Work report

Migration of e-mail services to a new server

Date: 10/29/2025 - 07:00
Time worked: 5hrs
Work Evidence Source:

I moved the mail server applications from the old server 37.205.11.79 to the new one 37.205.11.220, because the old one runs an unsupported version of the Ubuntu operating system.

Migration summary and rough timing

  • Phase 0 – Discovery on old server
      • Identified stack: Postfix 2.11 + Courier (IMAP/POP3), MySQL virtual users, Amavis/SpamAssassin, OpenDKIM, Let’s Encrypt, vmail in /home/vmail, UID/GID 5000.
      • Time: ~20–30 min (multiple command outputs shared)
  • Phase 1 – New server prep (osuhel, Ubuntu 22.04)
      • Installed packages (Postfix, Dovecot, MySQL/MariaDB present), created vmail user, created mail DB, restored mailboxes.
      • Time: ~30–45 min (package checks/install + user/db setup)
  • Phase 2 – Data migration
      • Pruned large inactive domains, re-dumped DB, rsynced tarball and SQL, restored on new server; created tables when initial dump missed structure.
      • Time: ~40–60 min (cleanup + transfer + restore)
  • Phase 3 – Postfix configuration
      • Set virtual MySQL maps, inet_interfaces=all, submission (587), TLS, SASL via Dovecot; fixed map file permissions.
      • Time: ~20–30 min
  • Phase 4 – Dovecot configuration (replacing Courier)
      • SQL auth, maildir paths, LMTP integration, enabled protocols; installed lmtpd package; created LMTP socket; verified IMAP/POP3.
      • Time: ~30–40 min
  • Phase 5 – SSL certificates
      • Obtained Let’s Encrypt via DNS challenge (no HTTP since DNS still pointed to old server); applied to Postfix and Dovecot.
      • Time: ~15–25 min
  • Phase 6 – Testing local mail flow
      • Delivered local test messages via LMTP into Maildir; IMAP manual login via telnet; confirmed delivery.
      • Time: ~15–20 min
  • Phase 7 – Amavis/SpamAssassin/ClamAV
      • Fixed Amavis FQDN (05-node_id), freshclam/clamd status, started services, added content_filter + master.cf transports; verified scanning.
      • Time: ~30–40 min
  • Phase 8 – OpenDKIM
      • Restored keys, adjusted KeyTable/SigningTable/TrustedHosts (added zajezka.sk, corrected carymary selector), configured opendkim.conf, wired Postfix milters, verified opendkim-testkey, observed signing in headers.
      • Time: ~30–40 min
  • Phase 9 – Client testing and DNS
      • Configured Apple Mail against IP/hostname; SMTP auth and IMAP/POP3 tested; then updated A for mail.nabezky.sk; verified services listening and auth.
      • Time: ~20–30 min
  • Phase 10 – IPv6 PTR issue with Gmail
      • Gmail rejected via IPv6 (no PTR); confirmed IPv4 PTR OK, IPv6 PTR missing; applied temporary fix inet_protocols=ipv4 in Postfix; plan to request IPv6 PTR from ISP.
      • Time: ~10–15 min
  • Phase 11 – Password security migration
      • Switched from plaintext to SHA256-CRYPT:
          • Altered users.password to VARCHAR(255)
          • Hashed all passwords with doveadm pw
          • Set default_pass_scheme = SHA256-CRYPT
          • Verified auth with hashed passwords
      • Time: ~25–35 min
  • Phase 12 – Old server (vps) reconfigured as relay
      • Set relayhost to osuhel, switched to port 25 (587 refused/unauth), added vps IP to osuhel mynetworks, handled Fail2Ban checks, confirmed relaying and delivery.
      • Time: ~25–35 min
  • Phase 13 – Logging cleanup
      • Disabled Dovecot auth debug verbosity.
      • Time: ~5–10 min

End state

  • Postfix+Dovecot on osuhel serving all domains; MySQL-backed virtual users; LMTP; TLS with Let’s Encrypt; Amavis/SpamAssassin/ClamAV; OpenDKIM signing; clients working; vps relays to osuhel; passwords securely hashed (SHA256-CRYPT).

Estimated total hands-on time: ~4.5–6 hours (including back-and-forth and verification).
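
Added example, not part of the original report: a Python check for the Phase 11 result. It flags users.password values that are still not SHA256-CRYPT and verifies a login against a stored hash with a pure-Python sha256-crypt at the default 5000 rounds, the $5$salt$hash layout that doveadm pw -s SHA256-CRYPT emits after its {SHA256-CRYPT} prefix. The rows, addresses and function names are constructed for illustration.

```python
import hashlib
import hmac

B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# Digest byte order used by sha256-crypt's own base64 variant.
ORDER = [(0, 10, 20), (21, 1, 11), (12, 22, 2), (3, 13, 23), (24, 4, 14),
         (15, 25, 5), (6, 16, 26), (27, 7, 17), (18, 28, 8), (9, 19, 29)]

def sha256_crypt(password, salt):
    """sha256-crypt ($5$) at the default 5000 rounds; salt is cut to 16 chars."""
    pw, s = password.encode(), salt[:16].encode()
    h = lambda data: hashlib.sha256(data).digest()
    fit = lambda d, n: d * (n // 32) + d[:n % 32]  # repeat digest to n bytes
    b = h(pw + s + pw)
    ctx, n = pw + s + fit(b, len(pw)), len(pw)
    while n:  # one block per bit of the password length
        ctx += b if n & 1 else pw
        n >>= 1
    c = h(ctx)
    p = fit(h(pw * len(pw)), len(pw))
    sq = fit(h(s * (16 + c[0])), len(s))
    for i in range(5000):
        c = h((p if i & 1 else c) + (sq if i % 3 else b"") +
              (p if i % 7 else b"") + (c if i & 1 else p))
    words = [(c[x] << 16) | (c[y] << 8) | c[z] for x, y, z in ORDER]
    out = "".join(B64[(w >> k) & 63] for w in words for k in (0, 6, 12, 18))
    w = (c[31] << 8) | c[30]
    out += "".join(B64[(w >> k) & 63] for k in (0, 6, 12))
    return "$5$" + s.decode() + "$" + out

def parse(stored):
    """Return (salt, bare $5$ value) for a default-rounds hash, else None."""
    value = stored.removeprefix("{SHA256-CRYPT}")
    parts = value.split("$")
    ok = len(parts) == 4 and parts[1] == "5" and len(parts[3]) == 43
    return (parts[2], value) if ok else None

def verify(stored, candidate):
    """Check a login attempt against one users.password value."""
    hit = parse(stored)
    return bool(hit) and hmac.compare_digest(
        sha256_crypt(candidate, hit[0]).encode(), hit[1].encode())

def not_hashed(rows):
    """Addresses whose stored value is still not a SHA256-CRYPT hash."""
    return [user for user, stored in rows if parse(stored) is None]
# Constructed rows; the hash is for "Hello world!" with salt "saltstring".
ROWS = [("a@example.test", "{SHA256-CRYPT}$5$saltstring$"
         "5B8vYYiY.CVt1RlTTf8KbXBH3hsxY/GNooZaBBGWEc5"), ("b@example.test", "hunter2")]
```

An empty result from not_hashed over the real table means no plaintext value was left behind; values with a custom rounds= field are reported as not hashed by this narrowed version.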