Version 2 - Historique - HowTo Mail Backup - Ikujam - tetaneutral.net

HowTo Mail Backup - Ikujam » Historique » Version 2

iku jam, 29/01/2012 20:33

 iku jam
-iku jam
+h2. Presentation
 iku jam
-iku jam
+several projects with mail servers
-iku jam
+request of certain stability, needed documentation
-iku jam
+free software user, activist and contributor
-iku jam
+idea is to produce a complete test environment with vms on a single machine
 iku jam
-iku jam
+CC-NC-SA
 iku jam
 iku jam
-iku jam
+h2. Requirements
 iku jam
-iku jam
+to follow you need some linux admin skills:
 iku jam
-iku jam
+* basic shell (bash)
-iku jam
+* at least basic knowledge of debian package system (install & setup packages with apt-get, manage services)
-iku jam
+* able to setup ssh public key authentication
-iku jam
+* i don't like nano, feel free to use it - or another editor - instead of vi
 iku jam
 iku jam
-iku jam
+h3. Host system
 iku jam
-iku jam
+* debian
-iku jam
+* qemu-kvm
-iku jam
+* bind
 iku jam
-iku jam
+This howto uses
 iku jam
-iku jam
+ # cat /etc/debian_version
-iku jam
+ wheezy/sid
-iku jam
+ # uname -a
-iku jam
+ Linux master 3.1.0-1-amd64 #1 SMP Sun Dec 11 20:36:41 UTC 2011 x86_64 GNU/Linux
 iku jam
-iku jam
+h3. Mail Server VMs
 iku jam
-iku jam
+* debian
-iku jam
+* debian packages for the different software
 iku jam
 iku jam
-iku jam
+ root@mail1:~# echo "mail1" > /etc/hostname
-iku jam
+ root@mail1:~# apt-get install inotify-tools rsync openssh-server pgpool  javascript-common apache2 libapache2-mod-php5  roundcube postgresql postfix postfix-pgsql mailman roundcube-pgsql libc-client2007e mlock php5-imap postgrey courier-authlib-postgresql sasl2-bin courier-authdaemon  libsasl2-modules-sql courier-imap-ssl --no-install-recommends
 iku jam
-iku jam
+* use default options for roundcube, courier & mailman  for now
-iku jam
+** ident authentication
-iku jam
+** dbconfig
-iku jam
+** pgsql as database choice
-iku jam
+** mailman language as you prefer
 iku jam
-iku jam
+* install postfixadmin :
 iku jam
-iku jam
+ root@mail1:~# lynx 'http://downloads.sourceforge.net/project/postfixadmin/postfixadmin/postfixadmin-2.3.4/postfixadmin_2.3.4_all.deb'
 iku jam
-iku jam
+* use default options for now
 iku jam
 iku jam
-iku jam
+* just as of personal habit, some tools i use
 iku jam
-iku jam
+ root@mail1:~# apt-get install lynx less mc vim
 iku jam
 iku jam
-iku jam
+ root@mail1:~# cat /etc/debian_version
-iku jam
+ wheezy/sid
-iku jam
+ root@mail1:~# uname -a
-iku jam
+ Linux mail1.test 3.1.0-1-amd64 #1 SMP Tue Jan 10 05:01:58 UTC 2012 x86_64 GNU/Linux
 iku jam
 iku jam
-iku jam
+ root@mail2:~# cat /etc/debian_version
-iku jam
+ wheezy/sid
-iku jam
+ root@mail2:~# uname -a
-iku jam
+ Linux mail2 3.1.0-1-amd64 #1 SMP Fri Dec 23 16:37:11 UTC 2011 x86_64 GNU/Linux
 iku jam
-iku jam
+root@mail2:~# cat /etc/network/interfaces
-iku jam
+# This file describes the network interfaces available on your system
-iku jam
+# and how to activate them. For more information, see interfaces(5).
 iku jam
-iku jam
+# The loopback network interface
-iku jam
+auto lo
-iku jam
+iface lo inet loopback
 iku jam
-iku jam
+# The primary network interface
-iku jam
+allow-hotplug eth0
-iku jam
+iface eth0 inet static
-iku jam
+        address 192.168.122.3
-iku jam
+        netmask 255.255.255.0
-iku jam
+        network 192.168.122.0
-iku jam
+        broadcast 192.168.122.255
-iku jam
+        gateway 192.168.122.1
 iku jam
 iku jam
-iku jam
+h2. dns setup on host
 iku jam
 iku jam
-iku jam
+root@quadebian:/etc/bind# cat  db.192.168.122
 iku jam
-iku jam
+; BIND reverse data file for test
 iku jam
-iku jam
+$TTL	604800
-iku jam
+@	IN	SOA	master.test. root.master.test. (
-iku jam
+		; Serial
-iku jam
+		; Refresh
-iku jam
+		; Retry
-iku jam
+			2419200		; Expire
-iku jam
+)	; Negative Cache TTL
 iku jam
-iku jam
+@	IN	NS	master.test.
-iku jam
+	IN	PTR	master.test.
-iku jam
+	IN	PTR	mail1.test.
-iku jam
+	IN	PTR	mail2.test.
 iku jam
 iku jam
-iku jam
+root@quadebian:/etc/bind# cat  db.test
 iku jam
-iku jam
+; BIND data file for test
 iku jam
-iku jam
+$TTL	604800
-iku jam
+@	IN	SOA	master.test. info.master.test. (
-iku jam
+		; Serial
-iku jam
+		; Refresh
-iku jam
+		; Retry
-iku jam
+			2419200		; Expire
-iku jam
+)	; Negative Cache TTL
 iku jam
-iku jam
+@	IN	NS	master.test.
-iku jam
+test.	IN	MX	10	mail1.test.
-iku jam
+test.	IN	MX	20	mail2.test.
 iku jam
-iku jam
+master	IN	A	192.168.122.1
-iku jam
+mail1	IN	A	192.168.122.2
-iku jam
+mail2	IN	A	192.168.122.3
 iku jam
-iku jam
+root@quadebian:/etc/bind# named-checkzone test db.test
-iku jam
+zone test/IN: loaded serial 2
-iku jam
+OK
 iku jam
 iku jam
-iku jam
+* pass kvm dns server in forward mode on host node (default net config)
 iku jam
-iku jam
+root@quadebian:/etc/bind# virsh
-iku jam
+Welcome to virsh, the virtualization interactive terminal.
 iku jam
-iku jam
+Type:  'help' for help with commands
-iku jam
+       'quit' to quit
 iku jam
-iku jam
+virsh # net-dumpxml default
-iku jam
+<network>
-iku jam
+  <name>default</name>
-iku jam
+  <uuid>0529cc34-c2ad-9663-0f42-5b338b14a6e4</uuid>
-iku jam
+  <forward mode='nat'/>
-iku jam
+  <bridge name='virbr0' stp='on' delay='0' />
-iku jam
+  <mac address='52:54:00:37:85:D8'/>
-iku jam
+  <ip address='192.168.122.1' netmask='255.255.255.0'>
-iku jam
+    <dhcp>
-iku jam
+      <range start='192.168.122.2' end='192.168.122.254' />
-iku jam
+    </dhcp>
-iku jam
+  </ip>
-iku jam
+</network>
 iku jam
 iku jam
-iku jam
+h3. vm dns config
 iku jam
-iku jam
+* change requires to reaffect NICs via virt-manager
-iku jam
+** remove nic (and /etc/udev/rules.d/70-persistent-net.rules - it keeps track of different nics on the system, avoids getting eth2/3/4...)
-iku jam
+** create new nic on default network
-iku jam
+** reboot vm
-iku jam
+** test connectivity & bind (set nameserver to 192.168.122.1 in /etc/resolv.conf)
 iku jam
-iku jam
+h3. tests to do
 iku jam
-iku jam
+* open http://mail1.test/roundcube & http://mail1.test/postfixadmin in a browser
-iku jam
+** roundcube -> 404
-iku jam
+** postfixadmin -> ok
-iku jam
+* dns
 iku jam
-iku jam
+root@quadebian:/etc/bind# dig mx test
 iku jam
-iku jam
+; <<>> DiG 9.7.3 <<>> mx test
-iku jam
+;; global options: +cmd
-iku jam
+;; Got answer:
-iku jam
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26405
-iku jam
+;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 3
 iku jam
-iku jam
+;; QUESTION SECTION:
-iku jam
+;test.				IN	MX
 iku jam
-iku jam
+;; ANSWER SECTION:
-iku jam
+test.			604800	IN	MX	20 mail2.test.
-iku jam
+test.			604800	IN	MX	10 mail1.test.
 iku jam
-iku jam
+;; AUTHORITY SECTION:
-iku jam
+test.			604800	IN	NS	master.test.
 iku jam
-iku jam
+;; ADDITIONAL SECTION:
-iku jam
+mail1.test.		604800	IN	A	192.168.122.2
-iku jam
+mail2.test.		604800	IN	A	192.168.122.3
-iku jam
+master.test.		604800	IN	A	192.168.122.1
 iku jam
-iku jam
+;; Query time: 2 msec
-iku jam
+;; SERVER: 10.11.12.126#53(10.11.12.126)
-iku jam
+;; WHEN: Tue Jan 24 09:55:25 2012
-iku jam
+;; MSG SIZE  rcvd: 135
 iku jam
 iku jam
 iku jam
 iku jam
-iku jam
+h2. Server configuration
 iku jam
-iku jam
+h3. postfix
 iku jam
-iku jam
+root@mail2:/etc/postfix# mv main.cf main.cf.debian
-iku jam
+root@mail2:/etc/postfix# vi  main.cf
-iku jam
+root@mail2:/etc/postfix# mkdir pgsql
-iku jam
+root@mail2:/etc/postfix# vi pgsql/virtual_alias_maps.cf
-iku jam
+root@mail2:/etc/postfix# vi pgsql/virtual_domain_maps.cf
-iku jam
+root@mail2:/etc/postfix# vi pgsql/relay_domains.cf
-iku jam
+root@mail2:/etc/postfix# vi pgsql/virtual_mailbox_limits.cf
-iku jam
+root@mail2:/etc/postfix# vi pgsql/virtual_mailbox_maps.cf
-iku jam
+root@mail2:/etc/courier# vi /etc/mailname
-iku jam
+root@mail2:/etc/courier# cat /etc/postfix/transport
-iku jam
+lists.test mailman:
-iku jam
+root@mail2:/etc/courier# postmap  /etc/postfix/transport
-iku jam
+root@mail2:/etc/postfix# scp -r . mail1.test:/etc/postfix/
 iku jam
 iku jam
-iku jam
+root@mail1:/etc/postfix# vi  main.cf
-iku jam
+# change following line :
-iku jam
+mydestination = test,mail1.test,localhost.test, localhost
 iku jam
-iku jam
+h3. saslauthd
 iku jam
-iku jam
+* change /etc/default/saslauthd
 iku jam
-iku jam
+ START=yes
-iku jam
+ MECHANISMS="rimap"
-iku jam
+ OPTIONS="-c -r -O localhost -m /var/run/saslauthd"
 iku jam
 iku jam
-iku jam
+h3. postfixadmin
 iku jam
-iku jam
+*Only on mail1* : mail2 will be synced through logshipping/PITR ;)
 iku jam
-iku jam
+* open
 iku jam
-iku jam
+http://mail1.test/postfixadmin/setup.php
 iku jam
-iku jam
+* set password and replace specified line in /etc/postfixadmin/config.inc.php :
 iku jam
-iku jam
+ $CONF['setup_password'] = 'changeme';
 iku jam
-iku jam
+* create superadmin account using a local or valid email address (if you have internet access)
 iku jam
-iku jam
+* modify /usr/share/postfixadmin/functions.inc.php
-iku jam
+** this is in order to allow local domains, e.g. @.test@
 iku jam
-iku jam
+_lignes 232++_
 iku jam
-iku jam
+<pre>
-iku jam
+    if (!preg_match ('/^([-0-9A-Z]+\.)+' . '([0-9A-Z]){2,6}$/i', ($domain)))
 iku jam
-iku jam
+    if (!preg_match ('/^([-0-9A-Z]){3,16}$/i', ($domain)))
 iku jam
-iku jam
+        flash_error(sprintf($PALANG['pInvalidDomainRegex'], htmlentities($domain)));
-iku jam
+        return false;
 iku jam
 iku jam
-iku jam
+</pre>
 iku jam
 iku jam
 iku jam
-iku jam
+h3. courier
 iku jam
-iku jam
+root@mail1:/etc/courier# vi authdaemonrc
-iku jam
+root@mail2:/etc/courier# mv authpgsqlrc authpgsqlrc.debian
-iku jam
+root@mail2:/etc/courier# vi authpgsqlrc
-iku jam
+root@mail2:/etc/courier# mv imapd imapd.debian
-iku jam
+root@mail2:/etc/courier# vi  imapd
-iku jam
+root@mail2:/etc/courier# mv imapd-ssl imapd-ssl.debian
-iku jam
+root@mail2:/etc/courier# vi  imapd-ssl
 iku jam
 iku jam
-iku jam
+h3. roundcube
 iku jam
-iku jam
+* activate webapp
-iku jam
+** uncomment two alias directives inside /etc/apache2/conf.d/roundcube
-iku jam
+** adapt config :
 iku jam
-iku jam
+ $rcmail_config['default_host'] = 'localhost';
-iku jam
+ $rcmail_config['smtp_server'] = 'localhost';
 iku jam
-iku jam
+* /etc/init.d/apache2 reload
 iku jam
-iku jam
+h3. ssh
 iku jam
-iku jam
+* generate pair of keys on mail1 & mail2
 iku jam
-iku jam
+# su mail
-iku jam
+$ bash
-iku jam
+mail@mail2:/etc/postfix$ ssh-keygen
-iku jam
+Generating public/private rsa key pair.
-iku jam
+Enter file in which to save the key (/var/mail/.ssh/id_rsa):
-iku jam
+Created directory '/var/mail/.ssh'.
-iku jam
+Enter passphrase (empty for no passphrase):
-iku jam
+Enter same passphrase again:
-iku jam
+Your identification has been saved in /var/mail/.ssh/id_rsa.
-iku jam
+Your public key has been saved in /var/mail/.ssh/id_rsa.pub.
-iku jam
+The key fingerprint is:
-iku jam
+b9:bf:63:05:c0:9f:4f:07:82:d9:fd:79:99:cf:20:20 mail@mail2
-iku jam
+The key's randomart image is:
-iku jam
++--[ RSA 2048]----+
-iku jam
+|       . + .     |
-iku jam
+|        E + o    |
-iku jam
+|         + + o .o|
-iku jam
+|         .+ o =o.|
-iku jam
+|        S  + o +.|
-iku jam
+|         .  o   o|
-iku jam
+|        .  .     |
-iku jam
+|         .o      |
-iku jam
+|         .oo     |
-iku jam
++-----------------+
 iku jam
-iku jam
+* add mail1's public key to mail1's authorized keys
 iku jam
-iku jam
+ mail@mail1:/$ cp /var/mail/.ssh/id_rsa.pub /var/mail/.ssh/authorized_keys
 iku jam
-iku jam
+* add mail1's public key to mail2's authorized keys
 iku jam
-iku jam
+ mail@mail2:/$ vi /var/mail/.ssh/authorized_keys
-iku jam
+ mail@mail2:/$ chmod 0600 /var/mail/.ssh/authorized_keys
 iku jam
-iku jam
+* test connection
 iku jam
-iku jam
+mail@mail1:/etc/courier$ ssh mail2.test
-iku jam
+The authenticity of host 'mail2.test (192.168.122.3)' can't be established.
-iku jam
+ECDSA key fingerprint is cb:a6:dd:64:03:ba:45:61:a3:b8:14:3a:05:89:ab:b3.
-iku jam
+Are you sure you want to continue connecting (yes/no)? yes
-iku jam
+Warning: Permanently added 'mail2.test,192.168.122.3' (ECDSA) to the list of known hosts.
-iku jam
+Linux mail2 3.1.0-1-amd64 #1 SMP Fri Dec 23 16:37:11 UTC 2011 x86_64
 iku jam
-iku jam
+The programs included with the Debian GNU/Linux system are free software;
-iku jam
+the exact distribution terms for each program are described in the
-iku jam
+individual files in /usr/share/doc/*/copyright.
 iku jam
-iku jam
+Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
-iku jam
+permitted by applicable law.
-iku jam
+$ hostname
-iku jam
+mail2
-iku jam
+$ logout
 iku jam
 iku jam
-iku jam
+h3. inotify/rsync
 iku jam
-iku jam
+# gen ssh key for user @mail@ on mail1 & copy public key to mail2
 iku jam
-iku jam
+* create sync script
 iku jam
-iku jam
+mail@mail1:/etc/courier$ vi ~/sync.sh
 iku jam
-iku jam
+<pre>
-iku jam
+#!/bin/sh
-iku jam
+BASEDIR="$1"
-iku jam
+REMOTE_HOST="$2"
-iku jam
+RSYNC_OPTIONS="-rtlavz -e ssh --delete"
 iku jam
 iku jam
-iku jam
+# Initial sync
-iku jam
+rsync ${RSYNC_OPTIONS} ${BASEDIR}/ ${REMOTE_HOST}:${BASEDIR}
 iku jam
-iku jam
+# Wait for events to trigger rsync
-iku jam
+inotifywait --format '%e %w' -e close_write -e move -e create -e delete -qmr $BASEDIR | while read EVENT
-iku jam
+do
-iku jam
+  # Fork off rsync proc to do sync
-iku jam
+rsync  ${RSYNC_OPTIONS} ${BASEDIR}/ ${REMOTE_HOST}:${BASEDIR} &
-iku jam
+done
 iku jam
-iku jam
+</pre>
-iku jam
+root@mail1:/etc/courier# mkdir /var/log/mail
-iku jam
+root@mail1:/etc/courier# chown mail:mail  /var/log/mail
-iku jam
+root@mail1:/etc/courier# vi   /etc/rc.local
 iku jam
-iku jam
+## ajout de la ligne :
 iku jam
-iku jam
+ su mail -l  -c " nohup sh ~/sync.sh /var/mail/ mail2.test  2>&1 >> /var/log/mail/sync.log &"
 iku jam
 iku jam
 iku jam
-iku jam
+root@mail1:/etc/courier# sh  /etc/rc.local
-iku jam
+nohup: ignoring input and redirecting stderr to stdout
-iku jam
+root@mail1:/etc/courier# su mail
-iku jam
+mail@mail1:/etc/courier$ chmod 0700 ~/sync.sh
 iku jam
 iku jam
 iku jam
-iku jam
+h3. postgresql PITR
 iku jam
-iku jam
+# gen ssh key for user @postgres@ on mail1 & copy public key to mail2
 iku jam
 iku jam
-iku jam
+http://www.postgresql.org/docs/8.4/static/continuous-archiving.html
-iku jam
+http://wiki.postgresql.org/wiki/Warm_Standby
 iku jam
-iku jam
+* stop postresql on mail2.test
-iku jam
+* do a full sync of the database
 iku jam
-iku jam
+# su postgres
-iku jam
+$ rsync -a /var/lib/postgresql/9.1/main/ postgres@mail2.test://var/lib/postgresql/9.1/main/
 iku jam
 iku jam
-iku jam
+on mail1 :
 iku jam
-iku jam
+archive_command = 'rsync -a /var/lib/postgresql/9.1/main/%p postgres@mail2.test://var/lib/postgresql/9.1/wal/pg_xlog/%f'
 iku jam
-iku jam
+* restart postgresql
 iku jam
-iku jam
+on mail2 :
 iku jam
-iku jam
+root@mail2:~# mkdir /var/lib/postgresql/9.1/wal
-iku jam
+root@mail2:~# chown postgres:postgres  /var/lib/postgresql/9.1/wal
-iku jam
+root@mail2:/var/lib/postgresql/9.1/main# vi recovery.conf
-iku jam
+restore_command = 'cp /var/lib/postgresql/9.1/wal/pg_xlog/%f "%p"'
 iku jam
-iku jam
+* on first startup,
-iku jam
+* recovery.conf will be renamed to recovery.done after recovery
-iku jam
+** rename recovery.done to recovery.conf and restart postgresql to sync with latest logs from master.
 iku jam
 iku jam
-iku jam
+h2. putting pieces together
 iku jam
-iku jam
+* recover postfixadmin on mail1 password from  @/etc/postfixadmin/config.inc.php@ :
 iku jam
-iku jam
+ $CONF['database_password'] = 'GENERATED PASSWORD';
 iku jam
-iku jam
+* apply it to @/etc/postfixadmin/config.inc.php@ on mail2
 iku jam
-iku jam
+* apply it to the different files (mail1 & mail2):
 iku jam
-iku jam
+ for i in /etc/postfix/pgsql/virtual_alias_maps.cf /etc/postfix/pgsql/virtual_domain_maps.cf /etc/postfix/pgsql/relay_domains.cf /etc/postfix/pgsql/virtual_mailbox_limits.cf /etc/postfix/pgsql/virtual_mailbox_maps.cf ; do   sed -i "s/PASSWORD/GENERATED PASSWORD/"  $i ;  done
 iku jam
-iku jam
+ vi  /etc/courier/authpgsqlrc
 iku jam
-iku jam
+* restart courier authdaemon :
 iku jam
-iku jam
+ /etc/init.d/courier-authdaemon restart
 iku jam
-iku jam
+* create account via postfixadmin
 iku jam
-iku jam
+** login to http://mail1.test/postfixadmin/login.php
-iku jam
+** add domain (Domain list -> new domain)
-iku jam
+*** domain name : "test"
-iku jam
+** add mailbox (Virtual list -> add mailbox)
-iku jam
+* verify domain & mailbox creation
-iku jam
+* send testmail in commandline on master (apt-get install bsd-mailx)
-iku jam
+* verify replication of maildir on mail2
 iku jam
-iku jam
+* roundcube
-iku jam
+** connect on http://mail1.test/roundcube with test@test
-iku jam
+** send test mail to outside (may be rejected/filtered as spam since "test" emaildomain isn't valid, should work with a public MX DNS entry)
 iku jam
 iku jam
-iku jam
+h3. vacation/responder
 iku jam
-iku jam
+root@mail1:~# apt-get install git-core  --no-install-recommends
-iku jam
+root@mail1:~# cd /usr/share/roundcube/plugins/ && git clone https://github.com/bhuisgen/rc-vacation.git vacation
 iku jam
-iku jam
+root@mail1:/usr/share/roundcube/plugins# mkdir /etc/roundcube/plugins/vacation
-iku jam
+root@mail1:/usr/share/roundcube/plugins# ln -s /usr/share/roundcube/plugins/vacation/config.inc.php /etc/roundcube/plugins/vacation/
-iku jam
+root@mail1:/usr/share/roundcube/plugins# cd vacation/
-iku jam
+root@mail1:/usr/share/roundcube/plugins/vacation# cp config.inc.php.dist config.inc.php
-iku jam
+root@mail1:/usr/share/roundcube/plugins/vacation# vi config.inc.php
-iku jam
+root@mail1:/usr/share/roundcube/plugins/vacation# ln -s /usr/share/roundcube/plugins/vacation/ /var/lib/roundcube/plugins/
 iku jam
-iku jam
+* edit /etc/roundcube/main.inc.php
 iku jam
-iku jam
+$rcmail_config['vacation_sql_dsn'] =
-iku jam
+        'pgsql://postfixadmin:PASSWORD@localhost/postfixadmin';
 iku jam
-iku jam
+* test in roundcube settings, you should have a new tab "vacation/rÃ©pondeur"
 iku jam
 iku jam
-iku jam
+h2. failover
 iku jam
-iku jam
+* in case of a failover of mail1, mail2 should be available to receive mails and provide access to all the mails that were on mail1
-iku jam
+** when mail1 comes back up online, it needs to synchronize with mail2 before
-iku jam
+* in case of a failover of mail2, mail1 should not be impacted
 iku jam
 iku jam
-iku jam
+h2. References
 iku jam
-iku jam
+http://chiliproject.tetaneutral.net/projects/tetaneutral/wiki/Serveur_Mail_tetalab
 iku jam
-iku jam
+http://www.kutukupret.com/2011/06/28/postfix-one-way-maildir-replication-backup-using-inotify-and-rsync/
 iku jam
-iku jam
+http://www.postgresql.org/docs/9.1/interactive/continuous-archiving.html

Projet

Général

Profil

HowTo Mail Backup - Ikujam » Historique » Version 2