Installing Zextras Carbonio

This time I will try installing Zextras Carbonio Community Edition.
In this tutorial I am using Ubuntu 22.04.

Here I am using:
– Domain: warscloud.online
– IP: 103.152.233.108

Pre Configuration

Point the MX and A records

Don't forget the reverse record for the domain as well (PTR)

Run update & upgrade

sudo apt update && sudo apt upgrade -y

Set hostname (FQDN)

sudo hostnamectl set-hostname mail.warscloud.online

Configure /etc/hosts

sudo nano /etc/hosts

So that it looks like this

127.0.0.1 localhost
103.152.233.108         mail.warscloud.online           mail

Run a check

dig mx warscloud.online

Output

; <<>> DiG 9.18.28-0ubuntu0.22.04.1-Ubuntu <<>> mx warscloud.online
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41637
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;warscloud.online.              IN      MX

;; ANSWER SECTION:
warscloud.online.       120     IN      MX      0 mail.warscloud.online.

;; Query time: 27 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Sat Aug 24 15:47:09 UTC 2024
;; MSG SIZE  rcvd: 66

PTR check

nslookup 103.152.233.108

Output

108.233.152.103.in-addr.arpa    name = mail.warscloud.online.

Reboot/Restart

sudo reboot now

Repository Installation

Fill in the form at the following link to get the repository link from Zextras; the script that adds the repo will then be sent by Zextras via email

https://zextras.com/carbonio-community-edition#discoverproduct

Install it according to the instructions in the email from Zextras

Installation

Download the installation script

wget https://docs.zextras.com/carbonio-ce/html/_downloads/bed211d6fc1b9ca35f15be01eb9aa3fc/install_carbonio_ce_singleserver_ubuntu.sh

Grant execute permission

sudo chmod +x install_carbonio_ce_singleserver_ubuntu.sh

Run the installation script

sudo ./install_carbonio_ce_singleserver_ubuntu.sh

The installation process will then run; wait until the following screen appears

Enter the public IP

When the installation has finished, a screen like this appears

Save and note down the password

Post Configuration

Set the Zextras admin password. Whereas in Zimbra the admin account is [email protected], in Zextras Carbonio the admin account is [email protected]

Use the root user

su - zextras
zmprov setpassword [email protected] PasswordBaru

Open the webmail page

https://mail.namadomain.com
or
https://IPADDRESS

Open the web admin page

https://mail.namadomain.com:6071
or
https://IPADDRESS:6071

Install Let's Encrypt SSL

Install certbot using snap

sudo snap install --classic certbot

Create a symlink to the certbot binary

sudo ln -s /snap/bin/certbot /usr/bin/certbot

Check that certbot can now be used

certbot --version

Generate Certificate

certbot certonly --key-type rsa --preferred-chain "ISRG Root X1" -d mail.warscloud.online

Several questions will then appear, as follows

Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Runs an HTTP server locally which serves the necessary validation files under
the /.well-known/acme-challenge/ request path. Suitable if there is no HTTP
server already running. HTTP challenge only (wildcards not supported).
(standalone)
2: Saves the necessary validation files to a .well-known/acme-challenge/
directory within the nominated webroot path. A seperate HTTP server must be
running and serving files from the webroot path. HTTP challenge only (wildcards
not supported). (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): [email protected]

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf. You must agree in
order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: n
Account registered.
Requesting a certificate for mail.warscloud.online

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/mail.warscloud.online/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/mail.warscloud.online/privkey.pem
This certificate expires on 2024-11-23.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Prepare the SSL Deployment

cp /etc/letsencrypt/live/mail.warscloud.online/privkey.pem /opt/zextras/ssl/carbonio/commercial/commercial.key
cp /etc/letsencrypt/live/mail.warscloud.online/cert.pem /tmp
cp /etc/letsencrypt/live/mail.warscloud.online/chain.pem /tmp
wget -O /tmp/ISRG-X1.pem https://letsencrypt.org/certs/isrgrootx1.pem.txt
cat /tmp/ISRG-X1.pem >> /tmp/chain.pem
chown zextras:zextras /opt/zextras/ssl/carbonio/commercial/commercial.key

Verify SSL

su - zextras -c 'zmcertmgr verifycrt comm /opt/zextras/ssl/carbonio/commercial/commercial.key /tmp/cert.pem /tmp/chain.pem'

Output

** Verifying '/tmp/cert.pem' against '/opt/zextras/ssl/carbonio/commercial/commercial.key'
Certificate '/tmp/cert.pem' and private key '/opt/zextras/ssl/carbonio/commercial/commercial.key' match.
** Verifying '/tmp/cert.pem' against '/tmp/chain.pem'
Valid certificate chain: /tmp/cert.pem: OK

Make sure the final result is OK, then you can continue and deploy the SSL certificate

su - zextras -c 'zmcertmgr deploycrt comm /tmp/cert.pem /tmp/chain.pem'

Restart the Carbonio Services

su - zextras -c 'zmcontrol restart'

Check whether SSL has been installed successfully
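The copy, verify and deploy steps above only cover the certificate issued today; certbot renews the files under /etc/letsencrypt/live in the background, but Carbonio keeps serving its own copy. The following is an added example (not part of the original tutorial) of a certbot deploy hook that repeats the same steps after each renewal. The hook file name, the .prev backup file and the assumption that zmcertmgr exits non-zero on a failed verification are mine; RENEWED_LINEAGE is set by certbot.

```shell
#!/bin/sh
# Added example: save as /etc/letsencrypt/renewal-hooks/deploy/carbonio.sh
# (file name is an assumption) and make it executable. certbot runs deploy
# hooks as root with RENEWED_LINEAGE=/etc/letsencrypt/live/<name>.
set -u

CARBONIO_KEY=/opt/zextras/ssl/carbonio/commercial/commercial.key
ROOT_URL=https://letsencrypt.org/certs/isrgrootx1.pem.txt

# build_chain CHAIN ROOT OUT: append the ISRG root to the intermediate chain.
# Fails if either input is missing, empty or not a PEM certificate.
build_chain() {
    for f in "$1" "$2"; do
        grep -q -e '-----BEGIN CERTIFICATE-----' "$f" 2>/dev/null || return 1
    done
    cat "$1" "$2" > "$3"
}

deploy_to_carbonio() {
    live=$1
    work=$(mktemp -d) || return 1
    trap 'rm -rf "$work"' EXIT
    wget -q -O "$work/root.pem" "$ROOT_URL" || return 1
    build_chain "$live/chain.pem" "$work/root.pem" "$work/chain.pem" || return 1
    cp "$live/cert.pem" "$work/cert.pem" || return 1
    chmod -R a+rX "$work"        # public certs only; the zextras user must read them

    cp -p "$CARBONIO_KEY" "$CARBONIO_KEY.prev"     # old key, kept for rollback
    cp "$live/privkey.pem" "$CARBONIO_KEY" &&
        chown zextras:zextras "$CARBONIO_KEY" || return 1

    # Assumption: zmcertmgr exits non-zero when key, cert and chain do not match.
    if ! su - zextras -c "zmcertmgr verifycrt comm $CARBONIO_KEY $work/cert.pem $work/chain.pem"; then
        cp -p "$CARBONIO_KEY.prev" "$CARBONIO_KEY" # put the old key back
        return 1
    fi
    su - zextras -c "zmcertmgr deploycrt comm $work/cert.pem $work/chain.pem" || return 1
    su - zextras -c 'zmcontrol restart'
}

# Do nothing unless certbot called us after a successful renewal.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_to_carbonio "$RENEWED_LINEAGE"
fi
```

The key is rolled back when verification fails so that a bad renewal never leaves Carbonio with a private key that does not match the certificate it is still serving.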

Create SPF, DKIM, DMARC Records

SPF Record

You can use an SPF record that is specific to the mail server's IP

v=spf1 ip4:103.152.233.108 -all

Or add the include option if that domain/subdomain already has an SPF record as well

v=spf1 ip4:103.152.233.108 include:mail.warscloud.online include:warscloud.online -all

DKIM Record

Generate DKIM

su - zextras
/opt/zextras/libexec/zmdkimkeyutil -a -d warscloud.online -s carbonio

The -s option is used to choose the selector; without the -s option, one is generated randomly

Output

DKIM Data added to LDAP for domain warscloud.online with selector carbonio
Public signature to enter into DNS:
carbonio._domainkey     IN      TXT     ( "v=DKIM1; k=rsa; "
          "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsPyMHiRX+lOIIS8b5Ppkyd/PHoCpXk+KsxJGnf2pnER5+dERluK9Z5zikFhDCVEMi8cRM60KzrDdcrHUGEYrKpKM+VyZ4TDEy039ywv7SuGTHDa93OWwM4oBcn1wL1CedskuIpyIcnZIoFHAj2S/l58Qv4MEzQLTlWaPCOMMvENR50XyxX9FFhbZ38kLIycfjU5rKh5jVZ6oBl"
          "6kUe/CFxbUHC+OK+U40CFCx+BP+sC18a6AewduqjRzYp8fp+shRMnQCyAt4qCT1uSgRwNQHdhC6FqoFnOJqnaMlvuvfABAqA9u8dw0/pPQ1dwg3livYK47LV/9yojHdx7GN0b1CQIDAQAB" )  ; ----- DKIM key carbonio for warscloud.online

Run the following command to query the DKIM data that has been generated

/opt/zextras/libexec/zmdkimkeyutil -q -d warscloud.online

The output contains the private key and the DKIM record

DKIM Domain:
warscloud.online

DKIM Selector:
carbonio

DKIM Private Key:
-----BEGIN RSA PRIVATE KEY-----
[private key omitted]
-----END RSA PRIVATE KEY-----

DKIM Public signature:
carbonio._domainkey     IN      TXT     ( "v=DKIM1; k=rsa; "
          "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsPyMHiRX+lOIIS8b5Ppkyd/PHoCpXk+KsxJGnf2pnER5+dERluK9Z5zikFhDCVEMi8cRM60KzrDdcrHUGEYrKpKM+VyZ4TDEy039ywv7SuGTHDa93OWwM4oBcn1wL1CedskuIpyIcnZIoFHAj2S/l58Qv4MEzQLTlWaPCOMMvENR50XyxX9FFhbZ38kLIycfjU5rKh5jVZ6oBl"
          "6kUe/CFxbUHC+OK+U40CFCx+BP+sC18a6AewduqjRzYp8fp+shRMnQCyAt4qCT1uSgRwNQHdhC6FqoFnOJqnaMlvuvfABAqA9u8dw0/pPQ1dwg3livYK47LV/9yojHdx7GN0b1CQIDAQAB" )  ; ----- DKIM key carbonio for warscloud.online

DKIM Identity:
warscloud.online

Look at the DKIM Public signature section:

Copy everything inside the () parentheses, starting from "v=DKIM1; k=rsa; up to CQIDAQAB", and paste it into a text editor such as Visual Studio Code or Notepad
Remove all " quotation marks and the spaces in the key record, that is, after p=, so that it becomes a single line

So that it looks like this

v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsPyMHiRX+lOIIS8b5Ppkyd/PHoCpXk+KsxJGnf2pnER5+dERluK9Z5zikFhDCVEMi8cRM60KzrDdcrHUGEYrKpKM+VyZ4TDEy039ywv7SuGTHDa93OWwM4oBcn1wL1CedskuIpyIcnZIoFHAj2S/l58Qv4MEzQLTlWaPCOMMvENR50XyxX9FFhbZ38kLIycfjU5rKh5jVZ6oBl6kUe/CFxbUHC+OK+U40CFCx+BP+sC18a6AewduqjRzYp8fp+shRMnQCyAt4qCT1uSgRwNQHdhC6FqoFnOJqnaMlvuvfABAqA9u8dw0/pPQ1dwg3livYK47LV/9yojHdx7GN0b1CQIDAQAB
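The manual copy, strip and join steps above can also be done in the shell. This is an added example, not part of the original tutorial; the function names are mine and the sample output is constructed with a placeholder domain and key, so pipe the real zmdkimkeyutil output into dkim_flatten instead.

```shell
#!/bin/sh
# Added example: flatten the multi-line "DKIM Public signature" printed by
# zmdkimkeyutil into the one-line TXT value, then sanity-check the result.

# Constructed sample output; the domain and key are placeholders, not real.
sample_output() {
cat <<'EOF'
DKIM Data added to LDAP for domain example.test with selector carbonio
Public signature to enter into DNS:
carbonio._domainkey     IN      TXT     ( "v=DKIM1; k=rsa; "
          "p=QUJDREVGR0hJSktM"
          "TU5PUFFSU1RVVldY" )  ; ----- DKIM key carbonio for example.test
EOF
}

# dkim_flatten: zmdkimkeyutil output on stdin, single-line record on stdout.
dkim_flatten() {
    sed -n '/_domainkey/,/)/p' |   # only the record, from its name to ")"
    grep -o '"[^"]*"' |            # each quoted chunk; the trailing comment is dropped
    tr -d '"\n'                    # strip the quotes and join the chunks
    echo
}

# dkim_record_ok RECORD: succeeds only if the record starts with v=DKIM1 and
# the p= value is non-empty and pure base64 (no leftover quote or space).
dkim_record_ok() {
    rec=$1
    case $rec in
        "v=DKIM1;"*"p="*) ;;
        *) return 1 ;;
    esac
    key=${rec#*p=}
    [ -n "$key" ] || return 1
    case $key in
        *[!A-Za-z0-9+/=]*) return 1 ;;
    esac
    return 0
}

# Stand-alone run on the constructed sample.
rec=$(sample_output | dkim_flatten)
dkim_record_ok "$rec" && printf '%s\n' "$rec"
```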

Copy it and create the record in DNS so that it looks like the following, and also adjust the selector to match the one we defined above

Check that the DKIM record is written correctly and is valid using the site https://dkimcore.org/tools/

Paste the Key Record and click Check. If it is valid, the result will look like the following

DMARC Record

A DMARC record is a record that determines alignment, reporting, and the action to take
Below are example DMARC records in Strict and Relaxed mode.

Relaxed

v=DMARC1; p=quarantine; rua=mailto:[email protected]; ruf=mailto:[email protected]; sp=quarantine; adkim=r; aspf=r; pct=100

Strict

v=DMARC1; p=reject; rua=mailto:[email protected]; adkim=s; aspf=s;

Use only one of them. For the meaning of the parameters in the DMARC record, you can search Google or ask ChatGPT

In this example I will use the Strict DMARC record

Create the email account [email protected], since we defined it in the DMARC record, so that reports from remote mail servers will be delivered to that mailbox.

Try sending an email between users on the same server (Internal Server)

In this example I will send an email from the account [email protected] to [email protected]

Troubleshoot

Mail Queue Not Displayed After Changing the SSH Port

After changing the SSH port, when we open the MTA menu the mail queue does not list our mail server, and when we click restart scan a red notification appears but gives no details

To fix it, follow these steps

su - zextras
zmprov ms $(hostname -f) zimbraRemoteManagementPort 222

Replace the port highlighted in orange (222 in the command above) with the port currently in use

Refresh the Carbonio admin page or log out and log back in

The end result is that the MTA mail queue is back to normal

Sources/references:
https://imanudin.com/2024/05/29/instalasi-zextras-carbonio-community-edition-ce-pada-ubuntu-22-04/

https://saad.web.id/2024/01/install-ssl-certificate-lets-encrypt-di-carbonio-ce/

https://imanudin.com/2023/07/10/zextras-carbonio-community-edition-ce-panduan-konfigurasi-dkim/

https://imanudin.com/2023/07/17/zextras-carbonio-community-edition-ce-panduan-konfigurasi-dmarc-domain-based-message-authentication-reporting-and-conformance/