CentOS 7.x migrate CentOS 7.x postfix, dovecot, squirrelmail server

From Notes_Wiki


There is updated article on this at CentOS 8.x migrate CentOS 7.x postfix, dovecot, squirrelmail server

The following steps can be used for migrating a running mail server setup on CentOS 7.x, originally created using CentOS 7.x migrate CentOS 6.x postfix, dovecot, squirrelmail server, to another CentOS 7.x machine:

  1. Create a new VM/machine/server with necessary resources (Eg t2.micro) in appropriate region and availability zone.
  2. Add elastic (static public) IP to instance if not done already
  3. In Instance firewall allow ports (22, 25, 80, 443, 143, 993, 110, 995, 587, 465). Or apply security group settings from old server to new server (HTTP, HTTPS, POP3, POP3S, SMTP, SMTPS, IMAP, IMAPS, SSH, Ping)
  4. Create /etc/hosts entry for old-<fqdn> and new-<fqdn> servers (On local workstation)
  5. SSH to new-<fqdn> as centos user (On new server)
    1. sudo su -
    2. yum -y install vim
    3. Allow direct root login with AWS security key pair (155x)
    4. copy self public-key as authorized
    5. Add swap space using CentOS 7.x adding swap space using file
    6. Add history date/time recording using Storing date / time along with commands in history
    7. set hostname as new-<fqdn> in /etc/hostname
    8. hostname new-<fqdn>
    9. Set correct time zone CentOS 7.x Change system timezone
    10. exit from root and centos
  6. Now ssh directly as root user and proceed (On new server)
    1. If new disk is added for /home create required partition and file-system. Then mount the disk or partition on /home as desired
    2. Remember to add /etc/fstab entries for additional partitions or disks.
  7. Open ssh to root@old-<fqdn> (On old server)
    1. ssh-keygen
    2. Add /etc/hosts entry in old server for pointing to new server with name (eg new-<fqdn>)
  8. Copy keys from old server to new server as authorized
  9. On ssh to root@old-<fqdn> (On old server)
    1. Start copy of home folder which might take considerable time
      rsync -aHz --delete /home/ root@new-<fqdn>:/home/
  10. On root ssh (On new server)
    1. yum -y install httpd mod_ssl epel-release
    2. Install and configure firewalld using (refer CentOS 7.x firewalld)
      yum -y install firewalld
      #In /etc/sysconfig/network-scripts/ifcfg-eth0 append ZONE=public
      systemctl restart network
      systemctl restart firewalld
      systemctl enable firewalld
      firewall-cmd --zone=public --add-port=25/tcp --permanent #SMTP
      firewall-cmd --zone=public --add-port=80/tcp --permanent #HTTP
      firewall-cmd --zone=public --add-port=443/tcp --permanent #HTTPS
      firewall-cmd --zone=public --add-port=143/tcp --permanent #IMAP
      firewall-cmd --zone=public --add-port=993/tcp --permanent #IMAPS
      firewall-cmd --zone=public --add-port=110/tcp --permanent #POP3
      firewall-cmd --zone=public --add-port=995/tcp --permanent #POP3S
      firewall-cmd --zone=public --add-port=587/tcp --permanent #Submission
      firewall-cmd --zone=public --add-port=465/tcp --permanent #SMTPS
      firewall-cmd --reload
    3. TODO - Copy firewalld configuration from old server to new server
    4. Install and configure fail2ban by referring CentOS 7.x fail2ban
    5. If custom SSL certificates were used edit /etc/httpd/conf.d/ssl.conf with
      SSLCertificateFile /etc/httpd/conf/ssl.crt
      SSLCertificateKeyFile /etc/httpd/conf/ssl.key
      SSLCACertificateFile /etc/httpd/conf/ca-bundle.pem
      and copy corresponding files from old server to new server
  11. If the Installing lets-encrypt SSL certificate setup was used, then
    1. rsync /etc/letsencrypt/ from old server to new server (On old server)
    2. yum -y install python2-certbot-apache (On new server)
    3. crontab -l (On old server)
    4. Configure cron entries for automatic SSL renewal same as old server on new server using crontab -e (On new server)
  12. cat /etc/passwd on old server.
    1. Copy all lines for UID >=500 and append corresponding lines to /etc/passwd on new server.
    2. The number of lines should match 'ls -1 /home | grep -v lost | wc -l'
  13. Be watchful for IDs <500 which might appear in between (eg nscd, dovecot)
  14. Copy /etc/shadow lines of corresponding users from old server to new server
  15. Copy /etc/group lines of corresponding users from old server to new server
  16. Do ls -l /home and all user and group names should appear properly (On new server)
  17. Copy custom aliases from /etc/aliases to new server and update root alias appropriately
  18. On new server
    1. newaliases
    2. yum -y install logwatch postfix dovecot
    3. In /etc/hosts add new-<fqdn> <fqdn> against 127.0.0.1
    4. Also change all auth values from 1000 to 500 in various /etc/pam.d files, since the migrated users have UIDs starting at 500 rather than the CentOS 7.x default of 1000
      grep 1000 /etc/pam.d/*
      #update all files; in vim use :%s/1000/500/gc, or for all files at once:
      sed -i 's/1000/500/g' /etc/pam.d/*
    5. yum -y install wget squirrelmail
    6. Disable selinux (setenforce 0, edit /etc/sysconfig/selinux and set SELINUX=disabled)
  19. On old server
    1. rsync /etc/postfix to new-<fqdn>
    2. rsync /etc/dovecot to new-<fqdn>
    3. rsync /etc/httpd to new-<fqdn>
    4. rsync /etc/squirrelmail to new-<fqdn>
    5. rsync /var/www/html to new-<fqdn>
    6. rsync /etc/php.ini to new-<fqdn>
  20. On new server
    1. Start and enable services
      systemctl enable postfix
      systemctl start postfix
      systemctl status postfix
      systemctl start httpd
      systemctl status httpd
      systemctl enable httpd
      systemctl enable dovecot
      systemctl start dovecot
      systemctl status dovecot
  21. Add /etc/hosts entry for new server in laptop and try to open the new server with name and IP.
  22. Repeat /home/ rsync again after it finishes for a second sync
  23. ls -l /home on new server should recognize all usernames and groupnames properly
  24. During downtime on old server
    1. Stop httpd, dovecot and postfix
    2. Again sync /home
  25. Change production public DNS entries to point to new server. If organization has local private DNS, then perhaps that may also require changes.
  26. Check updated entries via public DNS servers after waiting for a minute or two
  27. Manually copy entries from /root/.ssh/authorized_keys of old server to new server
  28. Comment /etc/host entry in laptop after DNS entry has been changed
  29. systemctl restart postfix (On new server)
    Before the restart postfix listens only on 127.0.0.1:25; after it, with the copied configuration, it listens on 0.0.0.0:25
  30. Send test email from Gmail to server and wait for receiving email on new server
  31. Send test email from new server to gmail and wait for receiving email on Gmail account
  32. Stop old server and add reminder to terminate old server after a few days.
  33. Disassociate elastic IP or static IP of old server.
  34. Try to release it. Raise support ticket if AWS support is required to release the elastic IP.
  35. Fill AWS reverse entry form for new email server.
    1. For this first login into AWS account
    2. Then open https://aws.amazon.com/forms/ec2-email-limit-rdns-request
  36. Set hostname in /etc/hostname file (on new server)
  37. Use "hostname <fqdn>" command to set current hostname (on new server)
  38. CentOS 7.x Configure change password plugin for squirrelmail using poppassd
  39. ssh from backup machine to new server and ensure that the new server's SSH keys are recognized properly
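Steps 12 to 16 above copy the user accounts by hand. The script below is an added example, not part of the wiki page: it selects the old server's accounts by UID field rather than by line position (so system accounts such as nscd or dovecot that sit between user entries are skipped, as step 13 warns), pulls the matching /etc/shadow and /etc/group lines, and applies the "number of lines should match ls -1 /home" check from step 12. It assumes the old server's passwd, shadow and group files were copied to a staging directory; the account data inside it is constructed sample input.

```shell
#!/bin/sh
# Added example (not the wiki's own script). Picks local accounts out of copies of the
# old server's passwd/shadow/group by UID, and checks the count against /home.

# Passwd lines with UID in [min, 60000); the upper bound drops nfsnobody-style entries.
local_passwd() { awk -F: -v min="${2:-500}" '$3 >= min && $3 < 60000' "$1"; }

# Usernames of those accounts, one per line.
local_users() { local_passwd "$1" "${2:-500}" | cut -d: -f1; }

# Lines of a shadow or group file whose name field appears in the names file.
matching_lines() { awk -F: 'NR==FNR { want[$1] = 1; next } ($1 in want)' "$1" "$2"; }

# Home directory count, ignoring lost+found: 'ls -1 /home | grep -v lost | wc -l'.
home_count() { ls -1 "$1" | grep -v lost | wc -l | tr -d ' '; }

# Exit status 0 when extracted users == home directories, 1 otherwise.
counts_match() {
    [ "$(local_users "$1" | wc -l | tr -d ' ')" -eq "$(home_count "$2")" ]
}

# Write passwd.add, shadow.add and group.add, ready to append on the new server.
extract_accounts() {
    local_users "$1/passwd" > "$2/users.txt"
    local_passwd "$1/passwd" > "$2/passwd.add"
    matching_lines "$2/users.txt" "$1/shadow" > "$2/shadow.add"
    matching_lines "$2/users.txt" "$1/group" > "$2/group.add"
}

# Constructed sample of the old server's files, with system accounts between users.
SAMPLE_DIR=$(mktemp -d); OUT=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:500:500::/home/alice:/bin/bash
dovecot:x:97:97::/usr/libexec/dovecot:/sbin/nologin
bob:x:501:501::/home/bob:/bin/bash
nscd:x:28:28::/:/sbin/nologin
carol:x:502:502::/home/carol:/bin/bash
nfsnobody:x:65534:65534::/var/lib/nfs:/sbin/nologin
EOF
printf '%s\n' 'root:*:17000:0:99999:7:::' 'alice:$6$EXAMPLE:17000:0:99999:7:::' \
  'dovecot:!!:17000::::::' 'bob:$6$EXAMPLE:17000:0:99999:7:::' \
  'carol:$6$EXAMPLE:17000:0:99999:7:::' > "$SAMPLE_DIR/shadow"
printf '%s\n' 'root:x:0:' 'alice:x:500:' 'dovecot:x:97:' 'bob:x:501:' 'carol:x:502:' > "$SAMPLE_DIR/group"
mkdir -p "$SAMPLE_DIR/home/alice" "$SAMPLE_DIR/home/bob" "$SAMPLE_DIR/home/carol" "$SAMPLE_DIR/home/lost+found"
extract_accounts "$SAMPLE_DIR" "$OUT"
counts_match "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/home" && echo "ok: $(tr '\n' ' ' < "$OUT/users.txt")"
```

On a real migration, point SAMPLE_DIR at the staged copies and compare the generated *.add files against the old server before appending them.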
