HowTo Mail Backup - Ikujam » History » Version 1

Version 1/19
iku jam, 24/01/2012 13:09


HowTo Mail Backup - Ikujam

WIP...

  1. Presentation
  2. Requirements
  3. dns setup on host
    1. master for tld .test
    2. static IPs for vms
  4. 2 vms mail1.test mail2.test
    1. postfix
    2. postfixadmin
    3. postgresql
    4. pgpool for postgres replication
    5. inotify-based sync on maildir
    6. roundcube as mail client
    7. mailman as list manager
  5. test setup
    1. default case
    2. failover scenario

Presentation

several projects with mail servers
a need for a certain level of stability, which requires documentation
free software user, activist and contributor
the idea is to produce a complete test environment with vms on a single machine

CC-NC-SA

Requirements

Host system

  • debian
  • qemu-kvm
  • bind

This howto uses

  1. cat /etc/debian_version
    wheezy/sid
  2. uname -a
    Linux master 3.1.0-1-amd64 #1 SMP Sun Dec 11 20:36:41 UTC 2011 x86_64 GNU/Linux

Mail Server VMs

  • debian
  • debian packages for the different software

    root@mail1:~# echo "mail1" > /etc/hostname
    root@mail1:~# apt-get install inotify-tools rsync openssh-server pgpool javascript-common apache2 libapache2-mod-php5 roundcube postgresql postfix postfix-pgsql mailman roundcube-pgsql libc-client2007e mlock php5-imap postgrey courier-authlib-postgresql sasl2-bin courier-authdaemon libsasl2-modules-sql courier-imap-ssl --no-install-recommends

  • use default options for roundcube, courier & mailman for now
    • ident authentication
    • dbconfig
    • pgsql as database choice
    • mailman language as you prefer
  • install postfixadmin:

    root@mail1:~# lynx 'http://downloads.sourceforge.net/project/postfixadmin/postfixadmin/postfixadmin-2.3.4/postfixadmin_2.3.4_all.deb'

  • use default options for now
  • just out of personal habit, some tools I use

    root@mail1:~# apt-get install lynx less mc vim

    root@mail1:~# cat /etc/debian_version
    wheezy/sid
    root@mail1:~# uname -a
    Linux mail1.test 3.1.0-1-amd64 #1 SMP Tue Jan 10 05:01:58 UTC 2012 x86_64 GNU/Linux

    root@mail2:~# cat /etc/debian_version
    wheezy/sid
    root@mail2:~# uname -a
    Linux mail2 3.1.0-1-amd64 #1 SMP Fri Dec 23 16:37:11 UTC 2011 x86_64 GNU/Linux

root@mail2:~# cat /etc/network/interfaces
    # This file describes the network interfaces available on your system
    # and how to activate them. For more information, see interfaces(5).

    # The loopback network interface
    auto lo
    iface lo inet loopback

    # The primary network interface
    allow-hotplug eth0
    iface eth0 inet static
        address 192.168.122.3
        netmask 255.255.255.0
        network 192.168.122.0
        broadcast 192.168.122.255
        gateway 192.168.122.1

dns setup on host

root@quadebian:/etc/bind# cat db.192.168.122
;
; BIND reverse data file for test
; (@ stands for the zone origin, here 122.168.192.in-addr.arpa.)
;
$TTL 604800
@ IN SOA master.test. root.master.test. (
        1 ; Serial
        604800 ; Refresh
        86400 ; Retry
        2419200 ; Expire
        604800 ) ; Negative Cache TTL
;
@ IN NS master.test.
1 IN PTR master.test.
2 IN PTR mail1.test.
3 IN PTR mail2.test.

root@quadebian:/etc/bind# cat db.test
;
; BIND data file for test
; (@ stands for the zone origin, here test.)
;
$TTL 604800
@ IN SOA master.test. info.master.test. (
        2 ; Serial
        604800 ; Refresh
        86400 ; Retry
        2419200 ; Expire
        604800 ) ; Negative Cache TTL
;
@ IN NS master.test.
test. IN MX 10 mail1.test.
test. IN MX 20 mail2.test.

master IN A 192.168.122.1
mail1 IN A 192.168.122.2
mail2 IN A 192.168.122.3

root@quadebian:/etc/bind# named-checkzone test db.test
zone test/IN: loaded serial 2
OK

  • the vms reach the host's dns server (bind on 192.168.122.1) through the kvm default network in forward mode nat (default net config)

root@quadebian:/etc/bind# virsh
Welcome to virsh, the virtualization interactive terminal.

Type: 'help' for help with commands
'quit' to quit

virsh # net-dumpxml default
<network>
  <name>default</name>
  <uuid>0529cc34-c2ad-9663-0f42-5b338b14a6e4</uuid>
  <forward mode='nat'/>
  <bridge name='virbr0' stp='on' delay='0' />
  <mac address='52:54:00:37:85:D8'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.122.2' end='192.168.122.254' />
    </dhcp>
  </ip>
</network>

vm dns config

  • the change requires reassigning the NICs via virt-manager
    • remove the nic (and /etc/udev/rules.d/70-persistent-net.rules, which keeps track of the nics seen on the system; removing it avoids ending up with eth2/3/4...)
    • create a new nic on the default network
    • reboot the vm
    • test connectivity & bind (set nameserver to 192.168.122.1 in /etc/resolv.conf)

tests to do

root@quadebian:/etc/bind# dig mx test

; <<>> DiG 9.7.3 <<>> mx test
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26405
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 3

;; QUESTION SECTION:
;test. IN MX

;; ANSWER SECTION:
test. 604800 IN MX 20 mail2.test.
test. 604800 IN MX 10 mail1.test.

;; AUTHORITY SECTION:
test. 604800 IN NS master.test.

;; ADDITIONAL SECTION:
mail1.test. 604800 IN A 192.168.122.2
mail2.test. 604800 IN A 192.168.122.3
master.test. 604800 IN A 192.168.122.1

;; Query time: 2 msec
;; SERVER: 10.11.12.126#53(10.11.12.126)
;; WHEN: Tue Jan 24 09:55:25 2012
;; MSG SIZE rcvd: 135

Server configuration

postfix

root@mail2:/etc/postfix# mv main.cf main.cf.debian
root@mail2:/etc/postfix# vi main.cf
root@mail2:/etc/postfix# mkdir pgsql
root@mail2:/etc/postfix# vi pgsql/virtual_alias_maps.cf
root@mail2:/etc/postfix# vi pgsql/virtual_domain_maps.cf
root@mail2:/etc/postfix# vi pgsql/relay_domains.cf
root@mail2:/etc/postfix# vi pgsql/virtual_mailbox_limits.cf
root@mail2:/etc/postfix# vi pgsql/virtual_mailbox_maps.cf
root@mail2:/etc/courier# vi /etc/mailname
root@mail2:/etc/courier# cat /etc/postfix/transport
lists.test mailman:
root@mail2:/etc/courier# postmap /etc/postfix/transport
root@mail2:/etc/postfix# scp -r . mail1.test:/etc/postfix/

root@mail1:/etc/postfix# vi main.cf
  1. change the following line:
    mydestination = test,mail1.test,localhost.test, localhost

saslauthd

  • change /etc/default/saslauthd

    START=yes
    MECHANISMS="rimap"
    OPTIONS="-c -r -O localhost -m /var/run/saslauthd"

postfixadmin

Only on mail1: mail2 will be synced through slony ;)

  • open http://mail1.test/postfixadmin/setup.php

  • set the password and replace the specified line in /etc/postfixadmin/config.inc.php:

    $CONF['setup_password'] = 'changeme';

  • create superadmin account using a local or valid email address (if you have internet access)
  • modify /usr/share/postfixadmin/functions.inc.php
    • this is in order to allow local domains, e.g. .test

lines 232 and following:

    // a domain is accepted if it is a proper fqdn (label.label.tld, tld of 2 to 6 chars) ...
    if (!preg_match ('/^([-0-9A-Z]+\.)+' . '([0-9A-Z]){2,6}$/i', ($domain)))
    {
        // ... or, added for this setup, a single label of 3 to 16 chars such as "test"
        if (!preg_match ('/^([-0-9A-Z]){3,16}$/i', ($domain)))
        {
            flash_error(sprintf($PALANG['pInvalidDomainRegex'], htmlentities($domain)));
            return false;
        }
    }

courier

root@mail1:/etc/courier# vi authdaemonrc
root@mail2:/etc/courier# mv authpgsqlrc authpgsqlrc.debian
root@mail2:/etc/courier# vi authpgsqlrc
root@mail2:/etc/courier# mv imapd imapd.debian
root@mail2:/etc/courier# vi imapd
root@mail2:/etc/courier# mv imapd-ssl imapd-ssl.debian
root@mail2:/etc/courier# vi imapd-ssl

roundcube

  • activate webapp
    • uncomment two alias directives inside /etc/apache2/conf.d/roundcube
    • adapt the config:

      $rcmail_config['default_host'] = 'localhost';
      $rcmail_config['smtp_server'] = 'localhost';

  • /etc/init.d/apache2 reload

ssh

  • generate a pair of keys on mail1 & mail2, as the mail user

    # su mail
    $ bash
    mail@mail2:/etc/postfix$ ssh-keygen
    Generating public/private rsa key pair.
    Enter file in which to save the key (/var/mail/.ssh/id_rsa):
    Created directory '/var/mail/.ssh'.
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /var/mail/.ssh/id_rsa.
    Your public key has been saved in /var/mail/.ssh/id_rsa.pub.
    The key fingerprint is:
    b9:bf:63:05:c0:9f:4f:07:82:d9:fd:79:99:cf:20:20 mail@mail2
    The key's randomart image is:
    [RSA 2048 randomart image, not reproduced]
  • add mail1's public key to mail1's authorized keys

    mail@mail1:/$ cp /var/mail/.ssh/id_rsa.pub /var/mail/.ssh/authorized_keys

  • add mail1's public key to mail2's authorized keys

    mail@mail2:/$ vi /var/mail/.ssh/authorized_keys
    mail@mail2:/$ chmod 0600 /var/mail/.ssh/authorized_keys

  • test connection

mail@mail1:/etc/courier$ ssh mail2.test
The authenticity of host 'mail2.test (192.168.122.3)' can't be established.
ECDSA key fingerprint is cb:a6:dd:64:03:ba:45:61:a3:b8:14:3a:05:89:ab:b3.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'mail2.test,192.168.122.3' (ECDSA) to the list of known hosts.
Linux mail2 3.1.0-1-amd64 #1 SMP Fri Dec 23 16:37:11 UTC 2011 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
$ hostname
mail2
$ logout
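The page installs mail1's public key on mail2 by pasting it into /var/mail/.ssh/authorized_keys and setting the file to 0600. The script below is an added example (not part of the wiki page) that does the same installation but pins the key to mail1's address and turns off the ssh features rsync over ssh does not use (port forwarding, X11, agent forwarding, pty). The options are standard OpenSSH authorized_keys options; the source address 192.168.122.2 is mail1's from the zone file above, and the key material in the test is constructed, not a real key.

```shell
#!/bin/sh
# Added example: install a public key into authorized_keys with a from= pin
# and the forwarding/pty options disabled, creating ~/.ssh with the modes
# sshd requires (0700 directory, 0600 file). Not the wiki page's own code.
set -u

# options every entry gets: rsync over ssh needs none of these features
KEY_OPTIONS='no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty'

# Validate a public key line "type base64 [comment]"; print "type base64".
validate_pubkey_line() {
  line="$1"
  set -f             # no pathname expansion while splitting the line
  set -- $line
  [ "$#" -ge 2 ] || return 1
  case "$1" in
    ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
    *) return 1 ;;
  esac
  case "$2" in
    *[!A-Za-z0-9+/=]*) return 1 ;;   # base64 alphabet only
  esac
  printf '%s %s\n' "$1" "$2"
}

# Build the restricted authorized_keys entry for a key allowed only from FROM_IP.
restricted_entry() {
  from_ip="$1"; pubkey_line="$2"
  key=$(validate_pubkey_line "$pubkey_line") || return 1
  printf 'from="%s",%s %s\n' "$from_ip" "$KEY_OPTIONS" "$key"
}

# Append the entry for the key in PUBKEY_FILE to AUTH_FILE unless that key is
# already present. Prints the entry written (nothing when already present).
install_restricted_key() {
  from_ip="$1"; pubkey_file="$2"; auth_file="$3"
  entry=$(restricted_entry "$from_ip" "$(head -n 1 "$pubkey_file")") || {
    echo "refusing to install: $pubkey_file is not a public key line" >&2
    return 1
  }
  key=${entry#* }                      # strip the options field: "type base64"
  dir=$(dirname "$auth_file")
  mkdir -p "$dir" && chmod 0700 "$dir"
  touch "$auth_file" && chmod 0600 "$auth_file"
  if grep -qF "$key" "$auth_file"; then
    echo "key already present in $auth_file" >&2
    return 0
  fi
  printf '%s\n' "$entry" >> "$auth_file"
  printf '%s\n' "$entry"
}

# usage on mail2, as the mail user, with mail1's id_rsa.pub copied over:
#   sh install_key.sh 192.168.122.2 /tmp/id_rsa.pub /var/mail/.ssh/authorized_keys
if [ "$#" -eq 3 ]; then
  install_restricted_key "$1" "$2" "$3"
fi
```

A forced command (command="...") would narrow the key further, but the rsync invocations on the page vary with the arguments, so it is left out here; the from= pin still means a copy of /var/mail/.ssh/id_rsa taken off mail1 is useless from any other address.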

inotify/rsync

  • create sync script

mail@mail1:/etc/courier$ vi ~/sync.sh

#!/bin/sh
# one-way maildir replication: initial rsync, then one rsync per inotify event
BASEDIR="$1"
REMOTE_HOST="$2"
RSYNC_OPTIONS="-rtlavz -e ssh --delete"

# Initial sync
rsync ${RSYNC_OPTIONS} "${BASEDIR}/" "${REMOTE_HOST}:${BASEDIR}"

# Wait for events to trigger rsync
inotifywait --format '%e %w' -e close_write -e move -e create -e delete -qmr "$BASEDIR" | while read EVENT
do
    # Fork off rsync proc to do sync
    rsync ${RSYNC_OPTIONS} "${BASEDIR}/" "${REMOTE_HOST}:${BASEDIR}" &
done

line added to /etc/rc.local (the log redirection comes first, then 2>&1, so that stderr also ends up in the log):

    su mail -l -c "nohup sh ~/sync.sh /var/mail/ mail2.test >> /var/log/mail/sync.log 2>&1 &"

root@mail1:/etc/courier# sh /etc/rc.local
nohup: ignoring input and redirecting stderr to stdout

mail@mail1:/etc/courier$ chmod 0700 ~/sync.sh
mail@mail1:~$ sh sync.sh /var/mail/ mail2.test

root@mail1:/etc/courier# mkdir /var/log/mail
root@mail1:/etc/courier# chown mail:mail /var/log/mail
root@mail1:/etc/courier# vi /etc/rc.local

pgpool

TODO

putting pieces together

  • recover postfixadmin password from /etc/postfixadmin/config.inc.php :

    $CONF['database_password'] = 'GENERATED PASSWORD';

  • apply it to the different files:

    for i in /etc/postfix/pgsql/virtual_alias_maps.cf \
             /etc/postfix/pgsql/virtual_domain_maps.cf \
             /etc/postfix/pgsql/relay_domains.cf \
             /etc/postfix/pgsql/virtual_mailbox_limits.cf \
             /etc/postfix/pgsql/virtual_mailbox_maps.cf ; do
        sed -i "s/PASSWORD/GENERATED PASSWORD/" $i
    done

    vi /etc/courier/authpgsqlrc

  • restart courier authdaemon:

    /etc/init.d/courier-authdaemon restart

  • create account via postfixadmin
  • verify domain & mailbox creation
  • send a test mail from the command line on master (apt-get install bsd-mailx)
  • verify replication of maildir on mail2
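For the "apply it to the different files" step above: the one-line sed loop breaks when the generated password contains a sed metacharacter ('/', '&' or '\'), and it puts the password on the command line where any user can read it in ps. The script below is an added example (not from the wiki page) that reads the password out of config.inc.php, inserts it verbatim into the Postfix pgsql map files, and then checks that those files, which now hold the database password, are not world-readable. Paths are the ones the page uses; /etc/courier/authpgsqlrc is still edited by hand as on the page; the "PASSWORD" placeholder and the config line format are those the page shows.

```shell
#!/bin/sh
# Added example: propagate the postfixadmin database password into the
# Postfix pgsql map files without sed metacharacter trouble and without the
# password appearing on a command line. Not the wiki page's own code.
set -u

PLACEHOLDER="PASSWORD"   # the token the page's map-file templates contain

# Print the value of $CONF['database_password'] from a config.inc.php.
extract_db_password() {
  sed -n "s/^[[:space:]]*[\$]CONF\['database_password'][[:space:]]*=[[:space:]]*'\([^']*\)'[[:space:]]*;.*/\1/p" "$1" | head -n 1
}

# Replace the first PLACEHOLDER in FILE with the password. awk gets the
# password from the environment (not from argv) and inserts it verbatim;
# the file is rewritten in place so its owner and mode are preserved.
apply_db_password() {
  file="$1"
  tmp="$file.tmp.$$"
  DB_PASSWORD="$2" awk -v token="$PLACEHOLDER" '{
      n = index($0, token)
      if (n > 0)
        $0 = substr($0, 1, n - 1) ENVIRON["DB_PASSWORD"] substr($0, n + length(token))
      print
    }' "$file" > "$tmp" && cat "$tmp" > "$file"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# The map files hold the password: report any readable by "other".
# Returns 1 if at least one file is world-readable.
check_map_permissions() {
  rc=0
  for f in "$@"; do
    case "$(ls -l "$f" | cut -c8-10)" in
      ---) ;;
      *) echo "world-readable, fix with chmod 0640 and chgrp postfix: $f" >&2; rc=1 ;;
    esac
  done
  return $rc
}

main() {
  pw=$(extract_db_password /etc/postfixadmin/config.inc.php)
  [ -n "$pw" ] || { echo "no database_password found in config.inc.php" >&2; return 1; }
  for f in /etc/postfix/pgsql/*.cf; do
    apply_db_password "$f" "$pw"
  done
  check_map_permissions /etc/postfix/pgsql/*.cf
}

# runs only when invoked as: sh apply_db_password.sh --apply
if [ "${1:-}" = "--apply" ]; then
  main
fi
```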
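For the last step, "verify replication of maildir on mail2", here is an added example (not part of the wiki page) of a check that goes beyond eyeballing the directory: a manifest of every file under the maildir (crc, size, relative path, from the POSIX cksum tool) is built on mail1 and, over the ssh trust set up above, on mail2, and the two are diffed. The paths (/var/mail) and host name (mail2.test) are the page's; the maildir contents in the test are constructed.

```shell
#!/bin/sh
# Added example: compare the maildir on the primary with its replica.
# Not the wiki page's own code.

# Print a manifest of DIR: one "crc size relative-path" line per file,
# sorted by path, so two manifests can be diffed line by line.
maildir_manifest() {
  dir="$1"
  (cd "$dir" && find . -type f -exec cksum {} + | sort -k3)
}

# Compare two manifest files. Lists files that are missing, extra or
# different in content on the backup side; returns 0 when identical.
manifest_diff() {
  out=$(diff "$1" "$2" | grep '^[<>]' || true)
  if [ -z "$out" ]; then
    return 0
  fi
  printf '%s\n' "$out" | sed 's/^< /missing or changed on backup: /; s/^> /extra or changed on backup: /' >&2
  return 1
}

# Run on the primary: local manifest, remote manifest via ssh, then diff.
# usage: sh check_replication.sh /var/mail mail2.test
check_replication() {
  local_dir="$1"; remote_host="$2"
  local_manifest=$(mktemp); remote_manifest=$(mktemp)
  maildir_manifest "$local_dir" > "$local_manifest"
  # same manifest on the backup; the path is single-quoted for the remote shell
  ssh "$remote_host" "cd '$local_dir' && find . -type f -exec cksum {} + | sort -k3" > "$remote_manifest"
  manifest_diff "$local_manifest" "$remote_manifest"
  rc=$?
  rm -f "$local_manifest" "$remote_manifest"
  return $rc
}

if [ "$#" -eq 2 ]; then
  check_replication "$1" "$2"
fi
```

Because the sync script runs rsync with --delete, a message removed on mail1 disappears from mail2 as well: the replica is a mirror, not a point-in-time backup, and this check confirms exactly that mirroring.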

References

http://chiliproject.tetaneutral.net/projects/tetaneutral/wiki/Serveur_Mail_tetalab

http://www.kutukupret.com/2011/06/28/postfix-one-way-maildir-replication-backup-using-inotify-and-rsync/

http://www.pgpool.net/pgpool-web/contrib_docs/pgpool-II_for_beginners.pdf