Work report

Email services migration to new server

Date: 10/29/2025 - 07:00
Time worked: 5hrs
Work Evidence Source: 

Migration summary and rough timing

  • Phase 0 – Discovery on old server
      • Identified stack: Postfix 2.11 + Courier (IMAP/POP3), MySQL virtual users, Amavis/SpamAssassin, OpenDKIM, Let’s Encrypt, vmail in /home/vmail, UID/GID 5000.
      • Time: ~20–30 min (multiple command outputs shared)
  • Phase 1 – New server prep (osuhel, Ubuntu 22.04)
      • Installed packages (Postfix, Dovecot, MySQL/MariaDB present), created vmail user, created mail DB, restored mailboxes.
      • Time: ~30–45 min (package checks/install + user/db setup)
  • Phase 2 – Data migration
      • Pruned large inactive domains, re-dumped DB, rsynced tarball and SQL, restored on new server; created tables when initial dump missed structure.
      • Time: ~40–60 min (cleanup + transfer + restore)
  • Phase 3 – Postfix configuration
      • Set virtual MySQL maps, inet_interfaces=all, submission (587), TLS, SASL via Dovecot; fixed map file permissions.
      • Time: ~20–30 min
  • Phase 4 – Dovecot configuration (replacing Courier)
      • SQL auth, maildir paths, LMTP integration, enabled protocols; installed lmtpd package; created LMTP socket; verified IMAP/POP3.
      • Time: ~30–40 min
  • Phase 5 – SSL certificates
      • Obtained Let’s Encrypt via DNS challenge (no HTTP since DNS still pointed to old server); applied to Postfix and Dovecot.
      • Time: ~15–25 min
  • Phase 6 – Testing local mail flow
      • Delivered local test messages via LMTP into Maildir; IMAP manual login via telnet; confirmed delivery.
      • Time: ~15–20 min
  • Phase 7 – Amavis/SpamAssassin/ClamAV
      • Fixed Amavis FQDN (05-node_id), freshclam/clamd status, started services, added content_filter + master.cf transports; verified scanning.
      • Time: ~30–40 min
  • Phase 8 – OpenDKIM
      • Restored keys, adjusted KeyTable/SigningTable/TrustedHosts (added zajezka.sk, corrected carymary selector), configured opendkim.conf, wired Postfix milters, verified opendkim-testkey, observed signing in headers.
      • Time: ~30–40 min
  • Phase 9 – Client testing and DNS
      • Configured Apple Mail against IP/hostname; SMTP auth and IMAP/POP3 tested; then updated A for mail.nabezky.sk; verified services listening and auth.
      • Time: ~20–30 min
  • Phase 10 – IPv6 PTR issue with Gmail
      • Gmail rejected via IPv6 (no PTR); confirmed IPv4 PTR OK, IPv6 PTR missing; applied temporary fix inet_protocols=ipv4 in Postfix; plan to request IPv6 PTR from ISP.
      • Time: ~10–15 min
  • Phase 11 – Password security migration
      • Switched from plaintext to SHA256-CRYPT:
          • Altered users.password to VARCHAR(255)
          • Hashed all passwords with doveadm pw
          • Set default_pass_scheme = SHA256-CRYPT
          • Verified auth with hashed passwords
      • Time: ~25–35 min
  • Phase 12 – Old server (vps) reconfigured as relay
      • Set relayhost to osuhel, switched to port 25 (587 refused/unauth), added vps IP to osuhel mynetworks, handled Fail2Ban checks, confirmed relaying and delivery.
      • Time: ~25–35 min
  • Phase 13 – Logging cleanup
      • Disabled Dovecot auth debug verbosity.
      • Time: ~5–10 min

End state

  • Postfix+Dovecot on osuhel serving all domains; MySQL-backed virtual users; LMTP; TLS with Let’s Encrypt; Amavis/SpamAssassin/ClamAV; OpenDKIM signing; clients working; vps relays to osuhel; passwords securely hashed (SHA256-CRYPT).
  • Temporary: Postfix using IPv4 only until IPv6 PTR (2a03:3b40:101:a0::1 → osuhel.nabezky.sk) is set by ISP.

Estimated total hands-on time: ~4.5–6 hours (including back-and-forth and verification).
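
A post-migration check for the Phase 11 password change, as an added example that is not part of the original report: it classifies stored password values so that rows left in plaintext, carrying another scheme prefix, or holding a truncated hash are listed. The sample rows and the address column are constructed assumptions; only users.password and SHA256-CRYPT come from the report.

```python
import re

# SHA256-CRYPT value: optional {SHA256-CRYPT} prefix, "$5$", optional
# "rounds=N$", salt of up to 16 characters, "$", 43-character digest.
SHA256_CRYPT = re.compile(
    r"^(?i:\{SHA256-CRYPT\})?\$5\$(?:rounds=\d+\$)?"
    r"[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{43}$"
)
SCHEME_PREFIX = re.compile(r"^\{([A-Za-z0-9.-]+)\}")


def classify(stored):
    """Return 'ok', 'malformed', 'other-scheme:NAME' or 'plaintext'."""
    if SHA256_CRYPT.match(stored):
        return "ok"
    prefix = SCHEME_PREFIX.match(stored)
    scheme = prefix.group(1).upper() if prefix else None
    body = stored[prefix.end():] if prefix else stored
    if scheme == "SHA256-CRYPT" or (scheme is None and body.startswith("$5$")):
        return "malformed"  # looks like a hash but is truncated or damaged
    if scheme:
        return "other-scheme:" + scheme
    return "plaintext"


def audit(rows):
    """Map each address whose stored value is not a valid hash to its status."""
    return {addr: s for addr, pw in rows if (s := classify(pw)) != "ok"}


# Constructed sample rows (format-valid strings, not real hashes), shaped like
# (address, password) pairs read from the users table; the address column is
# an assumption, users.password is the column named in the report.
_SALT, _DIGEST = "abcdefgh12345678", "x" * 43
SAMPLE_ROWS = [
    ("alice@example.test", "{SHA256-CRYPT}$5$" + _SALT + "$" + _DIGEST),
    ("bob@example.test", "$5$rounds=5000$" + _SALT + "$" + _DIGEST),
    ("carol@example.test", "Summer2019!"),
    # Hash cut short, as a too-narrow password column would store it.
    ("dave@example.test", ("$5$" + _SALT + "$" + _DIGEST)[:32]),
    ("erin@example.test", "{PLAIN}hunter2"),
]

if __name__ == "__main__":
    for addr, status in audit(SAMPLE_ROWS).items():
        print(f"{addr}: {status}")
```

An empty result from `audit` means every row holds a well-formed SHA256-CRYPT value; any listed address needs its password re-hashed or reset before the migration can be considered complete.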

