CentOS 8.x migrate CentOS 7.x postfix, dovecot, squirrelmail server

From Notes_Wiki


There is an older article on this at CentOS 7.x migrate CentOS 7.x postfix, dovecot, squirrelmail server

The following steps can be used for migrating a running mail server setup from CentOS 7.x (or even CentOS 8.x) to CentOS 8.x:

  1. Create a new VM/machine/server with necessary resources (Eg t2.micro) in appropriate region and availability zone.
  2. Add elastic (static public) IP to instance if not done already
  3. Optionally add IPv6 address to instance using Configure AWS CentOS instance to use IPv6
  4. In Instance firewall allow ports (22, 25, 80, 443, 143, 993, 110, 995, 587, 465). Or apply security group settings from old server to new server (HTTP, HTTPS, POP3, POP3S, SMTP, SMTPS, IMAP, IMAPS, SSH, Ping)
  5. Create /etc/hosts entry for old-<fqdn> and new-<fqdn> servers (On local workstation)
  6. SSH to new-<fqdn> as centos user (On new server)
    1. sudo su -
    2. Upgrade distro to CentOS 8-Stream if not done already
      dnf -y install gdisk
      dnf -y swap centos-linux-repos centos-stream-repos
      dnf -y distro-sync
    3. dnf -y install epel-release vim
    4. dnf -y install byobu
    5. Allow direct root login with AWS security key pair (155x)
    6. Copy your own public key into authorized_keys
    7. Add swap space using CentOS 7.x adding swap space using file
    8. Add history date/time recording using Storing date / time along with commands in history
    9. set desired hostname using:
      hostnamectl set-hostname <new-hostname>
    10. Set correct time zone CentOS 8.x Change system timezone
    11. exit from root and centos
  7. Now ssh directly as root user and proceed (On new server)
    1. If a new disk is added for /home, create the required partition and file system, then mount the disk or partition on /home as desired
    2. Remember to add /etc/fstab entries for additional partitions or disks.
  8. Open ssh to root@old-<fqdn> (On old server)
    1. ssh-keygen
    2. Add /etc/hosts entry in old server for pointing to new server with name (eg new-<fqdn>)
  9. Copy keys from old server to new server as authorized
  10. On ssh to root@old-<fqdn> (On old server)
    1. Start copying the home folder, which might take considerable time
      rsync -aHz --delete /home/ root@new-<fqdn>:/home/
  11. On root ssh (On new server)
    1. Install various packages using:
      dnf -y install httpd mod_ssl epel-release php
    2. Install and configure firewalld using (refer CentOS 7.x firewalld)
      dnf -y install firewalld
      #In /etc/sysconfig/network-scripts/ifcfg-eth0 append ZONE=public
      nmcli networking off; nmcli networking on
      systemctl restart firewalld
      systemctl enable firewalld
      firewall-cmd --zone=public --add-port=25/tcp --permanent #SMTP
      firewall-cmd --zone=public --add-port=80/tcp --permanent #HTTP
      firewall-cmd --zone=public --add-port=443/tcp --permanent #HTTPS
      firewall-cmd --zone=public --add-port=143/tcp --permanent #IMAP
      firewall-cmd --zone=public --add-port=993/tcp --permanent #IMAPS
      firewall-cmd --zone=public --add-port=110/tcp --permanent #POP3
      firewall-cmd --zone=public --add-port=995/tcp --permanent #POP3S
      firewall-cmd --zone=public --add-port=587/tcp --permanent #Submission
      firewall-cmd --zone=public --add-port=465/tcp --permanent #SMTPS
      firewall-cmd --reload
    3. TODO - Copy firewalld configuration from old server to new server
    4. Install and configure fail2ban by referring CentOS 7.x fail2ban
    5. If custom SSL certificates were used, edit /etc/httpd/conf.d/ssl.conf with
      SSLCertificateFile /etc/httpd/conf/ssl.crt
      SSLCertificateKeyFile /etc/httpd/conf/ssl.key
      SSLCACertificateFile /etc/httpd/conf/ca-bundle.pem
      and copy corresponding files from old server to new server
  12. If Installing lets-encrypt SSL certificate was used then
    1. Copy letsencrypt data from old server to new using: (On old server)
      rsync -a /etc/letsencrypt/ root@<new-fqdn>:/etc/letsencrypt/
    2. Install certbot on new server using: (On new server)
      dnf -y install certbot python3-certbot-apache
    3. Check cron configuration on old server (On old server)
      crontab -l
    4. Configure cron entries for automatic SSL renewal same as old server on new server using crontab -e (On new server)
      crontab -e
  13. Copy account information from old server to new server.
    1. List user account on old server using
      cat /etc/passwd
    2. Copy all lines for UID >=500 and append corresponding lines to /etc/passwd on new server.
      The number of lines should match 'ls -1 /home | grep -v lost | wc -l'
      Be watchful for IDs <500 which might appear in between (eg nscd, dovecot)
    3. Copy /etc/shadow lines of corresponding users from old server to new server
    4. Copy /etc/group lines of corresponding users from old server to new server
    5. Do ls -l /home and all user and group names should appear properly (On new server)
  14. On new server
    1. dnf -y install logwatch postfix dovecot postfix-pcre
    2. copy custom aliases from /etc/aliases to new server and update root alias appropriately
    3. newaliases
    4. In /etc/hosts add new-<fqdn> <fqdn> against 127.0.0.1
    5. dnf -y install wget
    6. Disable selinux (setenforce 0, edit /etc/sysconfig/selinux and set SELINUX=disabled)
  15. Copy data from old server to new server (On old server)
    rsync -a /etc/postfix/ root@<new-fqdn>:/etc/postfix/
    rsync -a /etc/dovecot/ root@<new-fqdn>:/etc/dovecot/
    rsync -a /etc/httpd/ root@<new-fqdn>:/etc/httpd/
    rsync -a /var/www/html/ root@<new-fqdn>:/var/www/html/
    rsync -a /etc/php.ini root@<new-fqdn>:/etc/php.ini
    rm /etc/httpd/conf.modules.d/10-php.conf
  16. On new server
    1. Start and enable services
      systemctl enable postfix
      systemctl start postfix
      systemctl status postfix
      systemctl enable dovecot
      systemctl start dovecot
      systemctl status dovecot
      Based on https://unix.stackexchange.com/questions/595860/ssl-protocols-has-been-replaced-by-ssl-min-protocol if required update configuration in /etc/dovecot/conf.d/10-ssl.conf
  17. Add /etc/hosts entry for new server in laptop and try to open the new server with name and IP.
  18. Repeat /home/ rsync again after it finishes for a second sync
  19. ls -l /home on new-server should recognize all usernames and groupnames properly
  20. During downtime on old server
    1. Stop httpd, dovecot and postfix
    2. Again sync /home
  21. Change production public DNS entries to point to new server. If organization has local private DNS, then perhaps that may also require changes.
  22. Check updated entries via public DNS servers after waiting for a minute or two
  23. Manually copy entries from /root/.ssh/authorized_keys of old server to new server
  24. Comment out the /etc/hosts entry on the laptop after the DNS entry has been changed
  25. systemctl restart postfix (On new server)
    Before this it listens on 127.0.0.1:25, after this it changes to 0.0.0.0:25
  26. Install bind-utils, telnet and nc (On new server)
    dnf -y install bind-utils telnet nc
  27. Add rDNS entry for FQDN to elastic IP in AWS EC2
  28. Send test email from gmail to server and wait for receiving email on new server
  29. Send test email from new server to gmail and wait for receiving email on Gmail account
  30. Stop old server and add reminder to terminate old server after a few days.
  31. Disassociate elastic IP or static IP of old server after removing its rDNS entry.
  32. Try to release it. Raise support ticket if AWS support is required to release the elastic IP.
  33. ssh from backup machine to new server and ensure that the new server's SSH keys are recognized properly
  34. Instead of squirrelmail we would set up roundcube using: CentOS 8.x Roundcube
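Step 13 above (copying the /etc/passwd, /etc/shadow and /etc/group lines of real users and checking the count against /home) is easy to get wrong by hand because system accounts such as nscd or dovecot sit between the user entries. The script below is an added example, not part of the wiki page; it assumes the old server's three files have already been copied into a working directory (the scp line in the header is an assumption) and uses constructed sample accounts so it can be tried offline.

```shell
#!/bin/bash
# Added example (not from the wiki page): automates step 13 by selecting
# the /etc/passwd, /etc/shadow and /etc/group lines of real users (UID >= 500,
# as the page states) so system accounts in between (nscd, dovecot) are skipped.
# Assumes the old server's files were copied to a work dir first, for example:
#   scp root@old-<fqdn>:/etc/{passwd,shadow,group} /root/migrate/
# passwd lines of migratable users: UID >= MIN_UID and below nobody (65534)
select_passwd() {        # select_passwd PASSWD_FILE [MIN_UID]
    awk -F: -v min="${2:-500}" '$3 >= min && $3 < 65534' "$1"
}
# shadow lines whose login name belongs to a selected user
select_shadow() {        # select_shadow PASSWD_FILE SHADOW_FILE [MIN_UID]
    awk -F: -v min="${3:-500}" \
        'NR == FNR { if ($3 >= min && $3 < 65534) want[$1] = 1; next }
         $1 in want' "$1" "$2"
}
# group lines that are a selected user's primary (private) group
select_group() {         # select_group PASSWD_FILE GROUP_FILE [MIN_UID]
    awk -F: -v min="${3:-500}" \
        'NR == FNR { if ($3 >= min && $3 < 65534) gid[$4] = 1; next }
         $3 in gid' "$1" "$2"
}
# The page's sanity check: selected users must equal the home directories
# under HOME_DIR (ignoring lost+found). Exit status 0 only when they match.
check_home_count() {     # check_home_count PASSWD_FILE HOME_DIR [MIN_UID]
    local users homes
    users=$(( $(select_passwd "$1" "$3" | wc -l) ))
    homes=$(( $(ls -1 "$2" | grep -v lost | wc -l) ))
    echo "users=$users homes=$homes"
    [ "$users" -eq "$homes" ]
}
# Constructed sample data (not real accounts) so the functions run offline.
make_sample() {          # prints the temp dir it created
    local d; d=$(mktemp -d)
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
bob:x:1001:1001::/home/bob:/bin/bash
dovecot:x:97:97:Dovecot IMAP server:/usr/libexec/dovecot:/sbin/nologin
EOF
    printf '%s\n' 'root:*:19000:0:99999:7:::' 'alice:$6$salt$hash:19000:0:99999:7:::' 'bob:$6$salt$hash:19000:0:99999:7:::' > "$d/shadow"
    printf '%s\n' 'root:x:0:' 'alice:x:1000:' 'dovecot:x:97:' 'bob:x:1001:' > "$d/group"
    mkdir -p "$d/home/alice" "$d/home/bob" "$d/home/lost+found"
    echo "$d"
}
```

Run the three select_* functions against the real files and append their output to the new server's /etc/passwd, /etc/shadow and /etc/group; then `ls -l /home` on the new server should show every owner and group by name.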
