Mountpoint      Capacity Filesystem Device type
*************************************************************
/home           300 GB   xfs        LVM
/var/spool/mail 300 GB   xfs        LVM
/               130 GB   xfs        LVM
/boot           3.99 GB  xfs        Standard
SWAP            16 GB    swap       LVM

[x] Server with GUI
    [x] Debugging Tools
    [x] Guest Agents
    [x] Performance Tools
    [x] Graphical Administation Tools
    [x] Security Tools
    [x] System Tools
[x] Workstation
    [x] Legacy UNIX Compatibility
[x] Custom Operating System
    [x] Development Tools

[root@mail ~]# cat /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted

[root@mail ~]# shutdown -r now

[root@mail ~]# dnf config-manager --set-enabled powertools
[root@mail ~]# yum install epel-release
[root@mail ~]# yum install drpm

[root@mail ~]# yum update
[root@mail ~]# shutdown -r now

[root@mail ~]# systemctl stop firewalld
[root@mail ~]# systemctl disable firewalld

[root@mail ~]# wget http://prdownloads.sourceforge.net/webadmin/webmin-1.979-1.noarch.rpm
[root@mail ~]# yum -y install perl perl-Net-SSLeay openssl perl-IO-Tty perl-Encode-Detect
[root@mail ~]# yum install webmin-1.979-1.noarch.rpm

[root@mail ~]# wget http://prdownloads.sourceforge.net/webadmin/usermin-1.823-1.noarch.rpm[root@mail ~]# yum install usermin-1.823-1.noarch.rpm

[root@mail ~]# systemctl start webmin
[root@mail ~]# systemctl enable webmin

[root@mail ~]# systemctl start usermin
[root@mail ~]# systemctl enable usermin

[root@mail ~]# yum install openssl openssl-devel

[root@mail ~]# systemctl stop postfix
[root@mail ~]# yum remove postfix

[root@mail ~]# yum install sendmail sendmail-cf cyrus-sasl-plain
[root@mail ~]# systemctl enable sendmail
[root@mail ~]# systemctl start sendmail
[root@mail ~]# systemctl enable saslauthd
[root@mail ~]# systemctl start saslauthd

[root@mail ~]# yum install spamassassin
[root@mail ~]# systemctl enable spamassassin
[root@mail ~]# systemctl start spamassassin

[root@mail ~]# yum install dovecot
[root@mail ~]# systemctl enable dovecot
[root@mail ~]# systemctl start dovecot

[root@mail ~]# yum install mariadb mariadb-server mariadb-backup boost-program-options
[root@mail ~]# systemctl enable mariadb
[root@mail ~]# systemctl start mariadb

[root@mail ~]# yum install httpd mod_ssl
[root@mail ~]# systemctl enable httpd
[root@mail ~]# systemctl start httpd

[root@mail ~]# yum install bind bind-utils
[root@mail ~]# systemctl enable named
[root@mail ~]# systemctl start named

[root@mail ~]# yum install mailx
[root@mail ~]# yum install dos2linux
[root@mail ~]# yum install fetchmail

[root@mail ~]# mkdir /etc/pki/tls/certs/2021
[root@mail ~]# cd /etc/pki/tls/certs/2021
[root@mail ~]# mkdir cert; mkdir crl; mkdir inter; mkdir key

[root@mail ~]# scp /etc/pki/tls/certs/2021/cert/netcult.ch.pem root@10.0.1.33:/etc/pki/tls/certs/2021/cert/
[root@mail ~]# scp /etc/pki/tls/certs/2021/cert/netcult.ch.sendmail.pem root@10.0.1.33:/etc/pki/tls/certs/2021/cert/
[root@mail ~]# scp /etc/pki/tls/certs/2021/crl/dvcasha2.crl root@10.0.1.33:/etc/pki/tls/certs/2021/crl/
[root@mail ~]# scp /etc/pki/tls/certs/2021/inter/inter.pem root@10.0.1.33:/etc/pki/tls/certs/2021/inter/
[root@mail ~]# scp /etc/pki/tls/certs/2021/key/netcult.ch.sendmail.key root@10.0.1.33:/etc/pki/tls/certs/2021/key/
[root@mail ~]# scp /etc/pki/tls/certs/2021/key/netcult.ch.key root@10.0.1.33:/etc/pki/tls/certs/2021/key/

[root@mail ~]# chmod 600 /etc/pki/tls/certs/2021/key/netcult.ch.sendmail.key

[root@mail ~]# cd /etc/pki/tls/certs/2021/crl/
[root@mail ~]# ll
-rw-r--r-- 1 root root 174780 May 13 13:45 dvcasha2.crl

[root@mail ~]# cd /etc/pki/tls/certs/2021/inter/
[root@mail ~]# ll
-rw-r--r-- 1 root root 1754 May 26 14:30 inter.pem

[root@mail ~]# cd /etc/pki/tls/certs/2021/key/
[root@mail ~]# ll
-rw-r--r-- 1 root root 1704 May 27 15:21 netcult.ch.key
-rw------- 1 root mail 1704 May 27 15:21 netcult.ch.sendmail.key

[root@mail ~]# vi /etc/mail/sendmail.mc

dnl # default logging level is 9, you might want to set it higher to
dnl # debug the configuration.
dnl #
define(`confLOG_LEVEL', `14')dnl
(..)
define(`confAUTH_OPTIONS', `A')dnl
dnl #
dnl # The following allows relaying if the user authenticates, and disallows
dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
dnl #
dnl define(`confAUTH_OPTIONS', `A p')dnl
dnl #
dnl # which realm to use in SASL database (sasldb2)
dnl #
define(`confAUTH_REALM', `mail')dnl
dnl #
dnl # PLAIN is the preferred plaintext authentication method and used by
dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do
dnl # use LOGIN. Other mechanisms should be used if the connection is not
dnl # guaranteed secure.
dnl # Please remember that saslauthd needs to be running for AUTH.
dnl #
dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS',`LOGIN PLAIN DIGEST-MD5 CRAM-MD5')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN DIGEST-MD5 CRAM-MD5')dnl
(..)
dnl #
dnl # Basic sendmail TLS configuration with self-signed certificate for
dnl # inbound SMTP (and also opportunistic TLS for outbound SMTP).
dnl #
define(`confCACERT_PATH',`/etc/pki/tls/certs')
define(`confCACERT',`/etc/pki/tls/certs/ca-bundle.trust.crt')
define(`confSERVER_CERT',`/etc/pki/tls/certs/2021/cert/netcult.ch.sendmail.pem')
define(`confSERVER_KEY',`/etc/pki/tls/certs/2021/key/netcult.ch.sendmail.key')
define(`confCRL',`/etc/pki/tls/certs/2021/crl/dvcasha2.crl')
define(`confTLS_SRV_OPTIONS', `V')dnl
LOCAL_CONFIG
dnl # Do not allow weak SSL/TLS protocols and cipher algorythms
O CipherList=HIGH:!ADH-DES-CBC3-SHA:!ADH-AES128-SHA:!ADH-AES256-SHA:!ADH-CAMELLIA128-SHA:!ADH-CAMELLIA256-SHA:!DH-AES128-SHA256:!DH-AES256-SHA256:!aNULL:!DES:!3DES:!MD5:!DES+MD5:!RC4
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE
O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3
(..)
dnl # For this to work your OpenSSL certificates must be configured.
dnl #
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
(..)
dnl #
dnl # The following causes sendmail to only listen on the IPv4 loopback address
dnl # 127.0.0.1 and not on any other network devices. Remove the loopback
dnl # address restriction to accept email from the internet or intranet.
dnl #
DAEMON_OPTIONS(`Port=smtp,Addr=0.0.0.0, Name=MTA')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 587 for
dnl # mail from MUAs that authenticate. Roaming users who can't reach their
dnl # preferred sendmail daemon due to port 25 being blocked or redirected find
dnl # this useful.
dnl #
DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 465, but
dnl # starting immediately in TLS mode upon connecting. Port 25 or 587 followed
dnl # by STARTTLS is preferred, but roaming clients using Outlook Express can't
dnl # do STARTTLS on ports other than 25. Mozilla Mail can ONLY use STARTTLS
dnl # and doesn't support the deprecated smtps; Evolution <1.1.1 uses smtps
dnl # when SSL is enabled-- STARTTLS support is available in version 1.1.1.
dnl #
dnl # For this to work your OpenSSL certificates must be configured.
dnl #
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
(..)
dnl # Add some dns blacklist checks
dnl #
dnl # Disabled blackist sites
dnl # FEATURE(`dnsbl',`sbl-xbl.spamhaus.org')dnl
dnl # FEATURE(`dnsbl',`bl.spamcop.net')dnl
dnl # FEATURE(`dnsbl',`cbl.abuseat.org')dnl
dnl # FEATURE(`dnsbl',`dnsbl.justspam.org')dnl
dnl # FEATURE(`dnsbl',`bl.0spam.org')dnl
dnl # FEATURE(`dnsbl',`url.0spam.org')dnl
dnl # FEATURE(`dnsbl',`ix.dnsbl.manitu.net')dnl
dnl # FEATURE(`dnsbl',`zen.spamhaus.org')dnl
dnl # FEATURE(`dnsbl',`dnsbl.sorbs.net')dnl
dnl # FEATURE(`dnsbl',`relays.ordb.org')dnl
(..)
MAILER(smtp)dnl
MAILER(procmail)dnl
dnl MAILER(cyrusv2)dnl
dnl #
dnl # Add OpenDKIM for Sendmail listening on TCP Port 8891 on localhost
dnl #
INPUT_MAIL_FILTER(`opendkim', `S=inet:8891@localhost')

[root@mail ~]# /etc/mail/make
[root@mail ~]# systemctl restart sendmail

[root@mail ~]# vi /etc/procmailrc

# /etc/procmailrc
# Procmail configuration provided by thuinformatik GmbH

# Set variables
LOGFILE=/var/log/procmail.log
SPAMASSASSIN=/usr/bin/spamc
LOCKFILESPAMC=$HOME/.spamclock
LOCKFILEPROCM=$HOME/.proclock
DROPPRIVS=yes

# Pass emails through SpamAssassin and set X-Spam-Status flag by spamc
:0fw: $LOCKFILESPAMC
| $SPAMASSASSIN

# Pick emails with X-Spam-Status flag and move it over to users spamfolder
:0: $LOCKFILEPROCM
* ^X-Spam-Status: Yes
$HOME/mail/Spam

# Pick emails with X-Spam-Status flag and move it over to users spamfolder
:0: $LOCKFILEPROCM
* ^X-SPAM-LEVEL: Spam detection results
$HOME/mail/Spam

[root@mail ~]# vi /etc/mail/spamassassin/local.cf

# These values can be overridden by editing ~/.spamassassin/user_prefs.cf
# (see spamassassin(1) for details)

# Custom rules
header CONTAINS_SUBJECT Subject =~/viagra, Cialix Pills, sex, xxx, penis, pussy, greekajob, greekajobs,
body CONTAINS_PEN/viagra, sex, xxx, penis, puss, greekajob, greekajobs, perazdera/

# How many hits before a message is considered spam (default: 3.5)
required_score 3.5

# Score definition
score URIBL_BLOCKED (0) (0) (0) (0)
score URIBL_BLACK (3) (3) (3) (3)
score URIBL_GREY (2) (2) (2) (2)
score URIBL_RED (1) (1) (1) (1)
score URIBL_ABUSE_SURBL (3) (3) (3) (3)
score URIBL_DBL_SPAM (5.5) (5.5) (5.5) (5.5)
score DKIM_VALID_AU (-2) (-2) (-2) (-2)
#score DKIM_SIGNED (-2) (-2) (-2) (-2)
score DKIM_VALID (-2.5) (-2.5) (-2.5) (-2.5)
score SPF_PASS (-2.5) (-2.5) (-2.5) (-2.5)
#score SPF_NONE (2) (2) (2) (2)
#score SPF_HELO_NONE (2) (2) (2) (2)
#score SPF_FAIL (2) (2) (2) (2)
score RCVD_IN_DNSWL_LOW (-0.1) (-0.1) (-0.1) (-0.1)
score RCVD_IN_DNSWL_MED (-0.7) (-0.7) (-0.7) (-0.7)
score RCVD_IN_DNSWL_HI (-1.3) (-1.3) (-1.3) (-1.3)
score T_KAM_HTML_FONT_INVALID (0.5) (0.5) (0.5) (0.5)
score LOTS_OF_MONEY (4) (4) (4) (4)
score ALL_TRUSTED (-6) (-6) (-6) (-6)
score MISSING_HEADERS (5) (5) (5) (5)
score SENDGRID_REDIR (1) (1) (1) (1)

# Scores for custom rules
score CONTAINS_SUBJECT (5) (5) (5) (5)
score CONTAINS_BODY (5) (5) (5) (5)
describe CONTAINS_SUBJECT Bad Word
describe CONTAINS_BODY Bad Word

# Change the subject of suspected spam
rewrite_header subject *SPAM* (Stage 2) -

# Encapsulate spam in an attachment (0=no, 1=yes, 2=safe)
report_safe 1

clear_report_template
report Potential Spam
report =======================================
report
report This incoming message was classified as potential spam.
report
report Please find the original message attached.
report
report In case this is false/positive, please read our technical information here:
report https://www.netcult.ch/techinfo.cfm
report
report Message preview
report =======================================
report
report _PREVIEW_
report
report Scores
report =======================================
report
report Date: _DATE_
report Hostname: _HOSTNAME_
report
report Is Spam: _YESNO_
report Stars: _STARS(*)_
report Bayes score: _BAYES_
report Total score: _SCORE(PAD)_
report Threshold: _REQD_
report
report Autolearn: _AUTOLEARN_
report Required by autolearn: _AUTOLEARNSCORE_
report
report Report
report =======================================
report
report Languages: _LANGUAGES_
report DCCR: _DCCR_
report PYZOR: _PYZOR_
report
report RBL
report =======================================
report
report _RBL_
report
report Summary
report =======================================
report
report _SUMMARY_
report
report =======================================

# Print or delete x-spam parts
# clear_headers

# Use terse version of the spam report
# use_terse_report 0

# Clear notification related to unsafe attachements
clear_unsafe_report_template

# Enable the Bayes system
use_bayes 1

# Enable Bayes auto-learning
bayes_auto_learn 1

# Enable or disable network checks
skip_rbl_checks 0
use_razor2 1

# DCC
loadplugin Mail::SpamAssassin::Plugin::DCC
use_dcc 1
dcc_path /usr/bin/dccproc
dcc_dccifd_path /usr/libexec/dcc/dccifd
full DCC_CHECK eval:check_dcc()
use_pyzor 1

# Mail using languages used in these country codes will not be marked
# as being possibly spam in a foreign language.
# - english german
# ok_languages en de

# Mail using locales used in these country codes will not be marked
# as being possibly spam in a foreign language.
# ok_locale en

# Show detailed phrase score
# detailed_phrase_score is from the old static phrase list code that dissapeared
# when bayes was added in spamassassin 2.50. (Bayes is a dynamic trainable version
# of this concept so anything from the old phrases code instantly obsolete)
# detailed_phrase_score 1

# Whitelist some safe senders
whitelist_from some@email.com
whitelist_from another@email.com

[root@mail ~]# vi /etc/mail/spamassassin/v310.pre
[root@mail ~]# vi /etc/mail/spamassassin/v320.pre
[root@mail ~]# vi /etc/mail/spamassassin/v312.pre
[root@mail ~]# vi /etc/mail/spamassassin/v330.pre
[root@mail ~]# vi /etc/mail/spamassassin/v340.pre
[root@mail ~]# vi /etc/mail/spamassassin/v341.pre
[root@mail ~]# vi /etc/mail/spamassassin/v342.pre
[root@mail ~]# vi /etc/mail/spamassassin/v343.pre

-------------------------------------------------------------------------
/etc/mail/spamassassin/v310.pre
-------------------------------------------------------------------------
# DCC - perform DCC message checks.
#
# DCC is disabled here because it is not open source. See the DCC
# license for more details.
#
loadplugin Mail::SpamAssassin::Plugin::DCC

# AWL - do auto-whitelist checks
#
loadplugin Mail::SpamAssassin::Plugin::AWL

# TextCat - language guesser
#
loadplugin Mail::SpamAssassin::Plugin::TextCat

-------------------------------------------------------------------------
/etc/mail/spamassassin/v312.pre
-------------------------------------------------------------------------
<no changes keeping the default>

-------------------------------------------------------------------------
/etc/mail/spamassassin/v320.pre
-------------------------------------------------------------------------
<no changes keeping the default>

-------------------------------------------------------------------------
/etc/mail/spamassassin/v330.pre
-------------------------------------------------------------------------
# PhishTag - allows sites to rewrite suspect phish-mail URLs
# (Note: this requires configuration, see http://umut.topkara.org/PhishTag)
#
loadplugin Mail::SpamAssassin::Plugin::PhishTag

-------------------------------------------------------------------------
/etc/mail/spamassassin/v340.pre
-------------------------------------------------------------------------
<no changes keeping the default>

-------------------------------------------------------------------------
/etc/mail/spamassassin/v341.pre
-------------------------------------------------------------------------
# TxRep - Reputation database that replaces AWL
loadplugin Mail::SpamAssassin::Plugin::TxRep

# PDFInfo - Use several methods to detect a PDF file's ham/spam traits
loadplugin Mail::SpamAssassin::Plugin::PDFInfo

-------------------------------------------------------------------------
/etc/mail/spamassassin/v342.pre
-------------------------------------------------------------------------
# HashBL - Query hashed/unhashed strings, emails, uris etc from DNS lists
loadplugin Mail::SpamAssassin::Plugin::HashBL

# FromNameSpoof - help stop spam that tries to spoof other domains using
# the from name
loadplugin Mail::SpamAssassin::Plugin::FromNameSpoof

# Phishing - finds uris used in phishing campaigns detected by
# OpenPhish or PhishTank feeds.

-------------------------------------------------------------------------
/etc/mail/spamassassin/v343.pre
-------------------------------------------------------------------------
# OLEVBMacro - Detects both OLE macros and VB code inside Office documents
#
# It tries to discern between safe and malicious code but due to the threat
# macros present to security, many places block these type of documents outright.
#
# For this plugin to work, Archive::Zip and IO::String modules are required.
loadplugin Mail::SpamAssassin::Plugin::OLEVBMacro

loadplugin Mail::SpamAssassin::Plugin::Phishing

[root@mail ~]# systemctl restart spamassassin

[root@mail ~]# crontab -e

# daily spam autolearn-on
30 * * * * sa-learn --spam --mbox /home/thomas/mail/Spam
30 * * * * sa-learn --spam --mbox /var/spool/mail/spam
30 7 * * * sa-learn --ham --mbox /var/spool/mail/thomas
30 * * * * sa-learn --spam --mbox /home/somedomain.ch/mail/Spam
30 7 * * * sa-learn --ham --mbox /var/spool/mail/somedomain.ch

# daily spamassassin update
30 7 * * * date >> /var/log/spamassassin_sa-update.log ; sa-update -v >> /var/log/spamassassin_sa-update.log ; /bin/systemctl restart spamassassin.service ; echo Spamassassin restarted >> /var/log/spamassassin_sa-update.log

[root@mail ~]# date >> /var/log/spamassassin_sa-update.log ; sa-update -v >> /var/log/spamassassin_sa-update.log ; /bin/systemctl restart spamassassin.service ; echo Spamassassin restarted >> /var/log/spamassassin_sa-update.log; cat /var/log/spamassassin_sa-update.log

Sat Jul 3 14:08:40 CEST 2021
Update available for channel updates.spamassassin.org: -1 -> 1891178
http: (curl) GET http://spamassassin.apache.org/updates/MIRRORED.BY, success
http: (curl) GET http://sa-update.ena.com/1891178.tar.gz, success
http: (curl) GET http://sa-update.ena.com/1891178.tar.gz.sha512, success
http: (curl) GET http://sa-update.ena.com/1891178.tar.gz.asc, success
Update was available, and was downloaded and installed successfully
Spamassassin restarted

[root@mail ~]# wget http://www.nosuchhost.net/~cheese/fedora/packages/epel-8/x86_64/cheese-release-8-1.el8.noarch.rpm
[root@mail ~]# yum install cheese-release-8-1.el8.noarch.rpm
[root@mail ~]# yum install dcc

-------------------------------------------------------------------------
[root@mail ~]# vi /etc/dovecot/dovecot.conf
-------------------------------------------------------------------------
# Protocols we want to be serving.
# Default value: protocols = imap pop3 lmtp submission
protocols = imap pop3 lmtp

# Access for Dovecot process to home directories.
mail_privileged_group = mail
mail_access_groups = mail

# Greeting message for clients.
# Default value: login_greeting = Dovecot ready.
login_greeting = Dovecot at thuinformatik GmbH ready.

-------------------------------------------------------------------------
[root@mail ~]# vi /etc/dovecot/conf.d/10-auth.conf
-------------------------------------------------------------------------
# Disable LOGIN command and all other plaintext authentications unless
# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
# matches the local IP (ie. you're connecting from the same computer), the
# connection is considered secure and plaintext authentication is allowed.
# See also ssl=required setting.
# Default value: disable_plaintext_auth = yes
disable_plaintext_auth = no

# Username character translations before it's looked up from databases. The
# value contains series of from -> to characters. For example "#@/@" means
# that '#' and '/' characters are translated to '@'.
auth_username_translation = @.

# Space separated list of wanted authentication mechanisms:
# plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
# gss-spnego
# NOTE: See also disable_plaintext_auth setting.
# Default value: auth_mechanisms = plain
auth_mechanisms = plain login

-------------------------------------------------------------------------
[root@mail ~]# vi /etc/dovecot/conf.d/10-director.conf
-------------------------------------------------------------------------
<no changes, keep the default>

-------------------------------------------------------------------------
[root@mail ~]# vi /etc/dovecot/conf.d/10-logging.conf
-------------------------------------------------------------------------
# Log unsuccessful authentication attempts and the reasons why they failed.
# Default value: auth_verbose = no
auth_verbose = yes

-------------------------------------------------------------------------
[root@mail ~]# vi /etc/dovecot/conf.d/10-mail.conf
-------------------------------------------------------------------------
# Location for users' mailboxes. The default is empty, which means that Dovecot
# tries to find the mailboxes automatically. This won't work if the user
# doesn't yet have any mail, so you should explicitly tell Dovecot the full
# location.
#
# If you're using mbox, giving a path to the INBOX file (eg. /var/mail/%u)
# isn't enough. You'll also need to tell Dovecot where the other mailboxes are
# kept. This is called the "root mail directory", and it must be the first
# path given in the mail_location setting.
#
# There are a few special variables you can use, eg.:
#
# %u - username
# %n - user part in user@domain, same as %u if there's no domain
# %d - domain part in user@domain, empty if there's no domain
# %h - home directory
#
# See doc/wiki/Variables.txt for full list. Some examples:
#
# mail_location = maildir:~/Maildir
# mail_location = mbox:~/mail:INBOX=/var/mail/%u
# mail_location = mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/%n
#
# <doc/wiki/MailLocation.txt>
#
# Default value: mail_location =
mail_location = mbox:~/mail:INBOX=/var/mail/%u

# Valid UID range for users, defaults to 500 and above. This is mostly
# to make sure that users can't log in as daemons or other system users.
# Note that denying root logins is hardcoded to dovecot binary and can't
# be done even if first_valid_uid is set to 0.
first_valid_uid = 1000
#last_valid_uid = 0

-------------------------------------------------------------------------
[root@mail ~]# vi /etc/dovecot/conf.d/10-master.conf
-------------------------------------------------------------------------
<no changes, keep the default>

-------------------------------------------------------------------------
[root@mail ~]# vi /etc/dovecot/conf.d/10-ssl.conf
-------------------------------------------------------------------------
# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
# disable plain pop3 and imap, allowed are only pop3+TLS, pop3s, imap+TLS and imaps
# plain imap and pop3 are still allowed for local connections
# Default value: ssl = required
ssl = yes

# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
# Default value: ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
# Default value: ssl_key = </etc/pki/dovecot/private/dovecot.pem
ssl_cert = </etc/pki/tls/certs/2021/cert/netcult.ch.pem
ssl_key = </etc/pki/tls/certs/2021/key/netcult.ch.key

# PEM encoded trusted certificate authority. Set this only if you intend to use
# ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
# followed by the matching CRL(s). (e.g. ssl_ca = </etc/pki/dovecot/certs/ca.pem)
# Default value: ssl_ca =
ssl_ca = </etc/pki/tls/certs/2021/inter/inter.pem

# SSL protocols to use
# Default vallue: ssl_protocols = !SSLv3
ssl_protocols = !SSLv2 !SSLv3

# SSL ciphers to use, the default is:
#ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
# To disable non-EC DH, use:
#ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
# Default value: ssl_cipher_list = PROFILE=SYSTEM
ssl_cipher_list=HIGH:!ADH-DES-CBC3-SHA:!ADH-AES128-SHA:!ADH-AES256-SHA:!ADH-CAMELLIA128-SHA:!ADH-CAMELLIA256-SHA:!DH-AES128-SHA256:!DH-AES256-SHA256:!aNULL:!DES:!3DES:!MD5:!DES+MD5:!RC4

-------------------------------------------------------------------------
[root@mail ~]# vi /etc/dovecot/conf.d/15-lda.conf
-------------------------------------------------------------------------
<no changes, keep the default>

-------------------------------------------------------------------------
[root@mail ~]# vi /etc/dovecot/conf.d/15-mailboxes.conf
-------------------------------------------------------------------------
<no changes, keep the default>

-------------------------------------------------------------------------
[root@mail ~]# vi /etc/dovecot/conf.d/20-imap.conf
-------------------------------------------------------------------------
<no changes, keep the default>

-------------------------------------------------------------------------
[root@mail ~]# vi /etc/dovecot/conf.d/20-lmtp.conf
-------------------------------------------------------------------------
<no changes, keep the default>

-------------------------------------------------------------------------
[root@mail ~]# vi /etc/dovecot/conf.d/20-pop3.conf
-------------------------------------------------------------------------
<no changes, keep the default>

-------------------------------------------------------------------------
[root@mail ~]# vi /etc/dovecot/conf.d/20-submission.conf
-------------------------------------------------------------------------
<no changes, keep the default>

-------------------------------------------------------------------------
[root@mail ~]# vi /etc/dovecot/conf.d/90-acl.conf
-------------------------------------------------------------------------
<no changes, keep the default>

-------------------------------------------------------------------------
[root@mail ~]# vi /etc/dovecot/conf.d/90-plugin.conf
-------------------------------------------------------------------------
<no changes, keep the default>

-------------------------------------------------------------------------
[root@mail ~]# vi /etc/dovecot/conf.d/90-quota.conf
-------------------------------------------------------------------------
<no changes, keep the default>

-------------------------------------------------------------------------
[root@mail ~]# vi /etc/dovecot/conf.d/auth-checkpassword.conf.ext
[root@mail ~]# vi /etc/dovecot/conf.d/auth-deny.conf.ext
[root@mail ~]# vi /etc/dovecot/conf.d/auth-dict.conf.ext
[root@mail ~]# vi /etc/dovecot/conf.d/auth-ldap.conf.ext
[root@mail ~]# vi /etc/dovecot/conf.d/auth-master.conf.ext
[root@mail ~]# vi /etc/dovecot/conf.d/auth-passwdfile.conf.ext
[root@mail ~]# vi /etc/dovecot/conf.d/auth-sql.conf.ext
[root@mail ~]# vi /etc/dovecot/conf.d/auth-static.conf.ext
[root@mail ~]# vi /etc/dovecot/conf.d/auth-system.conf.ext
[root@mail ~]# vi /etc/dovecot/conf.d/auth-vpopmail.conf.ext
-------------------------------------------------------------------------
<no changes, keep the default>

[root@mail ~]# systemctl restart dovecot

[root@mail ~]# vi /etc/passwd
administrator:x:1000:100:Administrator:/home/administrator:/bin/bash

[root@mail ~]# chown -R :users /var/spool/mail/
[root@mail ~]# chown -R :users /home/

[root@mail ~]# systemctl restart dovecot
[root@mail ~]# systemctl restart saslauthd

[root@mail ~]# su administrator
[administrator@mail root]$ cat /etc/redhat-release | mail -s "Fedora Release" administrator@mail.yourhostname.ch

[administrator@mail root]$ cat /var/mail/administrator
From administrator@mail.netcult.ch Sat Jul 3 15:58:23 2021
Return-Path: <administrator@mail.yourhostname.ch>
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on mail.yourhostname.ch
X-Spam-Level:
X-Spam-Status: No, score=-7.0 required=3.5 tests=ALL_TRUSTED autolearn=ham
autolearn_force=no version=3.4.4
Received: from mail.yourhostname.ch (localhost [127.0.0.1])
by mail.yourhostname.ch (8.15.2/8.15.2) with ESMTPS id 163DwNpD700072
(version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NOT)
for <administrator@mail.yourhostname.ch>; Sat, 3 Jul 2021 15:58:23 +0200
Received: (from administrator@localhost)
by mail.yourhostname.ch (8.15.2/8.15.2/Submit) id 163DwN0a700071
for administrator@mail.netcult.ch; Sat, 3 Jul 2021 15:58:23 +0200
From: General Administrator <administrator@mail.yourhostname.ch>
Message-Id: <202107031358.163DwN0a700071@mail.yourhostname.ch>
Date: Sat, 03 Jul 2021 15:58:23 +0200
To: administrator@mail.yourhostname.ch
Subject: Fedora Release
User-Agent: Heirloom mailx 12.5 7/5/10
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Rocky Linux release 8.4 (Green Obsidian)

[root@mail ~]# systemctl enable opendkim.service
[root@mail ~]# systemctl start opendkim.service

[root@mail ~]# vi /etc/httpd/conf.d/ssl.conf

# OCSP Stapling is a TLS extension that enables the web server
# to cache Certificate Revocation status information and not
# placing the onus on the web client to make the request directly
# with the Certificate Authority (CA).
SSLStaplingCache "shmcb:/var/log/stapling_cache(128000)"

# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the
# SSL library. The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512

# SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect. Disable SSLv2 access by default:
# SSLProtocol all -SSLv2 -SSLv3
# SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
SSLProtocol +TLSv1.2

# User agents such as web browsers are not configured for the user's
# own preference of either security or performance, therefore this
# must be the prerogative of the web server administrator who manages
# cpu load versus confidentiality, so enforce the server's cipher order.
SSLHonorCipherOrder on

# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
# The OpenSSL system profile is configured by default. See
# update-crypto-policies(8) for more details.
#SSLCipherSuite PROFILE=SYSTEM
#SSLProxyCipherSuite PROFILE=SYSTEM
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLProxyCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that restarting httpd will prompt again. Keep
# in mind that if you have both an RSA and a DSA certificate you
# can configure both in parallel (to also allow the use of DSA
# ciphers, etc.)
# Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
# require an ECC certificate which can also be configured in
# parallel.
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateFile /etc/pki/tls/certs/2021/cert/netcult.ch.pem

# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
# ECC keys, when in use, can also be configured in parallel
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateKeyFile /etc/pki/tls/certs/2021/key/netcult.ch.key

# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convenience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
SSLCertificateChainFile /etc/ssl/certs/2021/inter/inter.pem

# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

[root@mail ~]# systemctl restart httpd

[root@mail ~] vi /etc/my.cnf.d/mariadb-server.cnf

# this is only for the mysqld standalone daemon
# Settings user and group are ignored when systemd is used.
# If you need to run mysqld under a different user or group,
# customize your systemd unit file for mysqld/mariadb according to the
# instructions in http://fedoraproject.org/wiki/Systemd
[mysqld]
# Disabling symbolic-links is recommended to prevent assorted security risks
symbolic-links=0

# default-time-zone=+02:00
# Settings user and group are ignored when systemd is used.
# If you need to run mysqld under a different user or group,
# customize your systemd unit file for mariadb according to the
# instructions in http://fedoraproject.org/wiki/Systemd

# InnoDB is the default engine of mariaDB and after setting
# these parameters all the tables will have their own .idb file on server.
# Now the question arises how will it make MariaDB more efficient?
# As all the operations performed on this table will use the I/O of that single
# .idb file and if you truncate that table you can reclaim that
# space as the file against that table will be removed.
innodb_file_per_table=1

# You can enable caching and indexing in MariaDB server by setting
# the InnoDB buffer pool size parameter. The amount of memory you
# want to dedicate solely depends upon the amount of RAM your server has.
# If your server is dedicated for database then you can set the parameter
# to 60 percent of your memory but if other services are running on
#the same server then you should consider a different value.
innodb_buffer_pool_size = 2G

# Every time a connection is opened its IP is resolved by DNS lookup;
# which consumes some amount of time.
skip-name-resolve

# Query cache size is also an important parameter as it caches
# all the queries which keep on repeating with same data.
# For small websites your value should not exceed 64MB.
# Increasing this value to GB’s will decrease the performance instead of making it efficient.
query_cache_size = 64M

# These parameters are set to avoid disk writes on your servers.
# For efficient performance, both of these values should be same.
max_heap_table_size= 64M
tmp_table_size= 64M

# It is one of the best feature of MariaDB which allows the database developers
# to improve the performance by checking the queries which are taking excessive time to execute.
slow-query-log = 1
slow-query-log-file = /var/log/mariadb/mariadb-slow.log
long_query_time = 1

[root@mail ~]# systemctl restart mariadb

[root@mail ~]# vi /etc/firewalld/firewalld.conf

#FirewallBackend=nftables
FirewallBackend=iptables

[root@mail ~]# systemctl restart firewalld

[root@mail ~]# yum remove podman runc pcp-pmda-podman
[root@mail ~]# yum remove @container-tools
[root@mail ~]# shutdown -r now

[root@mail ~]# curl https://download.docker.com/linux/centos/docker-ce.repo -o /etc/yum.repos.d/docker-ce.repo
[root@mail ~]# yum install --nobest docker-ce
[root@mail ~]# systemctl enable docker
[root@mail ~]# systemctl start docker
[root@mail ~]# usermod -aG docker $USER

[root@mail ~]# curl https://download.opensuse.org/repositories/server:/eGroupWare/CentOS_8/server:eGroupWare.repo -o /etc/yum.repos.d/server:eGroupWare.repo
[root@mail ~]# yum install egroupware-docker egroupware-collabora-key egroupware-rocketchat

[root@mail ~]# cat /etc/httpd/conf.d/ssl.conf
(..)
# Collabora proxy needs to be included inside vhost
include /etc/egroupware-collabora-key/apache.conf

# EGroupware proxy needs to be included inside vhost
include /etc/egroupware-docker/apache.conf

[root@mail keys]# cat /etc/rc.local
#!/bin/bash
# THIS FILE IS ADDED FOR COMPATIBILITY PURPOSES
#
# It is highly advisable to create own systemd services or udev rules
# to run scripts during boot instead of using this file.
#
# In contrast to previous versions due to parallel execution during boot
# this script will NOT be run after all other services.
#
# Please note that you must run 'chmod +x /etc/rc.d/rc.local' to ensure
# that this script will be executed during boot.

touch /var/lock/subsys/local

# Start docker containers ...
cd /etc/egroupware-docker; docker-compose up -d

[root@mail ~]# mkdir /root/migration
[root@mail ~]# mkdir /root/migration/userdata

[root@mail ~]# mysqldump --all-databases -u root -pYour_root_password > /root/migration/mariadb_full.sql

[root@mail ~]# scp /root/migration/mariadb_full.sql root@10.0.1.33:/root/migration/

[root@mail ~]# mysql -u root -p < /root/migration/mariadb_full.sql
Enter password:

[root@mail ~]# mysql -u root -p
Enter password:

MariaDB [(none)]> FLUSH PRIVILEGES;
MariaDB [(none)]> exit;

[root@mail ~]# mysql -u egroupware -p
Enter password:

[root@mail ~]# cd /etc/egroupware-docker/
[root@mail egroupware-docker]# vi docker-compose.override.yml

#########################################################################################
###
### docker-compose.override.yml file for egroupware-docker package
###
### Place all your modifications in this file, instead of /etc/egroupware-docker/docker-compose.yml.
###
### If you want to make some modification / uncomment eg. some enviroment variables, you also have to:
### - uncomment the service eg. "egroupware:", if not already uncommented like egroupware
### - uncomment the "environment:" section of the service
###
### services:
### egroupware:
### environment:
### - EGW_APC_SHM_SIZE=256M
###
### Please note: indention with space (NOT tabs!) matter in .yml files!
###
##########################################################################################
version: '3'

#volumes:
# EGroupware data stored in /var/lib/egroupware on the host
#data:
# driver_opts:
# type: none
# o: bind
# device: /var/lib/egroupware

services:
egroupware:
# egroupware images to use:
# - egroupware/egroupware: is the community edition of egroupware
# - download.egroupware.org/egroupware/epl: is the EPL / subscription version of EGroupware GmbH
# egroupware tags to use:
# - latest: recommended is to use tag latest for automatic updates incl. new stable major releases
# - 20.1: use a branch to keep on latest maintenance release for that branch, but not update automatic to next release
# - 20.1.20200613: use a maintenance release, to disable automatic updates via watchtower and run them manually
image: egroupware/egroupware:21.1

>volumes:
# if you want to use the host database:
# 1. follow instructions below to disable db service
# 2. set EGW_DB_HOST=localhost AND
# 3. uncomment the next line and modify the host path, it depends on your distro:
# - RHEL/CentOS /var/lib/mysql/mysql.sock:/var/run/mysqld/mysqld.sock
# - openSUSE/SLE /var/run/mysql/mysql.sock:/var/run/mysqld/mysqld.sock
# - Debian/Ubuntu /var/run/mysqld:/var/run/mysqld
#- /var/run/mysqld:/var/run/mysqld
> - /var/lib/mysql/mysql.sock:/var/run/mysqld/mysqld.sock
# private CA so egroupware can validate your certificate to talk to Collabora or Rocket.Chat
# multiple certificates (eg. a chain) have to be single files in a directory, with one named private-ca.crt!
#- /etc/egroupware-docker/private-ca.crt:/usr/local/share/ca-certificates/private-ca.crt:ro
> environment:
# setting a default language for a new installation
#- LANG=de
# MariaDB/MySQL host to use: for host database (socket bind-mounted into container) use "localhost"
> - EGW_DB_HOST=localhost
# for internal db service you should to specify a root password here AND in db service
# a database "egroupware" with a random password is created for you on installation (password is stored in header.inc.php in data directory)
#- EGW_DB_ROOT=root
#- EGW_DB_ROOT_PW=secret
# alternativly you can specify an already existing database with full right by the given user!
#- EGW_DB_NAME=egroupware
#- EGW_DB_USER=egroupware
> - EGW_DB_PASS=bn2H1R:SQ8d!cJSE
# other php.ini values to set in the container and their current defaults
#- EGW_SESSION_TIMEOUT=14000
#- EGW_APC_SHM_SIZE=128M
#- EGW_MEMORY_LIMIT=128M
#- EGW_MAX_EXECUTION_TIME=90
# set the ip-address of your docker host AND your official DNS name so EGroupware
# can access Rocket.Chat or Collabora without the need to go over your firewall
#extra_hosts:
#- "my.host.name:ip-address"

# to use the database on the host, uncomment all the following settings to disable the internal db service
> db:
> image: busybox
> entrypoint: /bin/true
> restart: "no"

# push server using phpswoole
#push:

# nginx server of egroupware using /etc/egroupware-docker/egroupware-nginx.conf
# You want to install your certificate on the webserver/Nginx running on the host proxying to this one
#nginx:

# automatic updates of all containers daily at 4am
# see https://containrrr.github.io/watchtower for more information
#watchtower:
#environment:
#- WATCHTOWER_CLEANUP=true # delete old image after update to not fill up the disk
# for email notifications add your email and mail-server here
#- WATCHTOWER_NOTIFICATIONS=email
#- WATCHTOWER_NOTIFICATIONS_LEVEL=info # possible values: panic, fatal, error, warn, info or debug
#- WATCHTOWER_NOTIFICATION_EMAIL_FROM=watchtower@my-domain.com
#- WATCHTOWER_NOTIFICATION_EMAIL_TO=me@my-domain.com
#- WATCHTOWER_NOTIFICATION_EMAIL_SERVER=mail.my-domain.com # if you give your MX here, you need no user/password
#- WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PORT=25
#- WATCHTOWER_NOTIFICATION_EMAIL_SERVER_USER=watchtower@my-domain.com
#- WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PASSWORD=secret
#command: --schedule "0 0 4 * * *"

[root@mail egroupware-docker]# docker-compose down

[root@mail egroupware-docker]# docker-compose up -d --remove-orphans --build

[root@mail egroupware-docker]# docker pslog
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
d1420b4853f4 nginx:stable-alpine "/docker-entrypoint.…" 33 seconds ago Up 30 seconds 127.0.0.1:8080->80/tcp egroupware-nginx
d054757f012c phpswoole/swoole:4.6-php7.4-alpine "docker-php-entrypoi…" 34 seconds ago Up 32 seconds egroupware-push
71492d39293d egroupware/egroupware:21.1 "/entrypoint.sh php-…" 35 seconds ago Up 33 seconds 9000/tcp egroupware
df53e76a73aa containrrr/watchtower:latest "/watchtower --sched…" 37 seconds ago Up 34 seconds 8080/tcp egroupware-watchtower
44171a4b3c28 quay.io/egroupware/rocket.chat:stable "docker-entrypoint.s…" 33 hours ago Up 33 hours 127.0.0.1:3000->3000/tcp rocketchat
8852ee8cc9de mongo:4.0 "docker-entrypoint.s…" 33 hours ago Up 33 hours 27017/tcp rocketchat-mongo
a54c2878f835 quay.io/egroupware/collabora-key:stable "/bin/sh -c 'bash st…" 33 hours ago Up 33 hours 127.0.0.1:9980->9980/tcp collabora-key

[root@mail egroupware-docker]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
d1420b4853f4 nginx:stable-alpine "/docker-entrypoint.…" 54 seconds ago Up 52 seconds 127.0.0.1:8080->80/tcp egroupware-nginx
d054757f012c phpswoole/swoole:4.6-php7.4-alpine "docker-php-entrypoi…" 55 seconds ago Up 53 seconds egroupware-push
71492d39293d egroupware/egroupware:21.1 "/entrypoint.sh php-…" 56 seconds ago Up 7 seconds 9000/tcp egroupware
1094d121a673 busybox "/bin/true" 58 seconds ago Exited (0) 55 seconds ago egroupware-db
df53e76a73aa containrrr/watchtower:latest "/watchtower --sched…" 58 seconds ago Up 55 seconds 8080/tcp egroupware-watchtower
44171a4b3c28 quay.io/egroupware/rocket.chat:stable "docker-entrypoint.s…" 33 hours ago Up 33 hours 127.0.0.1:3000->3000/tcp rocketchat
da02d5a1b1a2 mongo:4.0 "docker-entrypoint.s…" 33 hours ago Exited (0) 33 hours ago egroupware-rocketchat_mongo-init-replica_1
8852ee8cc9de mongo:4.0 "docker-entrypoint.s…" 33 hours ago Up 33 hours 27017/tcp rocketchat-mongo
a54c2878f835 quay.io/egroupware/collabora-key:stable "/bin/sh -c 'bash st…" 33 hours ago Up 33 hours 127.0.0.1:9980->9980/tcp collabora-key

[root@mail egroupware-docker]# yum remove egroupware-rocketchat

[root@mail egroupware-docker]# docker stats -a
CONTAINER ID NAME CPU % MEM USAGE / LIMIT MEM % NET I/O BLOCK I/O PIDS
a11320d40498 collabora-key 0.04% 464.4MiB / 11.52GiB 3.94% 9.89kB / 0B 1.37GB / 3.81MB 11
83e121e54c52 egroupware-nginx 0.00% 5.125MiB / 11.52GiB 0.04% 10.2kB / 0B 13.3MB / 0B 5
583282159d2f egroupware-push 0.00% 17.41MiB / 11.52GiB 0.15% 10.2kB / 0B 68.6MB / 0B 10
1417fc35a4f9 egroupware-watchtower 0.00% 15.06MiB / 11.52GiB 0.13% 10.2kB / 0B 30.2MB / 0B 10
9a5e0b97fd73 egroupware-db 0.00% 0B / 0B 0.00% 0B / 0B 0B / 0B 0

[root@mail egroupware-docker]# docker volume ls
DRIVER VOLUME NAME
local 0e1e0f7fd32f7d06c88621135a8331cb3d106e1edf3f905b2fc3bd2c8244776f
local 5950f665506af9b982646affd4b9305c1c1f1c636aa2c2777e9b116d84464a12
local e2be92753bc12b00d9fa5e4a9f7b14f4d9e321429e9ed9b462a99dd97bba00ee
local egroupware-docker_data
local egroupware-docker_db
local egroupware-docker_extra
local egroupware-docker_push-config
local egroupware-docker_sessions
local egroupware-docker_sources
local egroupware-docker_sources-push
local egroupware-docker_videos
local egroupware-rocketchat_mongo

[root@mail egroupware-docker]# docker volume rm egroupware-rocketchat_mongo
egroupware-rocketchat_mongo

[root@mail egroupware-docker]# docker-compose logs -f

egroupware | Retrying EGroupware installation in 3 seconds ...
egroupware | /usr/bin/php7.4 -d memory_limit=-1 /usr/share/egroupware/setup/setup-cli.php --update 'all,admin,Qr[;pr-4nrRrND4B'
egroupware | EGroupware API version 21.1 found.
egroupware | EGroupware configuration file (header.inc.php) version 1.29 exists and is up to date
egroupware | Your database is not working! mysqli://egroupware:<somepassword)@db/egroupware:
egroupware |
egroupware | Installation failed --> exiting!

[root@mail egroupware-docker]# vi /var/lib/docker/volumes/egroupware-docker_data/_data/header.inc.php

/* eGroupWare domain-specific db settings */
$GLOBALS['egw_domain']['default'] = array(
'db_host' => 'localhost',
'db_port' => '3306',
'db_name' => 'egroupware',
'db_user' => 'egroupware',
'db_pass' => '<somepassword>',
// Look at the README file
'db_type' => 'mysqli',
// This will limit who is allowed to make configuration modifications
'config_user' => 'admin',
'config_passwd' => '{crypt}$2a$12$84T8C2nSxJXHpA8I5krODeB7vBF5nylW/1iZNdtea6hEOc1ktzrK.'
);

[root@mail egroupware-docker]# cd ~
[root@mail ~]# mkdir /var/lib/docker/volumes/egroupware-docker_data/_data/default/files/anon-images

[root@mail ~]# scp /var/lib/docker/volumes/egroupware-docker_data/_data/default/files/anon-images/* root@10.0.1.33://var/lib/docker/volumes/egroupware-docker_data/_data/default/files/anon-images/

[root@mail ~]# ll /var/lib/docker/volumes/egroupware-docker_data/_data/default/files
total 0
drwx------ 2 33 tape 6 Jul 4 13:36 activesync
drwxr-xr-x 2 33 tape 47 Jul 5 22:48 anon-images
drwxr-xr-x 3 33 tape 19 Jul 4 13:36 smallpart
drwxr-xr-x 2 33 tape 6 Jul 4 13:36 sqlfs

[root@mail ~]# chown 33:tape /var/lib/docker/volumes/egroupware-docker_data/_data/default/files/anon-images

[root@mail ~]# cat /var/lib/docker/volumes/egroupware-docker_data/_data/egroupware-docker-install.log |more


(...)
EGroupware successful installed
===============================

Please note the following user names and passwords:

Setup username: admin
password: <somepassword>

EGroupware username: sysop
password: <somepassword>
(...)

-----------------------------------------------------------------
[root@mail ~]# vi /root/migration/user.migration.sh
-----------------------------------------------------------------
#!/bin/bash

# Description:
# This script will be used to migrate users and credentials from a old to a new host.
#
# Version 1.0
# Date 06. July 2021

# Specify variables here
UGIDLIMIT=1000
TARGETHOST=10.0.1.33
BASEDIR=/root/migration/userdata

# Export users, groups and credentials
awk -v LIMIT=$UGIDLIMIT -F: '($3>=LIMIT) && ($3!=65534) && ($3!=1005) && ($3!=1009)' /etc/passwd > ${BASEDIR}/passwd.mig
awk -v LIMIT=$UGIDLIMIT -F: '($3>=LIMIT) && ($3!=65534) && ($3!=1001)' /etc/group > ${BASEDIR}/group.mig
awk -v LIMIT=$UGIDLIMIT -F: '($3>=LIMIT) && ($3!=65534) && ($3!=1005) && ($3!=1009) {print $1}' /etc/passwd | tee - | egrep -f - /etc/shadow > ${BASEDIR}/shadow.mig
cp /etc/gshadow ${BASEDIR}/gshadow.mig

# Copy configuration files of users, groups and credentials to a remote host
scp -r ${BASEDIR}/* root@${TARGETHOST}:${BASEDIR}/

# Import users, groups and credentials on a remote host
ssh root@${TARGETHOST} BASEDIR="/root/migration/userdata" /bin/bash<<"EOF"
  while IFS=":" read -r user x uid x; do [[ $uid -ge 1000 && $uid != 65534 ]] && userdel "$user"; done </etc/passwd
  while IFS=":" read -r user x uid x; do [[ $uid -ge 1000 && $uid != 65534 ]] && groupdel "$user"; done </etc/group
  cat ${BASEDIR}/passwd.mig >> /etc/passwd
  cat ${BASEDIR}/group.mig >> /etc/group
  cat ${BASEDIR}/shadow.mig >> /etc/shadow
  cp -nf ${BASEDIR}/gshadow.mig /etc/gshadow
EOF

-----------------------------------------------------------------
[root@mail ~]# vi /root/migration/opendkim.migration.sh
-----------------------------------------------------------------
#!/bin/bash

# Description:
# This script will be used to copy opendkim related configuration files from an old to a new host.
#
# Version 1.0
# Date 06. July 2021

# Specify variables here
TARGETHOST=10.0.1.33

# Copy configuration files of opendkim to a remote host
scp /etc/opendkim.conf root@${TARGETHOST}:/etc/opendkim.conf
scp /etc/opendkim/TrustedHosts root@${TARGETHOST}:/etc/opendkim/TrustedHosts
scp /etc/opendkim/SigningTable root@${TARGETHOST}:/etc/opendkim/SigningTable
scp /etc/opendkim/KeyTable root@${TARGETHOST}:/etc/opendkim/KeyTable
rsync -avvzhe ssh --progress /etc/opendkim/keys root@10.0.1.32:/etc/opendkim

-----------------------------------------------------------------
[root@mail ~]# vi /root/migration/sendmail.migration.sh
-----------------------------------------------------------------
#!/bin/bash

# Description:
# This script will be used to copy sendmail related configuration files from an old to a new host.
#
# Version 1.0
# Date 06. July 2021

# Specify variables here
TARGETHOST=10.0.1.33

# Copy configuration files of sendmail to a remote host
scp /etc/aliases root@${TARGETHOST}:/etc/aliases
scp /etc/mail/access root@${TARGETHOST}:/etc/mail/access
scp /etc/mail/local-host-names root@${TARGETHOST}:/etc/mail/local-host-names
scp /etc/mail/domaintable root@${TARGETHOST}:/etc/mail/domaintable
scp /etc/mail/trusted-users root@${TARGETHOST}:/etc/mail/trusted-users
scp /etc/mail/virtusertable root@${TARGETHOST}:/etc/mail/virtusertable

# Restart sendmail on a remote host
ssh -t root@${TARGETHOST} 'systemctl restart sendmail'

-----------------------------------------------------------------
[root@mail ~]# vi /root/migration/mariadb.migration.sh
-----------------------------------------------------------------
#!/bin/bash

# Description:
# This script will be used to dump mariadb databases on a old host and restore them to a new host.
#
# Version 1.0
# Date 06. July 2021

# Specify variables here
TARGETHOST=10.0.1.33
TARGETFILE=/root/migration/mariadb_full.sql
DB_ROOT=root
DB_PASS=somepassword

# Dump whole database server
mysqldump --all-databases -u ${DB_ROOT} -p${DB_PASS} > ${TARGETFILE}

# Transfer files to a new host
scp ${TARGETFILE} root@${TARGETHOST}:${TARGETFILE}

# Restore dump remotely on a new host and restart mariadb
ssh -t root@${TARGETHOST} 'mysql -u root -p${DB_PASS} < ${TARGETFILE}'
ssh -t root@${TARGETHOST} 'systemctl restart mariadb'

-----------------------------------------------------------------
[root@mail ~]# vi /root/migration/mail.migration.sh
-----------------------------------------------------------------
#!/bin/bash

# Description:
# This script will be used to synchronize users mail data from a old to a new host.
#
# Version 1.0
# Date 06. July 2021

# Specify variables here
TARGETHOST=10.0.1.33

# Synchronize folders
rsync -avvzhe ssh --progress /var/spool/mail root@${TARGETHOST}:/var/spool
rsync -avvzhe ssh --progress /home root@${TARGETHOST}:/

[root@mail ~]# chmod +x /root/migration/*.migration.sh

[root@mail ~]# crontab -e

# Server migration
00 2 * * * /root/migration/user.migration.sh >> /var/log/user.migration.log 2>&1
05 2 * * * /root/migration/opendkim.migration.sh >> /var/log/opendkim.migration.sh 2>&1
10 2 * * * /root/migration/sendmail.migration.sh >> /var/log/sendmail.migration.sh 2>&1
15 2 * * * /root/migration/mariadb.migration.sh >> /var/log/mariadb.migration.sh 2>&1
20 2 * * * /root/migration/mail.migration.sh >> /var/log/mail.migration.log 2>&1

[root@mail ~]# cd /var/spool/mail
[root@mail mail]# for n in *; do chown $n:users $n; done

[root@mail ~]# cd /home
[root@mail home]# for n in *; do chown -R $n:users $n; done

Appendix

A user of our mailhost was affected with the following problem:  A mailsender got a “Mail Derlivery Error” from the <MAILER DAEMON> as reply to a mail sent to our customer.

The original message was received at Tue, 23 Nov 2021 11:12:03 +0100 from mxout017.mail.xxx.ch [1.2.3.4]
   ----- The following addresses had permanent fatal errors ----- "|/etc/usermin/forward/autoreply.pl /home/info.xxx.ch/autoreply.txt info.treuhand-2000.ch"
    (expanded from: <info@xxx.ch>)
   ----- Transcript of session follows -----
550 5.7.1 /home/info.xxx.ch/.forward: line 2: "|/etc/usermin/forward/autoreply.pl /home/info.xxx.ch/autoreply.txt info.xxx.ch"... User info.xxx.ch@mail.xxx.ch doesn't have a valid shell for mailing to programs