Difference between revisions of "CentOS 8.x migrate CentOS 7.x postfix, dovecot, squirrelmail server"
From Notes_Wiki
(Created page with "<yambe:breadcrumb self="Migrate CentOS 7.x postfix, dovecot, squirrelmail server">CentOS 8.x email servers|CentOS 8.x email servers</yambe:breadcrumb> =CentOS 8.x migrate Cent...") |
Line 4: | Line 4: | ||
There is older article on this at [[CentOS 7.x migrate CentOS 7.x postfix, dovecot, squirrelmail server]] | There is older article on this at [[CentOS 7.x migrate CentOS 7.x postfix, dovecot, squirrelmail server]] | ||
Following steps can be used for migrating a running mail server setup from CentOS 7.x to CentOS 8.x: | Following steps can be used for migrating a running mail server setup from CentOS 7.x '''or even CentOS 8.x''' to CentOS 8.x: | ||
# Create a new VM/machine/server with necessary resources (Eg t2.micro) in appropriate region and availability zone. | # Create a new VM/machine/server with necessary resources (Eg t2.micro) in appropriate region and availability zone. | ||
# Add elastic (static public) IP to instance if not done already | # Add elastic (static public) IP to instance if not done already | ||
# Optionally add IPv6 address to instance using [[Configure AWS CentOS instance to use IPv6]] | |||
# In Instance firewall allow ports (22, 25, 80, 443, 143, 993, 110, 995, 587, 465). Or apply security group settings from old server to new server (HTTP, HTTPS, POP3, POP3S, SMTP, SMTPS, IMAP, IMAPS, SSH, Ping) | # In Instance firewall allow ports (22, 25, 80, 443, 143, 993, 110, 995, 587, 465). Or apply security group settings from old server to new server (HTTP, HTTPS, POP3, POP3S, SMTP, SMTPS, IMAP, IMAPS, SSH, Ping) | ||
# Create <tt>/etc/hosts</tt> entry for old-<fqdn> and new-<fqdn> servers ('''On local workstation''') | # Create <tt>/etc/hosts</tt> entry for old-<fqdn> and new-<fqdn> servers ('''On local workstation''') | ||
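Review bot: the IPv6 step added on the right has no follow-through in the firewall item just below it, which still lists only the IPv4 security-group services. If the instance gets an IPv6 address, the security group needs matching rules with an IPv6 (::/0) source or nothing reaches the new address, and the rDNS item added later in this revision should be applied to the IPv6 address as well, since Gmail checks for a PTR record on IPv6 senders. Suggest appending "(for IPv6 too, if added)" to the firewall line and the rDNS line.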
Line 52: | Line 53: | ||
##:: #In /etc/sysconfig/network-scripts/ifcfg-eth0 append ZONE=public | ##:: #In /etc/sysconfig/network-scripts/ifcfg-eth0 append ZONE=public | ||
##:: | ##:: | ||
##:: | ##:: nmcli networking off; nmcli networking on | ||
##:: systemctl restart firewalld | ##:: systemctl restart firewalld | ||
##:: systemctl enable firewalld | ##:: systemctl enable firewalld | ||
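Review bot: the added `nmcli networking off; nmcli networking on` is typed into the SSH session that the earlier steps open to new-<fqdn>, so an error between the two commands (or a shell killed by SIGHUP) leaves the machine unreachable. Suggest stating that it must be run inside the byobu session installed earlier, or replacing it with `nmcli connection reload` followed by `nmcli connection up` on the eth0 connection, which applies the ZONE= change without dropping the whole network stack.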
Line 107: | Line 108: | ||
## Do <tt>ls -l /home</tt> and all user and group names should appear properly ('''On new server''') | ## Do <tt>ls -l /home</tt> and all user and group names should appear properly ('''On new server''') | ||
# '''On new server''' | # '''On new server''' | ||
## <tt>dnf -y install logwatch postfix dovecot</tt> | ## <tt>dnf -y install logwatch postfix dovecot postfix-pcre</tt> | ||
## copy custom aliases from <tt>/etc/aliases</tt> to new server and update root alias appropriately | ## copy custom aliases from <tt>/etc/aliases</tt> to new server and update root alias appropriately | ||
## <tt>newaliases</tt> | ## <tt>newaliases</tt> | ||
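Review bot: `postfix-pcre` is added to the install line without a reason. Since a later step rsyncs /etc/postfix from the old server, presumably the copied configuration references `pcre:` lookup tables (header_checks or body_checks are the usual ones); say so, and mention that without the package Postfix logs pcre as an unsupported dictionary type and refuses the map, otherwise a reader whose setup has no pcre maps cannot tell whether the package is needed.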
Line 117: | Line 118: | ||
#:: rsync -a /etc/postfix/ root@<new-fqdn>:/etc/postfix/ | #:: rsync -a /etc/postfix/ root@<new-fqdn>:/etc/postfix/ | ||
#:: rsync -a /etc/dovecot/ root@<new-fqdn>:/etc/dovecot/ | #:: rsync -a /etc/dovecot/ root@<new-fqdn>:/etc/dovecot/ | ||
#:: rsync /etc/httpd/ root@<new-fqdn>:/etc/httpd/ | #:: rsync -a /etc/httpd/ root@<new-fqdn>:/etc/httpd/ | ||
#:: rsync /var/www/html/ root@<new-fqdn>:/var/www/html/ | #:: rsync -a /var/www/html/ root@<new-fqdn>:/var/www/html/ | ||
#:: rsync /etc/php.ini root@<new-fqdn>:/etc/php.ini | #:: rsync -a /etc/php.ini root@<new-fqdn>:/etc/php.ini | ||
#:: | #:: | ||
#:: rm /etc/httpd/conf.modules.d/10-php.conf | #:: rm /etc/httpd/conf.modules.d/10-php.conf | ||
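Review bot: adding `-a` to the three rsync lines is the right fix (without it rsync skips directories, so /etc/httpd and /var/www/html were never copied), but the trailing `rm /etc/httpd/conf.modules.d/10-php.conf` sits under a heading marked "On old server" while it only makes sense on the new server: that file comes across with the copied /etc/httpd and loads the CentOS 7 PHP 5 module, which does not exist on CentOS 8, so httpd fails to start until it is removed. Suggest labelling the line "(On new server)" and stating that httpd will not start while the file is present.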
Line 134: | Line 135: | ||
##:: systemctl status dovecot | ##:: systemctl status dovecot | ||
##:</pre> | ##:</pre> | ||
##:: Based on https://unix.stackexchange.com/questions/595860/ssl-protocols-has-been-replaced-by-ssl-min-protocol if required update configuration in /etc/dovecot/conf.d/10-ssl.conf | |||
# Add /etc/hosts entry for new server in laptop and try to open the new server with name and IP. | # Add /etc/hosts entry for new server in laptop and try to open the new server with name and IP. | ||
# Repeat /home/ rsync again after it finishes for a second sync | # Repeat /home/ rsync again after it finishes for a second sync | ||
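Review bot: the added note links to the stackexchange thread but does not say what to change. The copied /etc/dovecot comes from Dovecot 2.2 on CentOS 7 and CentOS 8 ships Dovecot 2.3, which dropped `ssl_protocols`, so state it directly: replace the `ssl_protocols = ...` line in /etc/dovecot/conf.d/10-ssl.conf with `ssl_min_protocol = TLSv1.2`, then run `doveconf -n` to confirm the configuration parses before `systemctl start dovecot`. As placed, the note comes after the status check that would already have shown the failure.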
Line 150: | Line 152: | ||
#:: dnf -y install bind-utils telnet nc | #:: dnf -y install bind-utils telnet nc | ||
#:</pre> | #:</pre> | ||
# Add rDNS entry for FQDN to elastic IP in AWS EC2 | |||
# Send test email from gmail to server and wait for receiving email on new server | # Send test email from gmail to server and wait for receiving email on new server | ||
# Send test email from new server to gmail and wait for receiving email on Gmail account | # Send test email from new server to gmail and wait for receiving email on Gmail account | ||
# Stop old server and add reminder to terminate old server after a few days. | # Stop old server and add reminder to terminate old server after a few days. | ||
# Disassociate elastic IP or static IP of old server. | # Disassociate elastic IP or static IP of old server after removing its rDNS entry. | ||
# Try to release it. Raise support ticket if AWS support is required to release the elastic IP. | # Try to release it. Raise support ticket if AWS support is required to release the elastic IP. | ||
# ssh from backup machine to new server and ensure that new servers SSH keys are recognized preperly | # ssh from backup machine to new server and ensure that new servers SSH keys are recognized preperly | ||
# '''TODO''' - Both squirrelmail and roundcube do not seem to be available in default / epel repository on CentOS 8-Stream. Installation of HTTP mail access is pending. | # '''TODO''' - Both squirrelmail and roundcube do not seem to be available in default / epel repository on CentOS 8-Stream. Installation of HTTP mail access is pending. |
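Review bot: placing the new rDNS item before the Gmail delivery tests is correct (Gmail rejects mail from addresses without a PTR record), but the step should also say how to verify it, e.g. `dig -x <elastic-ip>` using the bind-utils installed just above, since the PTR takes a while to propagate. Separately, the ssh-check line still carries two typos: "preperly" should be "properly" and "new servers" should be "new server's".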
Revision as of 16:30, 13 April 2021
CentOS 8.x migrate CentOS 7.x postfix, dovecot, squirrelmail server
There is an older article on this at CentOS 7.x migrate CentOS 7.x postfix, dovecot, squirrelmail server
The following steps can be used for migrating a running mail server setup from CentOS 7.x or even CentOS 8.x to CentOS 8.x:
- Create a new VM/machine/server with necessary resources (e.g. t2.micro) in the appropriate region and availability zone.
- Add elastic (static public) IP to instance if not done already
- Optionally add IPv6 address to instance using Configure AWS CentOS instance to use IPv6
- In Instance firewall allow ports (22, 25, 80, 443, 143, 993, 110, 995, 587, 465). Or apply security group settings from old server to new server (HTTP, HTTPS, POP3, POP3S, SMTP, SMTPS, IMAP, IMAPS, SSH, Ping)
- Create /etc/hosts entry for old-<fqdn> and new-<fqdn> servers (On local workstation)
- SSH to new-<fqdn> as centos user (On new server)
- sudo su -
- Upgrade distro to CentOS 8-Stream if not done already
- dnf -y install gdisk
- dnf -y swap centos-linux-repos centos-stream-repos
- dnf -y distro-sync
- dnf -y install epel-release vim
- dnf -y install byobu
- Allow direct root login with AWS security key pair (155x)
- Copy your own public key into authorized_keys
- Add swap space using CentOS 7.x adding swap space using file
- Add history date/time recording using Storing date / time along with commands in history
- set desired hostname using:
- hostnamectl set-hostname <new-hostname>
- Set correct time zone CentOS 8.x Change system timezone
- exit from root and centos
- Now ssh directly as root user and proceed (On new server)
- If new disk is added for /home create required partition and file-system. Then mount the disk or partition on /home as desired
- Remember to add /etc/fstab entries for additional partitions or disks.
- Open ssh to root@old-<fqdn> (On old server)
- ssh-keygen
- Add /etc/hosts entry in old server for pointing to new server with name (eg new-<fqdn>)
- Copy keys from old server to new server as authorized
- On ssh to root@old-<fqdn> (On old server)
- Start copy of home folder which might take considerable time
- rsync -aHz --delete /home/ root@new-<fqdn>:/home/
- On root ssh (On new server)
- Install various packages using:
- dnf -y install httpd mod_ssl epel-release php
- Install and configure firewalld using (refer CentOS 7.x firewalld)
- dnf -y install firewalld
- #In /etc/sysconfig/network-scripts/ifcfg-eth0 append ZONE=public
- nmcli networking off; nmcli networking on
- systemctl restart firewalld
- systemctl enable firewalld
- firewall-cmd --zone=public --add-port=25/tcp --permanent #SMTP
- firewall-cmd --zone=public --add-port=80/tcp --permanent #HTTP
- firewall-cmd --zone=public --add-port=443/tcp --permanent #HTTPS
- firewall-cmd --zone=public --add-port=143/tcp --permanent #IMAP
- firewall-cmd --zone=public --add-port=993/tcp --permanent #IMAPS
- firewall-cmd --zone=public --add-port=110/tcp --permanent #POP3
- firewall-cmd --zone=public --add-port=995/tcp --permanent #POP3S
- firewall-cmd --zone=public --add-port=587/tcp --permanent #Submission
- firewall-cmd --zone=public --add-port=465/tcp --permanent #SMTPS
- firewall-cmd --reload
- TODO - Copy firewalld configuration from old server to new server
- Install and configure fail2ban by referring CentOS 7.x fail2ban
- If custom SSL certificates were used edit /etc/httpd/conf.d/ssl.conf with
- SSLCertificateFile /etc/httpd/conf/ssl.crt
- SSLCertificateKeyFile /etc/httpd/conf/ssl.key
- SSLCACertificateFile /etc/httpd/conf/ca-bundle.pem
- and copy corresponding files from old server to new server
- If a Let's Encrypt certificate was used (see Installing lets-encrypt SSL certificate), then
- Copy letsencrypt data from old server to new using: (On old server)
- rsync -a /etc/letsencrypt/ root@<new-fqdn>:/etc/letsencrypt/
- Install certbot on new server using: (On new server)
- dnf -y install certbot python3-certbot-apache
- Check cron configuration on old server (On old server)
- crontab -l
- Configure cron entries for automatic SSL renewal same as old server on new server using crontab -e (On new server)
- crontab -e
- Copy account information from old server to new server.
- List user account on old server using
- cat /etc/passwd
- Copy all lines for UID >=500 and append corresponding lines to /etc/passwd on new server.
- The number of lines should match 'ls -1 /home | grep -v lost | wc -l'
- Be watchful for IDs <500 which might appear in between (e.g. nscd, dovecot)
- Copy /etc/shadow lines of corresponding users from old server to new server
- Copy /etc/group lines of corresponding users from old server to new server
- Do ls -l /home and all user and group names should appear properly (On new server)
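The account-copying step above is done by hand; the following script, an added example that is not part of the wiki page, selects the same lines mechanically and applies the page's sanity check (user count versus `ls -1 /home | grep -v lost | wc -l`). It assumes the page's UID cut-off of 500 and, as an extra assumption, an upper bound of 60000 (the login.defs UID_MAX) so that nfsnobody (UID 65534 on CentOS 7) is not picked up; file paths are parameters, and the sample files it runs on are constructed here.

```shell
#!/bin/sh
# Added example, not part of the wiki page: pick out the account lines that the
# "Copy account information" step transfers by hand, and cross-check them
# against the home directories rsynced earlier. Paths are parameters so it can
# be tried on the constructed sample files below before touching /etc/*.
# Assumed thresholds: regular users have UID >= 500 (the page's cut-off) and
# <= 60000 (login.defs UID_MAX), which skips nfsnobody (65534) on CentOS 7.

# Print the passwd lines for regular users, skipping system accounts such as
# nscd or dovecot that sit in between regardless of their position in the file.
select_users() {
    awk -F: -v min="${2:-500}" -v max="${3:-60000}" '$3 >= min && $3 <= max' "$1"
}

# Read selected passwd lines on stdin and print the lines of another
# colon-separated file ($1: shadow or group) whose first field is one of those
# usernames. For /etc/group this picks each user's private group; membership
# lists of shared groups (e.g. mail:x:12:alice,bob) are left for manual review.
matching_lines() {
    awk -F: 'NR == FNR { want[$1] = 1; next } $1 in want' - "$1"
}

# The page's sanity check: the number of selected users must equal
# `ls -1 /home | grep -v lost | wc -l`. Returns 0 when they match.
count_matches() {
    users=$(select_users "$1" | awk 'END { print NR }')
    homes=$(ls -1 "$2" | grep -v lost | awk 'END { print NR }')
    echo "users=$users homes=$homes"
    [ "$users" -eq "$homes" ]
}

# Constructed sample data standing in for the old server's files.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
dovecot:x:97:97:Dovecot IMAP server:/usr/libexec/dovecot:/sbin/nologin
bob:x:1001:1001:Bob:/home/bob:/bin/bash
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
EOF
cat > "$demo/shadow" <<'EOF'
root:$6$placeholder:18500:0:99999:7:::
alice:$6$placeholder:18500:0:99999:7:::
bob:!!:18500:0:99999:7:::
EOF
cat > "$demo/group" <<'EOF'
root:x:0:
alice:x:1000:
mail:x:12:alice,bob
bob:x:1001:
EOF
mkdir -p "$demo/home/alice" "$demo/home/bob" "$demo/home/lost+found"

# Lines to append to /etc/passwd, /etc/shadow and /etc/group on the new server.
select_users "$demo/passwd"
select_users "$demo/passwd" | matching_lines "$demo/shadow"
select_users "$demo/passwd" | matching_lines "$demo/group"
count_matches "$demo/passwd" "$demo/home"
```

On the old server the same three calls run against /etc/passwd, /etc/shadow and /etc/group with /home as the directory; the output is what gets appended on the new server, and a mismatch from `count_matches` points at a home directory without an account (or the reverse) before anything is copied.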
- On new server
- dnf -y install logwatch postfix dovecot postfix-pcre
- copy custom aliases from /etc/aliases to new server and update root alias appropriately
- newaliases
- In /etc/hosts add new-<fqdn> <fqdn> against 127.0.0.1
- dnf -y install wget
- Disable selinux (setenforce 0, edit /etc/sysconfig/selinux and set SELINUX=disabled)
- Copy data from old server to new server On old server
- rsync -a /etc/postfix/ root@<new-fqdn>:/etc/postfix/
- rsync -a /etc/dovecot/ root@<new-fqdn>:/etc/dovecot/
- rsync -a /etc/httpd/ root@<new-fqdn>:/etc/httpd/
- rsync -a /var/www/html/ root@<new-fqdn>:/var/www/html/
- rsync -a /etc/php.ini root@<new-fqdn>:/etc/php.ini
- rm /etc/httpd/conf.modules.d/10-php.conf
- On new server
- Start and enable services
- systemctl enable postfix
- systemctl start postfix
- systemctl status postfix
- systemctl enable dovecot
- systemctl start dovecot
- systemctl status dovecot
- Based on https://unix.stackexchange.com/questions/595860/ssl-protocols-has-been-replaced-by-ssl-min-protocol if required update configuration in /etc/dovecot/conf.d/10-ssl.conf
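The linked thread concerns the Dovecot 2.3 change that removed `ssl_protocols` in favour of `ssl_min_protocol`; the copied /etc/dovecot from CentOS 7 (Dovecot 2.2) still carries the old directive. The following is an added example, not from the wiki page or the Dovecot project, that rewrites a copied 10-ssl.conf in place. It assumes the file path as its first parameter and uses TLSv1.2 as the default minimum (a stricter floor than the old "!SSLv2 !SSLv3", passed as the second parameter if a different one is wanted); the sample config it runs on is constructed.

```shell
#!/bin/sh
# Added example, not part of the wiki page: CentOS 7 ships Dovecot 2.2, whose
# 10-ssl.conf uses ssl_protocols; CentOS 8 ships Dovecot 2.3, which dropped that
# setting in favour of ssl_min_protocol. After /etc/dovecot is rsynced across,
# this rewrites the directive. The file path and the minimum version (default
# TLSv1.2, deliberately stricter than the old "!SSLv2 !SSLv3") are parameters
# so it can be tried on the constructed sample below first.

# Replace any active ssl_protocols line in $1 with "ssl_min_protocol = $2".
# Commented-out lines are left alone, a .bak copy is kept, and the resulting
# directive is printed. Running it twice is a no-op.
fix_dovecot_ssl() {
    f=$1
    min=${2:-TLSv1.2}
    if ! grep -qE '^[[:space:]]*ssl_protocols[[:space:]]*=' "$f"; then
        echo "$f: no ssl_protocols directive, nothing to change"
        return 0
    fi
    sed -i.bak -E "s/^[[:space:]]*ssl_protocols[[:space:]]*=.*/ssl_min_protocol = $min/" "$f"
    grep -E '^ssl_min_protocol' "$f"
}

# Constructed sample resembling a CentOS 7 10-ssl.conf.
sample=$(mktemp)
trap 'rm -f "$sample" "$sample.bak"' EXIT
cat > "$sample" <<'EOF'
ssl = required
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
#ssl_protocols = !SSLv2
ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list = HIGH:!aNULL:!MD5
EOF

fix_dovecot_ssl "$sample"
# Second run finds nothing to change.
fix_dovecot_ssl "$sample"
```

On the new server the call is `fix_dovecot_ssl /etc/dovecot/conf.d/10-ssl.conf`; run `doveconf -n` afterwards, which fails with a clear message if any other removed 2.2 setting remains, before starting dovecot.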
- Add /etc/hosts entry for new server in laptop and try to open the new server with name and IP.
- Repeat /home/ rsync again after it finishes for a second sync
- ls -l /home on new-server should recognize all usernames and groupnames properly
- During downtime on old server
- Stop httpd, dovecot and postfix
- Again sync /home
- Change production public DNS entries to point to new server. If organization has local private DNS, then perhaps that may also require changes.
- Check updated entries via public DNS servers after waiting for a minute or two
- Manually copy entries from /root/.ssh/authorized_keys of old server to new server
- Comment out the /etc/hosts entry in laptop after DNS entry has been changed
- systemctl restart postfix (On new server)
- Before this it listens on 127.0.0.1:25, after this it changes to 0.0.0.0:25
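The bind-address change noted above is worth confirming rather than assuming, since it is the moment the SMTP listener becomes reachable from the Internet. The helpers below are an added example, not from the wiki page: they parse `ss -ltn` output (a real iproute2 command, fed on stdin) and report whether a port is loopback-only, exposed on a wildcard address, or not listening at all. The ss snapshots used here are constructed.

```shell
#!/bin/sh
# Added example, not part of the wiki page: after the copied main.cf is picked
# up by `systemctl restart postfix`, the SMTP listener moves from 127.0.0.1:25
# to 0.0.0.0:25. These helpers read `ss -ltn` output on stdin and report where
# a port is bound, so the change (and the exposure it implies) can be checked.
# The ss snapshots below are constructed, not captured from a real server.

# Print the local address(es) on which the given TCP port is listening.
listen_addresses() {
    awk -v p="${1:-25}" '
        $1 == "LISTEN" && $4 ~ (":" p "$") {
            addr = $4; sub(/:[0-9]+$/, "", addr); print addr
        }'
}

# Exit 0 if the port accepts connections from other hosts (wildcard bind:
# 0.0.0.0, *, [::] or the older ::: form), 1 if it is loopback-only,
# 2 if nothing listens on it at all.
port_exposure() {
    addrs=$(listen_addresses "${1:-25}")
    [ -n "$addrs" ] || return 2
    if echo "$addrs" | grep -qE '^(0\.0\.0\.0|\*|\[::\]|::)$'; then
        return 0
    fi
    return 1
}

# Constructed `ss -ltn` snapshots: before and after the Postfix restart.
SS_BEFORE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      100    127.0.0.1:25       0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'
SS_AFTER='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      100    0.0.0.0:25         0.0.0.0:*
LISTEN 0      100    [::]:25            [::]:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

# $1 = label, $2 = ss output, $3 = port
describe() {
    rc=0
    echo "$2" | port_exposure "$3" || rc=$?
    case $rc in
        0) echo "$1: port $3 reachable from the network" ;;
        1) echo "$1: port $3 loopback only" ;;
        *) echo "$1: port $3 not listening" ;;
    esac
}
describe before "$SS_BEFORE" 25
describe after  "$SS_AFTER"  25
describe after  "$SS_AFTER"  465
```

On the server itself the check is `ss -ltn | port_exposure 25`, run once before and once after the restart; the same call with 465, 587, 143 or 993 confirms that each service the firewall was opened for is actually listening, and a port that reports "not listening" after the restart points at a configuration that did not come across.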
- Install bind-utils, telnet and nc (On new server)
- dnf -y install bind-utils telnet nc
- Add rDNS entry for FQDN to elastic IP in AWS EC2
- Send test email from gmail to server and wait for receiving email on new server
- Send test email from new server to gmail and wait for receiving email on Gmail account
- Stop old server and add reminder to terminate old server after a few days.
- Disassociate elastic IP or static IP of old server after removing its rDNS entry.
- Try to release it. Raise support ticket if AWS support is required to release the elastic IP.
- ssh from backup machine to new server and ensure that the new server's SSH keys are recognized properly
- TODO - Both squirrelmail and roundcube do not seem to be available in default / epel repository on CentOS 8-Stream. Installation of HTTP mail access is pending.