log bantime = 172800 maxretry = 5 [postfix] enabled = true filter = postfix action = iptables-multiport[name=postfix, port=smtp, protocol=tcp] #sendmail-buffered[name=Postfix, dest=zextras@domain.tld] logpath = /var/log/carbonio.log bantime = 172800 maxretry = 5
Save changes and restart Fail2ban:
root@mail:~$ systemctl restart fail2ban
You can check the status of fail2ban using:
root@mail:~$ fail2ban-client status carbonio-audit
Part Three – Migrate data from Zimbra to Carbonio CE:
Note: A few things you should keep in mind before starting the mailbox export/import process:
* Set the socket timeout on both servers high.
* Check if you have any attachment limits. It’s a good idea to increase attachment size to 50 MB.
-
-
- Set timeout limits:
zimbra@mail:~$ zmprov mcf zimbraMtaMaxMessageSize 52428800
Check current timeout value:
zimbra@mail:~$ zmlocalconfig socket_so_timeout
Change this with higher value to avoid timeouts:
zimbra@mail:~$ zmlocalconfig -e socket_so_timeout=3000000 zimbra@mail:~$ zmlocalconfig --reload
- Extract all user information from the old Zimbra server so we can create them on the new Carbonio server.
Z2C consists of a simple pair of scripts to export LDAP data from an original Zimbra or Carbonio server and import it on a brand new Zimbra or Carbonio server. It’s goal is to migrate accounts and help to dump and restore mailboxes from one server to another.
Let’s install it:root@mail:~$ mkdir /opt/Z2C root@mail:~$ mkdir /opt/Z2C/data root@mail:~$ wget https://www.anahuac.eu/Z2C.tgz root@mail:~$ tar xvf Z2C.tgz
Copy the files:
root@mail:~$ cp Z2C/* /opt/Z2C/
Give the script execution rights:
root@mail:~$ chmod +x /opt/Z2C/z2c.sh
Change ownership
root@mail:~$ chown -R zimbra:zimbra /opt/Z2C/
Execute the script as zimbra to export the data:
root@mail:~$ su - zimbra zimbra@mail:~$ cd /opt/Z2C zimbra@mail:~$ ./z2c.sh
- Transfer the Z2C account data. In OLD Zimbra Server run:
root@mail:~$ rsync -auv -e "ssh -C" /opt/Z2C/ root@new_server_ip:/opt/ *First time run or root@mail:~$ rsync -auv -e "ssh -C" /opt/Z2C/ root@new_server_ip:/opt/Z2C/ *Subsequent copies
- Change timeout value back after export:
zimbra@mail:~$ zmlocalconfig -e socket_so_timeout=30000 zimbra@mail:~$ zmlocalconfig --reload
- Set timeout limits:
Import User Data To the New Server
-
***STOP HERE AND SNAPSHOT!!!***
Shut down VM and snapshot again. Call the snap “before carbonio import”
root@mail:~$ poweroff -now
- Import all transferred data into the new server using the following method. Restore all domains & users, etc:
*Edit out spam and ham, galsync accounts out of mail and password files
Use a screen session because this could take a long time depending on no. of users, etc.:root@mail:~$ screen
*Tip: CTRL+a+d to exit screen session and leave it active.
Restore mailbox data:zextras@mail:~$ ./restore.sh
- Import Mailboxes from Zimbra into Zextras.
So far, we have exported all user information from the OLD server to the NEW server. So now we can change the necessary DNS records so that the NEW server can be the active email server. Change DNS records (on your firewall) to make the NEW server an active server. As soon as DNS records propagate, all users can log in to their email account using their existing credentials. But in their account, there will be no previous data. Now we will transfer email data to Carbonio.On OLD server:
When you first run Z2C you will notice it creates a full set of scripts in the Z2C/export directory:script_export_FULL.sh - a list of zmmailbox commands to dump all mailboxes; script_export_TRASH.sh - a list of zmmailbox commands to dump the Trash folder; script_import_FULL.sh - a list of zmmailbox commands to restore all mailboxes; script_import_TRASH.sh - a list of zmmailbox commands to restore the Trash folder; script_import_quota.txt - a list of zmprov commands to restore all accounts quotas if you need it; users.txt - show the list of users dumped from Zimbra server
We will use these scripts now to export mail off of the Zimbra server:
Switch to a screen session:root@mail:~$ screen root@mail:~$ su - zimbra zimbra@mail:~$ cd /opt/Z2C/export zimbra@mail:~$ ./script_export_FULL.sh
Exit screen and have a coffee:
zimbra@mail:~$ ctrl +ad root@mail:~$ screen -r zimbra@mail:~$ ./script_export_TRASH.sh
- Export to new server:
root@mail:~$ rsync -auv -e "ssh -C" /opt/Z2C/data root@new_server_ip:/opt/Z2C/
- Import mail into CARBONIO
Switch to a screen session:root@mail:~$ screen root@mail:~$ su - zextras zextras@mail:~$ cd /opt/Z2C/export zextras@mail:~$ ./script_import_FULL.sh
Exit screen have a coffee
zextras@mail:~$ ctrl +ad root@mail:~$ screen zextras@mail:~$ ./script_import_TRASH.sh
If you get a timeout error (large mailboxes tended to timeout for me) use the following command:
zextras@mail:~$ curl -k -H "Transfer-Encoding: chunked" -u admin:AdminPassword -T /directory_backup_tgz/your_username@your_domain.com.tgz -X POST"https://localhost:6071/service/home/your_username@your_domain.com/?fmt=tgz&resolve=skip"
Note: The only unfortunate thing about the timeout fix above is that you have to import each mailbox manually. It would be nice if Zextras offered the import/export suite as an addon for Carbonio CE but they only offer it on their enterprise edition which starts at 150 mailboxes. Hopefully someone will update the Z2C export/import script so that it exclusively uses the chunked method of importing. Granted, it’s much slower, but it works on large mailboxes and if you follow the instructions above it just means that it takes a bit more time for the users data to show up from the old server – not a deal killer. BTW, I had to use this method to import all my large mailbox accounts.
- Copy Users Filter Rules
Export existing filter user rules (from Zimbra) and save into a file:zimbra@mail:~$ mkdir /opt/Z2C/filters zimbra@mail:~$ cd/opt/Z2C/filters zimbra@mail:~$ zmprov -l ga UserA@yourdomain.com zimbraMailSieveScript > /filters/user.filter_rules.txt
Prepare the output file “/tmp/filter_rules.txt”
zimbra@mail:~$ sed -i -e "1d" /tmp/filter_rules.txt zimbra@mail:~$ sed -i -e 's/zimbraMailSieveScript: //g' /filters/user.filter_rules.txt
Check required folders’ path for the filter rules.
zimbra@mail:~$ cat /filters/user.filter_rules.txt | grep 'fileinto'
Example:
zimbra@mail:~$ cat /tmp/filter_rules.txt | grep 'fileinto' fileinto "TestEmail/TEST2"; fileinto "User5"; fileinto "Admin";
Import prepared filter rules on another user. Copy the filters folder to /opt/Z2C/ on the target server:
zextras@mail:~$ cd /opt/Z2C/filters zextras@mail:~$ zmprov ma UserB@yourdomain.com zimbraMailSieveScript "`cat /tmp/filter_rules.txt`"
Part Four – Set Up LetsEncrypt & DKIM for your Carbonio Domains:
***STOP HERE AND SNAPSHOT BEFORE INSTALLING CERTS!!!***
Note: I followed a bunch of “How to install LetsEncrypt for Carbonio” guides and none of them worked for me. I also tried to use the Carbonio Certificate Installer GUI thingy, but it also does not work, especially when importing existing domains from a previous Zimbra install. The immortal Zimbra/sysadmin expert, Jim Dunphy, has ported over a working Zimbra Letsencrypt method which is described below.
- Install socat (needed for LetsEncrypt):
root@mail:~$ apt install socat
Temporarily change ownership on zextras folder (needed for installing LetsEncrypt)
root@mail:~$ chown zextras:zextras /opt/zextras/ root@mail:~$ su - zextras zextras@mail:~$ wget -O - https://get.acme.sh | sh zextras@mail:~$ exit root@mail:~$ chown root:root /opt/zextras/
- Upload ‘carbonio.sh’ to .acme.sh/deploy directory:
Fix permissions:root@mail:~$ chown zextras:zextras /opt/zextras/.acme.sh root@mail:~$ su - zextra zextras@mail:~$ cd ~/.acme.sh zextras@mail:~$ acme.sh --upgrade
Add access keys to dns_aws.sh & set LetsEncrypt as default
zextras@mail:~$ acme.sh --set-default-ca --server letsencrypt zextras@mail:~$ acme.sh --set-default-chain --preferred-chain ISRG --server letsencrypt
- Issue certs for your domains:
Note: I am also using Route53 on AWS so I am able to automate dns verification (huge timesaver). Read this link for more info and a list of supported DNS providers. The example below shows my AWS (dns_aws) automated check:zextras@mail:~$ acme.sh --issue --keylength 2048 --dns dns_aws -d mail.yourdomain.ca -d mail.addnldomain1.com -d mail.addnldomain2.com -d mail.addnldomain3.ca
- Deploy your certificate:
Note: The example below uses Jim Dunphy’s deploy script which you can download by clicking here.zextras@mail:~$ acme.sh --deploy --deploy-hook carbonio -d mail.yourdomain.ca
View your deployed cert:
zextras@mail:~$ zmcertmgr viewdeployedcrt
View Letsencrypt cert expiry:
zextras@mail:~$ acme.sh --list
- Set up DKIM for Incoming E-mails in Carbonio CE:
Configuring DKIM for outgoing e-mail signing improves the credibility of your messages sent by users on your servers. This happens as the receiving server can validate your e-mail DKIM record. For that to happen, we need to configure OpenDKIM to sign outgoing e-mails. By configuring DKIM to check incoming e-mails any incoming e-mail that lacks domain keys is automatically rejected. To do so we configure the OpenDKIM to check incoming e-mails as follows:
Edit opendkim.conf:root@mail:~$ nano /opt/zextras/conf/opendkim.conf
Set the values for On-NoSignature and Mode respectively to “reject” and “sv”Restart the OpenDKIM service:
root@mail:~$ su - zextras zextras@mail:~$ zmcontrol restart opendkimInstall the install libxml-simple-perl package: root@mail:~$ apt-get install libxml-simple-perl root@mail:~$ su - zimbra
Generate a DKIM key for your domain:
zextras@mail:~$ /opt/zextras/libexec/zmdkimkeyutil -a -d example.tld
Understanding the Output:
The Selector which is the string before ._domainkey, in our case 0E9F184A-9577-11E1-AD0E-2A2FBBAC6BCB, The Version which is indicated with v= in our case v=DKIM1, The Key type which is indicated with k= in our case k=rsa, The Public key which is indicated with p= in our case p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDY5CBg15nZ2vYnRmrNub6Jn6ghQ2DXQbQgOJ/E5IGziUYEuE2OnxkBm1h3jived21uHjpNy0naOZjLj0xLyyjclVy1chrhSbsGAhe8HLXUsdXyfRvNTq8NWLsUnMEsoomtJCJ/6LYWYU1whOQ9oKZVAwWHSovAWZpByqNMZmFg7QIDAQAB
Adding your DKIM data to the DNS:
Now it’s time to add the DKIM data obtained in the previous section to your DNS. To do so, access your DNS provider, for example, GoDaddy, Network Solutions, etc. Access your DNS management based on your provider’s instructions.
– Add a new TXT entry setting Record Type as TXT.
– Insert your selector as yourSelector._domainkey in the Hostname field.
– Insert your version, key type, and public key, and separated them by ; like v=…;k=…;p=… in the TXT Value field.
– Assign the Time to Live (TTL), for example, let’s use 3600s.
– Save the entry.
Note:If you use Route 53: You can’t paste the entire key in as you will get an error, the keys need to be split as indicated in the example below:
Use this key and paste it into notepad++ and match with the key output by the command above. Note where the double quotes are as this is the ‘split’ point:"v=DKIM1;k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAdfgrIIBCgKCAQEA6GFaC329i7DTkt02Dzclng9eyxBjxTkDucaCKZm3bw/ovdk8UdDPAYUHiGW65TQ9KyszZPn8x9FnbYIAoYS6yoytWOQTgkOscT3yueCmb+Re0m87EhSMzOyEEKUjbnsKO3p7qVIE5+XgyYmCmt1""pFSX0CAzzpSwIldt1FtyukEiRN7rDcw9SPBfRYYfRxARf3m8UCPmhcD0Ttgn+RgIfu90GvORhGmL73BByJJQO+87WhIEwZ7JlbXO9UyFLocuITl8/UPi9H65urr7ONgBswzHvARD50pvPvDBgFXz3Yac0aLiqI+QxPLCQQLuYH6/X0K1Cz0t7LtNc4UAgpozcHwIDAQAB"
For more info look here.
- Update Carbonio RBL’s via zimbraMtaRestriction
Check your existing settings as Zextras user:zextras@mail:~$ carbonio prov gcf zimbraMtaRestriction zimbraMtaRestriction: reject_invalid_helo_hostname zimbraMtaRestriction: reject_non_fqdn_sender zimbraMtaRestriction: reject_unknown_sender_domain
Modify with new settings (will overwrite old settings):
zextras@mail:~$ carbonio prov mcf \ zimbraMtaRestriction reject_invalid_helo_hostname \ zimbraMtaRestriction reject_non_fqdn_sender \ zimbraMtaRestriction reject_unknown_sender_domain \ zimbraMtaRestriction reject_invalid_hostname \ zimbraMtaRestriction "reject_rbl_client cbl.abuseat.org" \ zimbraMtaRestriction "reject_rbl_client bl.spamcop.net" \ zimbraMtaRestriction "reject_rbl_client sbl.spamhaus.org" \ zimbraMtaRestriction "reject_rbl_client b.barracudacentral.org"
Restart zmmtactl (will take a while, be patient):
zextras@mail:~$ zmmtactl restart
Part Five – Backing up Carbonio CE:
It’s always a good idea to backup your mail in case of disaster. We will use cmbackup, which is a good start as an Open Source solution for backing up Carbonio mail. Cmbackup is still a bit of a work in progress, as it’s ported over from a similar Zimbra backup script but the author, anahuac, is fairly responsive on the Zextras forums if you have issues. It’s unfortunate that Zextras has abandoned us “Suite” users, but hopefully they will re-introduce a Zextras Suite product for CE in the near future.
- Backup Carbonio with cmbackup
Install needed packages:root@mail:~$ apt-get install parallel wget curl sqlite3
Download and install the latest cmbackup package:
root@mail:~$ cd /opt root@mail:~$ wget https://www.anahuac.eu/cmbackup.tgz root@mail:~$ cd cmbackup root@mail:~$ ./install.sh root@mail:~$ su - zextras zextras@mail:~$ cmbackup -v zextras@mail:~$ cmbackup version: 1.2.6
***After install, disable cmbackup cron jobs while testing. If you re-install or update CMBackup, the program will incorrectly create duplicate cron jobs on re-installs or updates (bug). Make sure you delete those jobs from /etc/cron.d or the cron won’t run. I had to backup ALL mailboxes (can’t backup just one – won’t work – bug).
- Time to backup up your mailboxes:
To backup all mail:zextras@mail:~$ cmbackup -f -m user@yourdomain.ca *actually backs up all mailboxes
To back up a user:
zextras@mail:~$ cmbackup -r -m mbox-20231213110928 user@yourdomain.ca
To create an incremental backup:
zextras@mail:~$ cmbackup -i
- Restore mailbox:
List all backups and restore backup:zextras@mail:~$ cmbackup -l
You will get an output like this:
+---------------------------+------------+----------+----------------------------+ | Session Name | Date | Size | Description | +---------------------------+------------+----------+----------------------------+ | full-20231227063546 | 12/27/2023 | 6.5G | Full Backup | | full-20231228013001 | 12/28/2023 | 6.5G | Full Backup | | full-20231229013001 | 12/29/2023 | 6.5G | Full Backup | | full-20231230013001 | 12/30/2023 | 6.5G | Full Backup | | full-20231231013001 | 12/31/2023 | 6.5G | Full Backup | | full-20240101013001 | 01/01/2024 | 6.5G | Full Backup | | full-20240102013001 | 01/02/2024 | 6.5G | Full Backup | | inc-20231227080001 | 12/27/2023 | 96K | Incremental Backup | | inc-20231227120001 | 12/27/2023 | 212K | Incremental Backup | | inc-20231227160001 | 12/27/2023 | 288K | Incremental Backup | | inc-20231227200001 | 12/27/2023 | 336K | Incremental Backup | | inc-20231228000001 | 12/28/2023 | 372K | Incremental Backup | | inc-20231228040001 | 12/28/2023 | 76K | Incremental Backup | | mbox-20180408160808 | 12/28/2023 | 40K | Mailbox | +---------------------------+------------+----------+----------------------------+
Restore a single user from the list above:
zextras@mail:~$ cmbackup -r -m mbox-20180408160808 user@yourdomain.ca
Restore a domain:
zextras@mail:~$ cmbackup -r full-20240102013001
- Now you need to set those jobs in cron to run daily or whatever frequency works for you. I do a full backup daily at 01:30 and incremental backups every four hours. Hint: Webmin is great for setting up those cron jobs.
- Pruning backups
We need to delete old backups or they will eventually kill your system by filling up the /opt partition. Use cmbackup like so to prune backup older than 5 days:zextras@mail:~$ cmbackup -hp 5 days
Add this to your cron job to run once overnight every day. I use: /usr/local/bin/cmbackup -hp 5 days in the cron job running as zextras user.
Part Six – How to Update Carbonio CE:
***STOP HERE AND SNAPSHOT YOUR SYSTEM!!!***
Carbonio CE is not as easy to update as Zimbra and you need to follow the procedure carefully to avoid damaging your install. Also, these instructions are to be executed on each Node, be it the (single) Node in a Single-Server installation, or all the Nodes in a Multi-Server installation. Assuming you have created a snapshot here is the WORKING procedure.
- Check your Zextras services to ensure your system is running ok:
zextras@mail:~$ zmcontrol -v Carbonio Release 22.11.0 zextras@mail:~$ zmcontrol status Host mail.example.com amavis Running antispam Running antivirus Running directory-server Running logger Running mailbox Running memcached Running mta Running opendkim Running proxy Running service webapp Running service-discover Running stats Running zimbra webapp Running zimbraAdmin webapp Running zimlet webapp Running zmconfigd Running - Even though the Carbonio guide says to “Disable Carbonio cron jobs” I would suggest you ignore this directive as Carbonio will instantly re-create the disabled jobs, leaving you with tons of duplicates. What a mess!
- Make a dump of the LDAP Database, especially if the if the upgrade includes the Directory Server. This can be done as follows:
zextras@mail:$ su - zextras zextras@mail:$ mkdir /opt/update_bu zextras@mail:$ /opt/zextras/libexec/zmslapcat /opt/update_bu/ldbackup extras@mail:$ cp /opt/zextras/conf/localconfig.xml /opt/update_bu/ zextras@mail:$ zmcontrol stop zextras@mail:$ exit
- Upgrade your server. Important: Do not install these updates from the webmin UI!
root@mail:$ apt update && apt upgrade --fix-broken
- Bootstrap Carbonio Files database.
Note: Take a close at the list of packages that are going to be upgraded in this process. If it has any DB(-db) package in the upgrade list, then you need to bootstrap the corresponding database by running:PGPASSWORD="supersercret_16_character_password" carbonio-files-db-bootstrap carbonio_adm 127.0.0.1
If you are having problems with Carbonio accepting your password, see Troubleshooting section below for reset instructions.
- Register upgraded packages to Carbonio Mesh:
root@mail:$ pending-setups -a **Password=supersecretPW root@mail:$ reboot
Part Seven – Backing up Carbonio CE backup to the Cloud with Restic:
Coming soon…
Troubleshooting tips
Still not working as you expect? Check out the log files in your VM before you post a comment. Still not working, check your steps carefully, every command has to be issued as it is shown above. If you find any mistakes with this how-to please leave a comment below.
Problems and solutions
- Check the Carbonio forums as they are a good resource for common errors, etc.
- Carbonio not accepting your postgres password:
Note: When you first create your postgres (PG) password in the initial install the limit is 99 characters, but special characters like “=” will break the password in PG. As I used Bitwarden to generate the random password, I think that is what broke it for me. PG accepted the password and I stored it for future use, but when I tried to upgrade as per the above instructions I got an error. Most PG admins agree that a 16 character password is adequate (minus the bad special characters of course). See this post for more info.
If you have issues with an incorrect or forgotten postgres password on upgrade here is how to reset it as root:sudo -u postgres psql postgres=# \password carbonio_adm Enter new password for user "carbonio_adm": Enter it again: postgres=# \q
- Here is a cmbackup command list for your reference:
$ cmbackup -h usage: cmbackup -f [-m,-dl,-al,-ldp, -sig] [-d,-a] <mail/domain> cmbackup -i <mail> cmbackup -r [-m,-dl,-al,-ldp, -sig] [-d,-a] <session> <mail> cmbackup -r [-ro] <session> <mail_origin> <mail_destination> cmbackup -d <session> cmbackup -m Options: -f, --full : Execute full backup of an account, a list of accounts, or all accounts. -i, --incremental : Execute incremental backup for an account, a list of accounts, or all accounts. -l, --list : List all backup sessions that still exist in your disk. -r, --restore : Restore the backup inside the users account. -d, --delete : Delete a session of backup. -hp, --housekeep : Execute the Housekeep to remove old sessions - Zmbhousekeep -m, --migrate : Migrate the database from TXT to SQLITE3 and vice versa. -v, --version : Show the cmbackup version. -h, --help : Show this help Full Backup Options: -m, --mail : Execute a backup of an account, but only the mailbox. -dl, --distributionlist : Execute a backup of a distributionlist instead of an account. -al, --alias : Execute a backup of an alias instead of an account. -ldp, --ldap : Execute a backup of an account, but only the ldap entry. -sig, --signature : Execute a backup of a signature. -d, --domain : Execute a backup of only a set of domains, comma separated -a, --account : Execute a backup of only a set of accounts, comma separated Restore Backup Options: -m, --mail : Execute a restore of an account, but only the mailbox. -dl, --distributionlist : Execute a restore of a distributionlist instead of an account. -al, --alias : Execute a restore of an alias instead of an account. -ldp, --ldap : Execute a restore of an account, but only the ldap entry. -ro, --restoreOnAccount : Execute a restore of an account inside another account. -sig, --signature : Execute a restore of a signature. -d, --domain : Execute a backup of only a set of domains, comma separated -a, --account : Execute a backup of only a set of accounts, comma separated
Fail2Ban is not working with Ubuntu 22.04 and Carbonio new release. I posted detail on Zextras forum.