Understanding Carbonio CE Email Account Status | Carbonio CE

In this article, we will understand different status of an email account in Carbonio CE. Therefore, we will look into some important questions related to this topic. The questions are:

1. List Of The Status
2. Understanding Status behavior
3. Manage Account Status

List Of The Status

Currently there are five available status that can be applied on any email account. They are:

1. active
2. maintenance
3. locked
4. closed
5. lockout
6. pending

You can enforce these status on an account from both GUI and CLI.

Understanding Status Behavior

Now we will go through some details that will help us to understand the behavior of a status.

active

The main purpose of creating of an account is to be able to send/receive emails on behalf of the respective domain. Therefore, it is the default status assigned to an account after it is being created.

zextras@mail:~$ carbonio prov ca stefania@example.com 123456
3374c439-1873-4af5-9359-89b33cfc5662
zextras@mail:~$

Let’s take a look at the admin panel:

As you can see, if we do not manually set any status during an email account creation the newly created account gets the active status by default.

In this mode, an account is being able to perform all of it’s activities properly. Emails destined to the user that has active status will be delivered to that user’s inbox. The user will also be able to login to their account and access the emails via webmail.

maintenance

Whenever the status of an email account is set as maintenance, the respective user will not be able to login to their mailbox via webmail.

During the login attempt, user will get a notification like this:

But any email destined to this user will be queued by the MTA. As soon as the email account becomes active again, the queued emails destined for this user will be delivered to its mailbox.

zextras@mail:~$ mailq
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
6DD5B202004    2325 Wed Dec 21 13:17:51  zextras@example.com
(host mail.example.com[192.168.1.192] said: 450 4.2.1 Mailbox disabled, not accepting messages (in reply to RCPT TO command))
                                         test4@example.com

-- 2 Kbytes in 1 Request.
zextras@mail:~$

Now, normally an email account is set to maintenance mode by the system administrator when they perform data backup/restore on that account. An account can also be set to maintenance mode during old to new server migration. There can be some other exceptional cases when you may find the maintenance mode useful.

locked

Whenever an email account is set to locked status, the user will be unable to login into the respective account. But any email destined to that email address will be delivered to that account’s mailbox.

After sending a test email to the locked account, we found that the email is successfully delivered to it’s mailbox.

zextras@mail:~$ grep test3 /var/log/carbonio.log
Dec 21 14:43:10 mail amavis[1582658]: (1582658-01) gxjc5XOYww9t FWD from <zextras@example.com> -> <test3@example.com>, BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as EE8E620200D
Dec 21 14:43:10 mail amavis[1582658]: (1582658-01) Passed CLEAN {RelayedInternal}, ORIGINATING_POST/MYNETS LOCAL [127.0.0.1]:46766 <zextras@example.com> -> <test3@example.com>, Queue-ID: 2B5DA20200E, Message-ID: <798672650.210.1671633789506.JavaMail.zextras@example.com>, mail_id: gxjc5XOYww9t, Hits: -0.999, size: 1758, queued_as: EE8E620200D, 725 ms
Dec 21 14:43:10 mail postfix/smtp[2259063]: 2B5DA20200E: to=<test3@example.com>, relay=127.0.0.1[127.0.0.1]:10032, delay=0.81, delays=0.07/0.01/0.01/0.72, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as EE8E620200D)
Dec 21 14:43:14 mail postfix/lmtp[2259069]: EE8E620200D: to=<test3@example.com>, relay=mail.example.com[192.168.1.192]:7025, delay=4, delays=0/0.01/0.01/4, dsn=2.1.5, status=sent (250 2.1.5 Delivery OK)

Meanwhile, during the locked phase if the user tries to login into their webmail they will encounter credentials issue. As soon as the account is unlocked and set to active mode, the user again will be able to login into their email account via webmail.

Now from my experience, I have seen that for several reasons the status of an email address can be set to locked. From system admins point of view, if any account becomes compromised/hacked then system admin can locked that account. Also, system admin can temporarily restrict users from logging into their email account by settings it’s status as locked due to various reasons including legal, audit, financial etc. while keeping the incoming emails to that address ON.

closed

If the status of an email account is set as closed, then the user of that respective account will not be able to login into their webmail.

Also all emails destined to that closed email address will be bounced back to the sender.

zextras@mail:~$ grep test2 /var/log/carbonio.log
Dec 22 12:31:58 mail postfix/smtpd[11847]: NOQUEUE: filter: RCPT from localhost[127.0.0.1]: <zextras@example.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<zextras@example.com> to=<test2@example.com> proto=ESMTP helo=<mail.example.com>
Dec 22 12:31:58 mail amavis[10315]: (10315-01) ESMTP [127.0.0.1]:10026 /opt/zextras/data/amavisd/tmp/amavis-20221222T123158-10315-tZDYfSbq: <zextras@example.com> -> <test2@example.com> Received: from mail.example.com ([127.0.0.1]) by localhost (mail.example.com [127.0.0.1]) (amavisd-new, port 10026) with ESMTP for <test2@example.com>; Thu, 22 Dec 2022 12:31:58 +0000 (UTC)
Dec 22 12:31:58 mail amavis[10315]: (10315-01) Checking: fCW3wIZ9mkcr ORIGINATING/MYNETS [127.0.0.1] <zextras@example.com> -> <test2@example.com>
Dec 22 12:31:59 mail amavis[10315]: (10315-01) fCW3wIZ9mkcr FWD from <zextras@example.com> -> <test2@example.com>, BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10030): 250 2.0.0 Ok: queued as 2783220200E
Dec 22 12:31:59 mail amavis[10315]: (10315-01) Passed CLEAN {RelayedInternal}, ORIGINATING/MYNETS LOCAL [127.0.0.1]:40110 <zextras@example.com> -> <test2@example.com>, Queue-ID: CC0F720200D, Message-ID: <191282559.23.1671712318573.JavaMail.zextras@example.com>, mail_id: fCW3wIZ9mkcr, Hits: -, size: 1335, queued_as: 2783220200E, 297 ms
Dec 22 12:31:59 mail postfix/smtp[17192]: CC0F720200D: to=<test2@example.com>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.45, delays=0.14/0.01/0.01/0.29, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10030): 250 2.0.0 Ok: queued as 2783220200E)
Dec 22 12:31:59 mail amavis[10316]: (10316-01) ESMTP [127.0.0.1]:10032 /opt/zextras/data/amavisd/tmp/amavis-20221222T123159-10316-mgTeHmf8: <zextras@example.com> -> <test2@example.com> SIZE=1802 Received: from mail.example.com ([127.0.0.1]) by localhost (mail.example.com [127.0.0.1]) (amavisd-new, port 10032) with ESMTP for <test2@example.com>; Thu, 22 Dec 2022 12:31:59 +0000 (UTC)
Dec 22 12:31:59 mail amavis[10316]: (10316-01) Checking: V2RELDzXQciE ORIGINATING_POST/MYNETS [127.0.0.1] <zextras@example.com> -> <test2@example.com>
Dec 22 12:31:59 mail amavis[10316]: (10316-01) V2RELDzXQciE FWD from <zextras@example.com> -> <test2@example.com>, BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as CB24F20200D
Dec 22 12:31:59 mail amavis[10316]: (10316-01) Passed CLEAN {RelayedInternal}, ORIGINATING_POST/MYNETS LOCAL [127.0.0.1]:43220 <zextras@example.com> -> <test2@example.com>, Queue-ID: 2783220200E, Message-ID: <191282559.23.1671712318573.JavaMail.zextras@example.com>, mail_id: V2RELDzXQciE, Hits: -0.999, size: 1766, queued_as: CB24F20200D, 664 ms
Dec 22 12:31:59 mail postfix/smtp[17192]: 2783220200E: to=<test2@example.com>, relay=127.0.0.1[127.0.0.1]:10032, delay=0.68, delays=0.01/0.01/0.01/0.66, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as CB24F20200D)
Dec 22 12:31:59 mail postfix/error[17199]: CB24F20200D: to=<test2@example.com>, relay=none, delay=0.03, delays=0/0.02/0/0, dsn=5.0.0, status=bounced (example.com)

As from last line of the log we can see an email from zextras@example.com to test2@example.com is bounced. And if we further search(grep) the log using the id(CB24F20200D), we can see that a non-delivery notification is generated.

zextras@mail:~$ grep CB24F20200D /var/log/carbonio.log
Dec 22 12:31:59 mail postfix/amavisd/smtpd[17198]: CB24F20200D: client=localhost[127.0.0.1]
Dec 22 12:31:59 mail postfix/cleanup[17191]: CB24F20200D: message-id=<191282559.23.1671712318573.JavaMail.zextras@example.com>
Dec 22 12:31:59 mail postfix/qmgr[10724]: CB24F20200D: from=<zextras@example.com>, size=2332, nrcpt=1 (queue active)
Dec 22 12:31:59 mail amavis[10316]: (10316-01) V2RELDzXQciE FWD from <zextras@example.com> -> <test2@example.com>, BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as CB24F20200D
Dec 22 12:31:59 mail amavis[10316]: (10316-01) Passed CLEAN {RelayedInternal}, ORIGINATING_POST/MYNETS LOCAL [127.0.0.1]:43220 <zextras@example.com> -> <test2@example.com>, Queue-ID: 2783220200E, Message-ID: <191282559.23.1671712318573.JavaMail.zextras@example.com>, mail_id: V2RELDzXQciE, Hits: -0.999, size: 1766, queued_as: CB24F20200D, 664 ms
Dec 22 12:31:59 mail postfix/smtp[17192]: 2783220200E: to=<test2@example.com>, relay=127.0.0.1[127.0.0.1]:10032, delay=0.68, delays=0.01/0.01/0.01/0.66, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as CB24F20200D)
Dec 22 12:31:59 mail postfix/error[17199]: CB24F20200D: to=<test2@example.com>, relay=none, delay=0.03, delays=0/0.02/0/0, dsn=5.0.0, status=bounced (example.com)
Dec 22 12:31:59 mail postfix/bounce[17200]: CB24F20200D: sender non-delivery notification: D215B202011
Dec 22 12:31:59 mail postfix/qmgr[10724]: CB24F20200D: removed
zextras@mail:~$

if we further search(grep) the log using the id(D215B202011) associated with non-delivery notification, we can see that the non-delivery notification is sent to the sender.

zextras@mail:~$ grep D215B202011 /var/log/carbonio.log
Dec 22 12:31:59 mail postfix/cleanup[17191]: D215B202011: message-id=<20221222123159.D215B202011@mail.example.com>
Dec 22 12:31:59 mail postfix/qmgr[10724]: D215B202011: from=<>, size=4112, nrcpt=1 (queue active)
Dec 22 12:31:59 mail postfix/bounce[17200]: CB24F20200D: sender non-delivery notification: D215B202011
Dec 22 12:32:00 mail postfix/lmtp[17201]: D215B202011: to=<zextras@example.com>, relay=mail.example.com[192.168.1.192]:7025, delay=0.27, delays=0/0.01/0.23/0.03, dsn=2.1.5, status=sent (250 2.1.5 Delivery OK)
Dec 22 12:32:00 mail postfix/qmgr[10724]: D215B202011: removed
zextras@mail:~$

It is also used as a soft delete of an account before the account is completely removed from the server. But as long as an account is marked as a closed account, it will be counted and reflected in the total account status of the server.

lockout

This status is implied on an account if the user exceeds the max number of failed login attempts that is allowed in the accounts configuration or mentioned in the COS which configuration is inherited by the account.

Let me simplify the scenario:

[From /opt/zextras/log/audit.log]
2022-12-22 18:44:09,694 WARN  [qtp667447085-2241://192.168.1.192/service/soap/AuthRequest] [name=test3@example.com;ip=192.168.1.192;oip=192.168.1.5;port=34610;soapId=6af110cb;] security - cmd=Auth; account=test3@example.com; protocol=soap; error=authentication failed for [test3], invalid password;
2022-12-22 18:44:10,680 WARN  [qtp667447085-2267://192.168.1.192/service/soap/AuthRequest] [name=test3@example.com;ip=192.168.1.192;oip=192.168.1.5;port=34616;soapId=6af110cc;] security - cmd=Auth; account=test3@example.com; protocol=soap; error=authentication failed for [test3], invalid password;
2022-12-22 18:44:11,638 WARN  [qtp667447085-2241://192.168.1.192/service/soap/AuthRequest] [name=test3@example.com;ip=192.168.1.192;oip=192.168.1.5;port=34618;soapId=6af110cd;] security - cmd=Auth; account=test3@example.com; protocol=soap; error=authentication failed for [test3], invalid password;
2022-12-22 18:44:12,498 WARN  [qtp667447085-2267://192.168.1.192/service/soap/AuthRequest] [name=test3@example.com;ip=192.168.1.192;oip=192.168.1.5;port=34626;soapId=6af110ce;] security - cmd=Auth; account=test3@example.com; protocol=soap; error=authentication failed for [test3], invalid password;
2022-12-22 18:44:13,421 WARN  [qtp667447085-2267://192.168.1.192/service/soap/AuthRequest] [name=test3@example.com;ip=192.168.1.192;oip=192.168.1.5;port=34642;soapId=6af110cf;] security - cmd=Auth; account=test3@example.com; protocol=soap; error=authentication failed for [test3], invalid password;
2022-12-22 18:44:14,311 WARN  [qtp667447085-2241://192.168.1.192/service/soap/AuthRequest] [name=test3@example.com;ip=192.168.1.192;oip=192.168.1.5;port=34650;soapId=6af110d0;] security - cmd=Auth; account=test3@example.com; protocol=soap; error=authentication failed for [test3], invalid password;
2022-12-22 18:44:15,260 WARN  [qtp667447085-2267://192.168.1.192/service/soap/AuthRequest] [name=test3@example.com;ip=192.168.1.192;oip=192.168.1.5;port=34654;soapId=6af110d1;] security - cmd=Auth; account=test3@example.com; protocol=soap; error=authentication failed for [test3], invalid password;
2022-12-22 18:44:16,128 WARN  [qtp667447085-2241://192.168.1.192/service/soap/AuthRequest] [name=test3@example.com;ip=192.168.1.192;oip=192.168.1.5;port=48306;soapId=6af110d2;] security - cmd=Auth; account=test3@example.com; protocol=soap; error=authentication failed for [test3], invalid password;
2022-12-22 18:44:16,961 WARN  [qtp667447085-2267://192.168.1.192/service/soap/AuthRequest] [name=test3@example.com;ip=192.168.1.192;oip=192.168.1.5;port=48316;soapId=6af110d3;] security - cmd=Auth; account=test3@example.com; protocol=soap; error=authentication failed for [test3], invalid password;
2022-12-22 18:44:17,771 INFO  [qtp667447085-2241://192.168.1.192/service/soap/AuthRequest] [name=test3@example.com;ip=192.168.1.192;oip=192.168.1.5;port=48332;soapId=6af110d4;] security - cmd=Auth; account=test3@example.com; error=account lockout due to too many failed logins;

From the last line we can see, the account has been lockout due to too many failed logins.

We tried to put 11 consecutive wrong/invalid credentials during the login attempts for account test3@example.com to violate the default value(10).

During the 11th time, we found this error.

So now the user can not login to the webmail until the account status is manually set to active or the lockout duration exceeds the default value which is 1 hour.

All the policies related to lockout we have mentioned above will not be applied to an account if password lockout policy is set to TRUE. By default it is set to FALSE.

But during this time all incoming emails destined to this email address will be delivered to it’s mailbox.

pending

The status pending is set to an email account when it is created by still not ready to be used.

We can see, pending@example.com email address is created and set to pending state. Therefore, the user will not be able to login into their webmail.

[From /opt/zextras/log/audit.log]
2022-12-22 20:21:37,861 WARN  [qtp667447085-2875://192.168.1.192/service/soap/AuthRequest] [name=pending@example.com;ip=192.168.1.192;oip=192.168.1.5;port=41682;soapId=6af110f2;] security - cmd=Auth; account=pending@example.com; protocol=soap; error=authentication failed for [pending], account(or domain) status is pending;

Also, any incoming email destined to this address will be bounced back to the sender address.

Dec 22 20:25:04 mail postfix/amavisd/smtpd[402211]: DA8B820200D: client=localhost[127.0.0.1]
Dec 22 20:25:04 mail postfix/cleanup[402199]: DA8B820200D: message-id=<1969396416.138.1671740703977.JavaMail.zextras@example.com>
Dec 22 20:25:04 mail postfix/qmgr[10724]: DA8B820200D: from=<zextras@example.com>, size=2337, nrcpt=1 (queue active)
Dec 22 20:25:04 mail amavis[10313]: (10313-01) Ymy7tuz1AoQ3 FWD from <zextras@example.com> -> <pending@example.com>, BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as DA8B820200D
Dec 22 20:25:04 mail amavis[10313]: (10313-01) Passed CLEAN {RelayedInternal}, ORIGINATING_POST/MYNETS LOCAL [127.0.0.1]:35548 <zextras@example.com> -> <pending@example.com>, Queue-ID: 32253202010, Message-ID: <1969396416.138.1671740703977.JavaMail.zextras@example.com>, mail_id: Ymy7tuz1AoQ3, Hits: -0.999, size: 1767, queued_as: DA8B820200D, 679 ms
Dec 22 20:25:04 mail postfix/smtp[402200]: 32253202010: to=<pending@example.com>, relay=127.0.0.1[127.0.0.1]:10032, delay=0.7, delays=0.01/0.01/0.01/0.67, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as DA8B820200D)
Dec 22 20:25:04 mail postfix/qmgr[10724]: 32253202010: removed
Dec 22 20:25:04 mail postfix/error[402212]: DA8B820200D: to=<pending@example.com>, relay=none, delay=0.02, delays=0/0.01/0/0.01, dsn=5.0.0, status=bounced (example.com)
Dec 22 20:25:04 mail postfix/cleanup[402199]: DEB7E202011: message-id=<20221222202504.DEB7E202011@mail.example.com>
Dec 22 20:25:04 mail postfix/bounce[402213]: DA8B820200D: sender non-delivery notification: DEB7E202011
Dec 22 20:25:04 mail postfix/qmgr[10724]: DEB7E202011: from=<>, size=4123, nrcpt=1 (queue active)
Dec 22 20:25:04 mail postfix/qmgr[10724]: DA8B820200D: removed
Dec 22 20:25:04 mail postfix/lmtp[402219]: DEB7E202011: to=<zextras@example.com>, relay=mail.example.com[192.168.1.192]:7025, delay=0.05, delays=0.01/0.01/0.01/0.02, dsn=2.1.5, status=sent (250 2.1.5 Delivery OK)
Dec 22 20:25:04 mail postfix/qmgr[10724]: DEB7E202011: removed

So we can see a test mail from zextras@example.com to pending@example.com is bounced back to the sender email address.

Manage Account Status

You can manage account status from both GUI and CLI. For GUI type management, you have to login into the Carbonio CE admin panel with the admin user. Then by clicking any email account, you can view/modify it’s current settings including the account status.

So that’s it.

😊