Requirements#
Each Node must satisfy the Hardware Requirements and Software Requirements below. Firewall Ports, by contrast, must be opened only on the Node that hosts the corresponding service. For example, port 6071 (secure access to the Admin Panel) must be opened only on the Node featuring the Carbonio Admin Panel.
Hardware Requirements#
For each node, these are the hardware requirements to comply with. The Disk Space mentioned in the table refers only to the Operating System and not the data (e-mail quota and e-mail traffic, number of documents stored, and so on), because space requirements for the data may vary considerably.
Moreover, you must take into account the following:
The Node that hosts Carbonio Storage, and therefore the e-mails, is the Node requiring more disk space.
The Carbonio Files service requires 4GB of RAM to start, so make sure that the Node hosting it has at least 6GB of RAM.
The Video Recording feature requires additional storage, which is difficult to estimate in advance. Indeed, it depends on a number of factors, including: number of participants and number of webcams active during the recording, length and dimension of the recording, screen sharing during the recording, and so on. As a general rule, a 1 hour recording at 1280x720 with 25 frames per second would occupy around 400MB of disk space in webm format.
Purely as an example, if you give a quota of 5GB to each of the 150 users, you need to assign 780GB of disk space (30GB for the OS and 750GB for the users' total quota) to the Node.
Software Requirements#
Carbonio is available for 64-bit CPUs only and can be installed on top of any of these vanilla distributions:
Ubuntu 22.04 LTS Server Edition: choose Ubuntu Server, not Ubuntu Server (minimized)
Ubuntu 24.04 LTS Server Edition: choose Ubuntu Server, not Ubuntu Server (minimized)
RHEL 8 (see specific requirements)
RHEL 9 (see specific requirements)
The following requirements must be satisfied before attempting to install Carbonio.
Python 3, latest version available on the Operating System chosen
Perl, latest version available on the Operating System chosen
Make sure that /etc/hosts does not contain any IPv6 entries
Locale settings: Carbonio requires strictly en_US.UTF-8 as the default system locale; a different locale may lead to unexpected issues and services not working correctly. Please follow the procedure described in Section Setting System Locale to modify the configuration.
Note
Only Carbonio Components should be installed on a Carbonio Node. Installing additional software is unsupported and may cause conflicts that could compromise Carbonio’s correct functioning. For example, software like Webmin, Cockpit, or Postfix may be using the same ports as Carbonio, therefore interfering with its everyday use.
RHEL Specific Requirements#
You need to satisfy these requirements, depending on the RHEL version you want to install:
RHEL 8#
If you plan to install Carbonio on RHEL 8, you need an active subscription to the following repositories, i.e., you must be able to fetch packages from them:
- BaseOS and the other main repositories:
  # subscription-manager repos --enable=rhel-8-for-x86_64-baseos-rpms
- Appstream:
  # subscription-manager repos --enable=rhel-8-for-x86_64-appstream-rpms
- CodeReady:
  # subscription-manager repos --enable=codeready-builder-for-rhel-8-x86_64-rpms
- EPEL:
  # dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
SELinux must be set to disabled or permissive in file /etc/selinux/config. You can check the current profile using the command
# sestatus
RHEL 9#
If you plan to install Carbonio on RHEL 9, you need an active subscription to the following repositories, i.e., you must be able to fetch packages from them:
- BaseOS and the other main repositories:
  # subscription-manager repos --enable=rhel-9-for-x86_64-baseos-rpms
- Appstream:
  # subscription-manager repos --enable=rhel-9-for-x86_64-appstream-rpms
- CodeReady:
  # subscription-manager repos --enable=codeready-builder-for-rhel-9-x86_64-rpms
- EPEL:
  # dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
SELinux must be set to disabled or permissive in file /etc/selinux/config. You can check the current profile using the command
# sestatus
If you plan to install Carbonio using Ansible (see Section Prepare the Ansible Environment), the Control Node must be equipped with the following software:
Python 3.12
Latest Ansible version (2.6.9)
Moreover, to connect to the Control Node you must use the ssh command with the -A option, e.g.:
$ ssh -A root@mail.example.com
Remember to replace mail.example.com with the name or IP of the Control Node.
systemd units to replace zmcontrol
By installing Carbonio on RHEL 9 you will no longer be able to manage Carbonio services with the legacy zmcontrol start <service>, zmcontrol restart <service>, and zmcontrol stop <service> commands. Interaction with services should be done exclusively through systemd commands.
Note
The zmcontrol -v command, used to retrieve Carbonio’s configuration, will continue working as usual.
The following are useful commands that can be used to manage the new systemd units and find the replacement of the zmcontrol commands.
- Get the list of all Carbonio services
  # systemctl list-unit-files
- Check the status of a service, for example Carbonio Tasks
  # systemctl status carbonio-tasks.service
  To manage a service's start, stop, and restart, replace status in the above command with start, stop, and restart respectively.
- zmcontrol start | stop | restart is no longer available and cannot be used as a convenience to restart all Carbonio services at once. This command has been replaced by the following four Component-specific systemd commands, which must be executed on the Node on which the Component is installed.
  # systemctl start/stop/restart carbonio-directory-server.target
  # systemctl start/stop/restart carbonio-appserver.target
  # systemctl start/stop/restart carbonio-mta.target
  # systemctl start/stop/restart carbonio-proxy.target
Additional Requirements#
- Acquaintance with the use of CLI is necessary. All carbonio commands must be executed as the zextras user (these commands will feature a zextras$ prompt), while all other commands must be issued as the root user, unless stated otherwise.
  Note
  The zextras user is created during the Carbonio installation process; it must not be created beforehand.
- Give meaningful names to the Nodes. For example, call them proxy.example.com, mta.example.com, and so on. Replace example.com with your domain name.
- During the installation procedure, you will need to write down some configuration options and their values, because they will be needed in the setup of the next Nodes. This information is summarised at the end of each Node's installation: copy it to a safe place and keep it at hand until the end of the installation. Examples of values include the IP address (public or private) of a Node or the password of a database user.
- Depending on the Components installed on each Node, you need to open in your firewall the ports listed in Firewall Ports for all the services you will offer. In case there are problems in the internal network communication, try to disable the firewall and try again: if it works, there was probably some firewall rule preventing communication.
- If none of the Nodes is exposed to the Internet, you need to forward two ports from the public IP: port 25/smtp to the Node featuring the MTA Component to be able to receive mail, and port 443/https to the Node installing the Proxy Component to allow users to access their webmail from a remote location.
- WebSocket must be allowed, and a Certificate that supports it must be used to access Carbonio, if you plan to install the Chats Component; see Section Websocket Protocol.
- If you plan to enable other protocols (e.g., POP, IMAP), you should also forward these ports accordingly. You can refer to section Firewall Ports for a list. Do not open these ports if you do not need these protocols!
- Also, for security reasons, port 6071, used to access the Carbonio Admin Panel, should never be exposed on the Internet, but be reachable only from a VPN tunnel or similar mechanisms.
- The same applies to SSH access to the Nodes: it should only be enabled from internal/management networks, while any remote access must be done via VPN tunnel or equivalent mechanism.
- The hostname of each Node must be a FQDN.
- Every Node must be able to resolve all other host names.
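The host requirements that can be checked mechanically (no IPv6 entries in /etc/hosts, en_US.UTF-8 as default locale, SELinux disabled or permissive on RHEL, FQDN hostname) can be verified before installation. The script below is an added example, not part of the Carbonio documentation or tooling; the function names and the locale file locations (/etc/default/locale on Ubuntu, /etc/locale.conf on RHEL) are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-flight checks for the requirements listed on this page.
# Every function returns 0 when the requirement is met and 1 when it is not.

# /etc/hosts must not contain IPv6 entries: flag any non-comment line
# whose first field (the address) contains a colon.
hosts_has_no_ipv6() {
    ! awk '!/^[[:space:]]*#/ && $1 ~ /:/ { bad = 1 } END { exit !bad }' "$1"
}

# The default locale must be exactly en_US.UTF-8. The file holds a
# LANG=... line, optionally quoted; the last assignment wins.
locale_is_en_us_utf8() {
    lang=$(sed -n 's/^LANG=//p' "$1" | tr -d "\"'" | tail -n 1)
    [ "$lang" = "en_US.UTF-8" ]
}

# On RHEL, SELINUX= in /etc/selinux/config must be disabled or permissive.
# A missing file (e.g. Ubuntu without SELinux) passes.
selinux_mode_allowed() {
    [ -f "$1" ] || return 0
    mode=$(sed -n 's/^SELINUX=//p' "$1" | tail -n 1)
    case "$mode" in
        disabled|permissive) return 0 ;;
        *) return 1 ;;
    esac
}

# The hostname must be a FQDN: dot-separated labels ending in a TLD.
is_fqdn() {
    printf '%s\n' "$1" |
        grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}$'
}

# Run all checks. Arguments (hosts file, locale file, SELinux config,
# hostname) override the defaults, which are assumptions of this example.
preflight() {
    rc=0
    loc=${2:-/etc/default/locale}
    [ -f "$loc" ] || loc=/etc/locale.conf
    hosts_has_no_ipv6 "${1:-/etc/hosts}" || { echo "FAIL: IPv6 entry in hosts file"; rc=1; }
    locale_is_en_us_utf8 "$loc" || { echo "FAIL: default locale is not en_US.UTF-8"; rc=1; }
    selinux_mode_allowed "${3:-/etc/selinux/config}" || { echo "FAIL: SELinux not disabled/permissive"; rc=1; }
    is_fqdn "${4:-$(hostname -f)}" || { echo "FAIL: hostname is not a FQDN"; rc=1; }
    return "$rc"
}

if [ "${1:-}" = "--run" ]; then preflight; fi
```

Run it as root on the prospective Node with the `--run` argument; no output and exit status 0 mean all four checks passed.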
Websocket Protocol#
The WebSocket protocol is used by the Chats component. In case your infrastructure lies behind an application firewall or any firewall featuring DPI, you need to explicitly allow WebSocket packets on port 443, otherwise they will be blocked. Indeed, these firewalls can recognise the type of packets or the application that generated them and would allow only HTTPS traffic on port 443: everything else would be blocked.
Additionally, the certificate that you use for your Carbonio infrastructure must be configured to use WebSockets.
Firewall Ports#
Carbonio employs SSL/TLS for the communication, and to operate properly, it is necessary to allow network communication on specific ports.
The Nodes should be able to communicate with the other Nodes through a dedicated network. The ports listed in the Internal Connections must be forwarded on all nodes, while those in the External Connections should be forwarded only on the node on which the corresponding Component is installed. For example, port 443 should be forwarded only on the node hosting the Proxy Component.
Furthermore, ports in Internal and External connections are grouped according to the Component that requires them, so all ports listed in a table must be forwarded only on the Node on which the Component is installed.
Carbonio requires no specific ports to communicate with the Internet (outgoing traffic), unless you want push notifications to be sent to mobile devices. In this case, the Node installing the Mailstore & Provisioning Component must be able to communicate with the URL https://notifications.zextras.com/firebase/ on port 443.
External Connections#
These ports must be forwarded to the Node installing each Component, to allow communication with remote services on the Internet.
Port | Protocol | Service |
---|---|---|
25 | TCP | Postfix incoming mail |
465 | TCP | Message Submission over TLS protocol |
587 | TCP | Port for SMTP authenticated relay, requires STARTTLS (or opportunistic SSL/TLS) |
Warning
These ports should be exposed only if really needed, and preferably only accessible from a VPN tunnel, if possible, to reduce the attack surface.
Port | Protocol | Service |
---|---|---|
80 | TCP | unsecured connection to the Carbonio web client |
110 | TCP | external POP3 services |
143 | TCP | external IMAP services |
443 | TCP | secure connection to the Carbonio web client |
443 | TCP | WebSocket protocol [1] |
993 | TCP | external IMAP secure access |
995 | TCP | external POP3 secure access |
6071 | TCP | secure access to the Admin Panel |
8636 | TCP | access to LDAP address books |
5222 | TCP | Message Dispatcher, required by the Chats Component |
Warning
The IMAP, POP3, and 6071 ports should be exposed only if really needed, and preferably only accessible from a VPN tunnel, if possible, to reduce the attack surface.
Port | Protocol | Service |
---|---|---|
20000-40000 | UDP | Client connections for the audio and video streams |
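The exposure rules stated on this page (Admin Panel and SSH only via VPN, POP3/IMAP only if needed, everything in Internal Connections kept off the Internet) can be checked against the list of ports actually forwarded from the public IP. The script below is an added example, not Carbonio tooling; the class names, the "proto port" input format and the sample forwards are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit Internet-facing port forwards against the tables above.

# Print the exposure class of one forward: $1 = tcp|udp, $2 = port number.
# Class names are this example's own labels, not Carbonio terminology.
classify_forward() {
    case "$1/$2" in
        tcp/22|tcp/6071) echo vpn-only ;;                  # SSH, Admin Panel
        tcp/110|tcp/143|tcp/993|tcp/995) echo if-needed ;; # POP3 and IMAP
        tcp/25|tcp/465|tcp/587|tcp/80|tcp/443|tcp/8636|tcp/5222) echo external ;;
        udp/*)  # audio and video streams use UDP 20000-40000
            if [ "$2" -ge 20000 ] && [ "$2" -le 40000 ]; then echo external
            else echo internal; fi ;;
        *) echo internal ;;   # Internal Connections tables or unlisted
    esac
}

# Read "proto port" lines on stdin and print a finding for each forward that
# is not a plain external service. Returns 1 if a vpn-only or internal port
# is exposed, 0 otherwise.
audit_forwards() {
    rc=0
    while read -r proto port; do
        case "$proto" in ''|'#'*) continue ;; esac
        class=$(classify_forward "$proto" "$port")
        case "$class" in
            vpn-only|internal) echo "VIOLATION $proto/$port ($class)"; rc=1 ;;
            if-needed) echo "REVIEW $proto/$port ($class)" ;;
        esac
    done
    return "$rc"
}

# Constructed sample: forwards configured on a hypothetical edge firewall.
sample_forwards() {
    printf '%s\n' 'tcp 25' 'tcp 443' 'tcp 993' 'tcp 6071' 'tcp 7071' 'udp 20500'
}

sample_forwards | audit_forwards || true
```

Feed it the forwards exported from your own edge firewall, one "proto port" pair per line, and treat a non-zero exit status as a failed review.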
Internal Connections#
Traffic to these ports must be allowed on the Nodes where the corresponding Component is installed, for a proper communication among Carbonio’s internal services.
Port | Protocol | Service |
---|---|---|
22 | TCP | SSH access |
8301 | TCP and UDP | management of Gossip protocol [2] in the LAN |
9100 | TCP | Carbonio Monitoring Node exporter |
9256 | TCP | Carbonio Monitoring Process exporter |
[2] The Gossip protocol is an encrypted communication protocol used by Carbonio Mesh for message broadcasting and membership management.
Port | Protocol | Service |
---|---|---|
5432 | TCP | Postgres access |
9187 | TCP | Postgres data export to Carbonio Monitoring |

Port | Protocol | Service |
---|---|---|
389 | TCP | unsecure LDAP connection |
636 | TCP | secure LDAP connection |
9330 | TCP | LDAP data export to Carbonio Monitoring |

Port | Protocol | Service |
---|---|---|
25 | TCP | Postfix incoming mail |
465 | TCP | Message Submission over TLS protocol |
587 | TCP | Port for SMTP authenticated relay, requires STARTTLS (or opportunistic SSL/TLS) |
7026 | TCP | bind address of the Milter service |
9810 | TCP | MTA data export to Carbonio Monitoring |

Port | Protocol | Service |
---|---|---|
7025 | TCP | local mail exchange using the LMTP protocol |
7071 | TCP | Port for SOAP services communication |
7072 | TCP | NGINX discovery and authentication |
7073 | TCP | SASL discovery and authentication |
7110 | TCP | internal POP3 services |
7143 | TCP | internal IMAP services |
7993 | TCP | internal IMAP secure access |
7995 | TCP | internal POP3 secure access |
8080 | TCP | internal HTTP services access |
8735 | TCP | Internal mailbox mailbox communication |
8742 | TCP | internal HTTP services, advanced module |
8743 | TCP | internal HTTPS services, advanced module |
9330 | TCP | MySQL data export to Carbonio Monitoring |

Port | Protocol | Service |
---|---|---|
8188 | TCP | Internal connection |
8090 | TCP | Servlet communication |

Port | Protocol | Service |
---|---|---|
9113 | TCP | nginx data export to Carbonio Monitoring |
11211 | TCP | memcached access |

Port | Protocol | Service |
---|---|---|
8300 | TCP | management of incoming requests from other agents |
8302 | TCP and UDP | management of Gossip protocol [4] in the WAN |
8600 | TCP and UDP | DNS service for Carbonio Mesh |
9107 | TCP | Carbonio Mesh data export to Carbonio Monitoring |
15692 | TCP | RabbitMQ data export to Carbonio Monitoring |
20000-21255 | TCP | range for registration ports for sidecar services (automatically assigned) |
[4] The Gossip protocol is an encrypted communication protocol used by Carbonio Mesh for message broadcasting and membership management.
Port | Protocol | Service |
---|---|---|
9090 | TCP | prometheus |
9090 | TCP | prometheus SSH |