{"id":1292,"date":"2021-11-20T20:58:44","date_gmt":"2021-11-20T19:58:44","guid":{"rendered":"https:\/\/www.web-workers.ch\/?p=1292"},"modified":"2022-04-27T18:33:06","modified_gmt":"2022-04-27T16:33:06","slug":"how-to-install-migrate-sendmail-procmail-spamassassin-dovecot-opendkim-bind-apache-mariadb-egroupware-bind-on-from-centos7-to-rocky-linux-8","status":"publish","type":"post","link":"https:\/\/www.web-workers.ch\/index.php\/2021\/11\/20\/how-to-install-migrate-sendmail-procmail-spamassassin-dovecot-opendkim-bind-apache-mariadb-egroupware-bind-on-from-centos7-to-rocky-linux-8\/","title":{"rendered":"How to install|migrate sendmail \/ procmail \/ spamassassin \/ dovecot \/ opendkim \/ bind \/ apache \/ mariadb \/ egroupware \/ bind on|from CentOS7 to Rocky Linux 8"},"content":{"rendered":"<p>We were already prepared to switch our servers from CentOS 7 to 8, but our project stopped immediately after we heard about the <a href=\"https:\/\/arstechnica.com\/gadgets\/2020\/12\/centos-shifts-from-red-hat-unbranded-to-red-hat-beta\/\" target=\"_blank\" rel=\"noopener\">abrupt end of CentOS<\/a>\u00a0&#8211; so we were looking around for new solutions. We evaluated <a href=\"https:\/\/ubuntu.com\/\" target=\"_blank\" rel=\"noopener\">Ubuntu<\/a>, <a href=\"https:\/\/www.openmandriva.org\/\" target=\"_blank\" rel=\"noopener\">OpenMandriva<\/a>, <a href=\"http:\/\/www.slackware.com\/\" target=\"_blank\" rel=\"noopener\">Slackware<\/a>, <a href=\"https:\/\/www.freebsd.org\/\" target=\"_blank\" rel=\"noopener\">FreeBSD<\/a> and other Linux\/Unix distros. Before we made a decision about which direction to move in, we waited for the first release of <a href=\"https:\/\/rockylinux.org\/\" target=\"_blank\" rel=\"noopener\">Rocky Linux 8<\/a>. Rocky Linux was announced as the official unofficial <a href=\"https:\/\/www.theregister.com\/2020\/12\/10\/rocky_linux\/\" target=\"_blank\" rel=\"noopener\">successor of CentOS<\/a>; the project was created by the founder of CentOS. 
Some weeks ago the first stable version compatible with CentOS 8 \/ RHEL 8 was released and we started our migration project from scratch.<\/p>\n<p>We use many applications on CentOS servers, but the most important system is our e-mail\/groupware server. On our mail server we use the following applications:<\/p>\n<p>&#8211; <a href=\"https:\/\/www.proofpoint.com\/us\/products\/email-protection\/open-source-email-solution\" target=\"_blank\" rel=\"noopener\">Sendmail<\/a> (SMTP Server)<br \/>&#8211; <a href=\"http:\/\/www.ii.com\/internet\/robots\/procmail\/qs\/\" target=\"_blank\" rel=\"noopener\">Procmail<\/a>\u00a0(Mail rules)<br \/>&#8211; <a href=\"https:\/\/spamassassin.apache.org\/\" target=\"_blank\" rel=\"noopener\">Spamassassin<\/a> (Anti-Spam)<br \/>&#8211; <a href=\"https:\/\/www.dovecot.org\/\" target=\"_blank\" rel=\"noopener\">Dovecot<\/a> (IMAP\/POP3 Server)<br \/>&#8211; <a href=\"http:\/\/www.opendkim.org\/\" target=\"_blank\" rel=\"noopener\">OpenDKIM<\/a> (DKIM signatures)<br \/>&#8211; <a href=\"https:\/\/www.isc.org\/bind\/\" target=\"_blank\" rel=\"noopener\">BIND<\/a> (DNS Server)<br \/>&#8211; <a href=\"https:\/\/www.apache.org\/\" target=\"_blank\" rel=\"noopener\">Apache<\/a> (http reverse proxy)<br \/>&#8211; <a href=\"https:\/\/mariadb.org\/\" target=\"_blank\" rel=\"noopener\">MariaDB<\/a> (Database for eGroupware and other databases)<br \/>&#8211; <a href=\"https:\/\/www.egroupware.org\/\" target=\"_blank\" rel=\"noopener\">eGroupware<\/a> (Groupware, CalDAV, CardDAV)<br \/>&#8211; <a href=\"https:\/\/www.docker.com\/\" target=\"_blank\" rel=\"noopener\">Docker<\/a> (for eGroupware)<\/p>\n<p>In the next chapters I document how we migrated our CentOS 7 installation to a fresh Rocky Linux 8 server.<\/p>\n<h3>Preparation<\/h3>\n<h5>Download<\/h5>\n<p>Download Rocky Linux 8: <a href=\"https:\/\/rockylinux.org\/de\/download\" target=\"_blank\" rel=\"noopener\">https:\/\/rockylinux.org\/de\/download<\/a><\/p>\n<h5>Requirements<\/h5>\n<p>Virtual 
Server requirements for our environment:<\/p>\n<p>&#8211; 4 vCPUs<br \/>&#8211; 12 GB RAM<br \/>&#8211; 1x 750 GB HDD<br \/>&#8211; 1x VMXNET3 Network Adapter<\/p>\n<h5>Disk Layout<\/h5>\n<p>Total Capacity: 750 GB<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-plain\" data-lang=\"Plain Text\"><code>Mountpoint      Capacity Filesystem Device type\n*************************************************************\n\/home           300 GB   xfs        LVM\n\/var\/spool\/mail 300 GB   xfs        LVM\n\/               130 GB   xfs        LVM\n\/boot           3.99 GB  xfs        Standard\nSWAP            16 GB    swap       LVM<\/code><\/pre>\n<\/div>\n<h4>Software selection<\/h4>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-plain\" data-lang=\"Plain Text\"><code>[x] Server with GUI\n    [x] Debugging Tools\n    [x] Guest Agents\n    [x] Performance Tools\n    [x] Graphical Administration Tools\n    [x] Security Tools\n    [x] System Tools\n[x] Workstation\n    [x] Legacy UNIX Compatibility\n[x] Custom Operating System\n    [x] Development Tools\n<\/code><\/pre>\n<\/div>\n<p>Hint: During the installation, create a local user called &#8220;administrator&#8221;.<\/p>\n<h3>Initial configuration<\/h3>\n<h4>Disable SELinux<\/h4>\n<p>Disable SELinux and reboot your system afterwards. 
Hint: Make sure this configuration fits your security requirements.<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>[root@mail ~]# cat \/etc\/selinux\/config\n\n# This file controls the state of SELinux on the system.\n# SELINUX= can take one of these three values:\n# enforcing - SELinux security policy is enforced.\n# permissive - SELinux prints warnings instead of enforcing.\n# disabled - No SELinux policy is loaded.\nSELINUX=disabled\n# SELINUXTYPE= can take one of these three values:\n# targeted - Targeted processes are protected,\n# minimum - Modification of targeted policy. Only selected processes are protected.\n# mls - Multi Level Security protection.\nSELINUXTYPE=targeted<br \/><br \/>[root@mail ~]# shutdown -r now<\/code><\/pre>\n<\/div>\n<h4>Enable Power Tools, install Delta RPMs and enable EPEL repo<\/h4>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>[root@mail ~]# dnf config-manager --set-enabled powertools<br \/>[root@mail ~]# yum install epel-release\n[root@mail ~]# yum install drpm<\/code><\/pre>\n<\/div>\n<h4>Update your system<\/h4>\n<p>Make sure you have the latest version installed and reboot your system afterwards.<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>[root@mail ~]# yum update<br \/>[root@mail ~]# shutdown -r now<\/code><\/pre>\n<\/div>\n<h4>Disable Firewall<\/h4>\n<p>We don&#8217;t want to enable the Linux firewall, so we disable the service.<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>[root@mail ~]# systemctl stop firewalld\n[root@mail ~]# systemctl disable firewalld<\/code><\/pre>\n<\/div>\n<h4>Install Webmin and Usermin<\/h4>\n<p>Install Webmin and Usermin, start and enable services at boot.<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" 
data-lang=\"Bash\"><code>[root@mail ~]# wget http:\/\/prdownloads.sourceforge.net\/webadmin\/webmin-1.979-1.noarch.rpm\n[root@mail ~]# yum -y install perl perl-Net-SSLeay openssl perl-IO-Tty perl-Encode-Detect\n[root@mail ~]# yum install webmin-1.979-1.noarch.rpm<\/code><br \/><br \/><span><code>[root@mail ~]# wget http:\/\/prdownloads.sourceforge.net\/webadmin\/usermin-1.823-1.noarch.rpm<\/code><br \/>[root@mail ~]# yum install usermin-1.823-1.noarch.rpm<br \/><br \/>[root@mail ~]# systemctl start webmin<br \/>[root@mail ~]# systemctl enable webmin<\/span><\/pre>\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><span>[root@mail ~]# systemctl start usermin<br \/>[root@mail ~]# systemctl enable usermin<br \/><\/span><\/pre>\n<\/div>\n<h4>Install OpenSSL<\/h4>\n<p>Make sure all required openssl libraries are installed.<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>[root@mail ~]# yum install openssl openssl-devel<\/code><\/pre>\n<\/div>\n<h4>Uninstall postfix<\/h4>\n<p>We prefer to use the sendmail MTA, so we remove postfix.<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>[root@mail ~]# systemctl stop postfix\n[root@mail ~]# yum remove postfix<\/code><\/pre>\n<\/div>\n<h4>Install sendmail<\/h4>\n<p>Install sendmail, start and enable services at boot.<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>[root@mail ~]# yum install sendmail sendmail-cf cyrus-sasl-plain\n[root@mail ~]# systemctl enable sendmail\n[root@mail ~]# systemctl start sendmail\n[root@mail ~]# systemctl enable saslauthd\n[root@mail ~]# systemctl start saslauthd<\/code><\/pre>\n<\/div>\n<h4>Install Spamassassin<\/h4>\n<p>Install spamassassin, start and enable services at boot.<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>[root@mail ~]# yum install 
spamassassin\n[root@mail ~]# systemctl enable spamassassin\n[root@mail ~]# systemctl start spamassassin<\/code><\/pre>\n<\/div>\n<h4>Install Dovecot<\/h4>\n<p>Install Dovecot, start and enable services at boot.<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>[root@mail ~]# yum install dovecot\n[root@mail ~]# systemctl enable dovecot\n[root@mail ~]# systemctl start dovecot<\/code><\/pre>\n<\/div>\n<h4>Install MariaDB<\/h4>\n<p>Install MariaDB, start and enable services at boot.<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>[root@mail ~]# yum install mariadb mariadb-server mariadb-backup boost-program-options\n[root@mail ~]# systemctl enable mariadb\n[root@mail ~]# systemctl start mariadb<\/code><\/pre>\n<\/div>\n<h4>Install Apache<\/h4>\n<p>Install Apache, start and enable services at boot.<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>[root@mail ~]# yum install httpd mod_ssl\n[root@mail ~]# systemctl enable httpd\n[root@mail ~]# systemctl start httpd<\/code><\/pre>\n<\/div>\n<h4>Install BIND<\/h4>\n<p>Install BIND, start and enable services at boot.<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>[root@mail ~]# yum install bind bind-utils\n[root@mail ~]# systemctl enable named\n[root@mail ~]# systemctl start named<\/code><\/pre>\n<\/div>\n<h4>Install Utilities<\/h4>\n<p>Install utilities I like to use.<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>[root@mail ~]# yum install mailx\n[root@mail ~]# yum install dos2unix<br \/>[root@mail ~]# yum install fetchmail<\/code><\/pre>\n<\/div>\n<h3>SSL<\/h3>\n<p>Create required directories.<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>[root@mail ~]# mkdir 
\/etc\/pki\/tls\/certs\/2021\n[root@mail ~]# cd \/etc\/pki\/tls\/certs\/2021\n[root@mail ~]# mkdir cert; mkdir crl; mkdir inter; mkdir key<\/code><\/pre>\n<\/div>\n<p>Transfer your certificate files to the previously created directories (you&#8217;ll notice that we have two copies of the private key &#8211; one is for sendmail only, because the sendmail key requires a special mode).<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>[root@mail ~]# scp \/etc\/pki\/tls\/certs\/2021\/cert\/netcult.ch.pem root@10.0.1.33:\/etc\/pki\/tls\/certs\/2021\/cert\/\n[root@mail ~]# scp \/etc\/pki\/tls\/certs\/2021\/cert\/netcult.ch.sendmail.pem root@10.0.1.33:\/etc\/pki\/tls\/certs\/2021\/cert\/\n[root@mail ~]# scp \/etc\/pki\/tls\/certs\/2021\/crl\/dvcasha2.crl root@10.0.1.33:\/etc\/pki\/tls\/certs\/2021\/crl\/\n[root@mail ~]# scp \/etc\/pki\/tls\/certs\/2021\/inter\/inter.pem root@10.0.1.33:\/etc\/pki\/tls\/certs\/2021\/inter\/\n[root@mail ~]# scp \/etc\/pki\/tls\/certs\/2021\/key\/netcult.ch.sendmail.key root@10.0.1.33:\/etc\/pki\/tls\/certs\/2021\/key\/\n[root@mail ~]# scp \/etc\/pki\/tls\/certs\/2021\/key\/netcult.ch.key root@10.0.1.33:\/etc\/pki\/tls\/certs\/2021\/key\/<\/code><\/pre>\n<\/div>\n<p>Protect the private key of sendmail as sendmail checks the mode of the private key.<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>[root@mail ~]# chmod 600 \/etc\/pki\/tls\/certs\/2021\/key\/netcult.ch.sendmail.key<\/code><\/pre>\n<\/div>\n<p>Verify the contents and the permissions of the certificate files.<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>[root@mail ~]# cd \/etc\/pki\/tls\/certs\/2021\/crl\/\n[root@mail ~]# ll\n-rw-r--r-- 1 root root 174780 May 13 13:45 dvcasha2.crl\n\n[root@mail ~]# cd \/etc\/pki\/tls\/certs\/2021\/inter\/\n[root@mail ~]# ll\n-rw-r--r-- 1 root root 1754 May 26 14:30 
inter.pem\n\n[root@mail ~]# cd \/etc\/pki\/tls\/certs\/2021\/key\/\n[root@mail ~]# ll\n-rw-r--r-- 1 root root 1704 May 27 15:21 netcult.ch.key\n-rw------- 1 root mail 1704 May 27 15:21 netcult.ch.sendmail.key<\/code><\/pre>\n<\/div>\n<h3>Sendmail<\/h3>\n<p>Create the sendmail configuration; only differences from the default configuration are documented.<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>[root@mail ~]# vi \/etc\/mail\/sendmail.mc\n\ndnl # default logging level is 9, you might want to set it higher to\ndnl # debug the configuration.\ndnl #\ndefine(`confLOG_LEVEL', `14')dnl\n(..)\ndefine(`confAUTH_OPTIONS', `A')dnl\ndnl #\ndnl # The following allows relaying if the user authenticates, and disallows\ndnl # plaintext authentication (PLAIN\/LOGIN) on non-TLS links\ndnl #\ndnl define(`confAUTH_OPTIONS', `A p')dnl\ndnl #\ndnl # which realm to use in SASL database (sasldb2)\ndnl #\ndefine(`confAUTH_REALM', `mail')dnl\ndnl #\ndnl # PLAIN is the preferred plaintext authentication method and used by\ndnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do\ndnl # use LOGIN. 
Other mechanisms should be used if the connection is not\ndnl # guaranteed secure.\ndnl # Please remember that saslauthd needs to be running for AUTH.\ndnl #\ndnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl\ndnl define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl\ndefine(`confAUTH_MECHANISMS',`LOGIN PLAIN DIGEST-MD5 CRAM-MD5')dnl\nTRUST_AUTH_MECH(`LOGIN PLAIN DIGEST-MD5 CRAM-MD5')dnl\n(..)\ndnl #\ndnl # Basic sendmail TLS configuration with self-signed certificate for\ndnl # inbound SMTP (and also opportunistic TLS for outbound SMTP).\ndnl #\ndefine(`confCACERT_PATH',`\/etc\/pki\/tls\/certs')\ndefine(`confCACERT',`\/etc\/pki\/tls\/certs\/ca-bundle.trust.crt')\ndefine(`confSERVER_CERT',`\/etc\/pki\/tls\/certs\/2021\/cert\/netcult.ch.sendmail.pem')\ndefine(`confSERVER_KEY',`\/etc\/pki\/tls\/certs\/2021\/key\/netcult.ch.sendmail.key')\ndefine(`confCRL',`\/etc\/pki\/tls\/certs\/2021\/crl\/dvcasha2.crl')\ndefine(`confTLS_SRV_OPTIONS', `V')dnl\nLOCAL_CONFIG\ndnl # Do not allow weak SSL\/TLS protocols and cipher algorithms\nO CipherList=HIGH:!ADH-DES-CBC3-SHA:!ADH-AES128-SHA:!ADH-AES256-SHA:!ADH-CAMELLIA128-SHA:!ADH-CAMELLIA256-SHA:!DH-AES128-SHA256:!DH-AES256-SHA256:!aNULL:!DES:!3DES:!MD5:!DES+MD5:!RC4\nO ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE\nO ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3\n(..)\ndnl # For this to work your OpenSSL certificates must be configured.\ndnl #\nDAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl\n(..)\ndnl #\ndnl # The following causes sendmail to only listen on the IPv4 loopback address\ndnl # 127.0.0.1 and not on any other network devices. Remove the loopback\ndnl # address restriction to accept email from the internet or intranet.\ndnl #\nDAEMON_OPTIONS(`Port=smtp,Addr=0.0.0.0, Name=MTA')dnl\ndnl #\ndnl # The following causes sendmail to additionally listen to port 587 for\ndnl # mail from MUAs that authenticate. 
Roaming users who can't reach their\ndnl # preferred sendmail daemon due to port 25 being blocked or redirected find\ndnl # this useful.\ndnl #\nDAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl\ndnl #\ndnl # The following causes sendmail to additionally listen to port 465, but\ndnl # starting immediately in TLS mode upon connecting. Port 25 or 587 followed\ndnl # by STARTTLS is preferred, but roaming clients using Outlook Express can't\ndnl # do STARTTLS on ports other than 25. Mozilla Mail can ONLY use STARTTLS\ndnl # and doesn't support the deprecated smtps; Evolution &lt;1.1.1 uses smtps\ndnl # when SSL is enabled-- STARTTLS support is available in version 1.1.1.\ndnl #\ndnl # For this to work your OpenSSL certificates must be configured.\ndnl #\nDAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl\n(..)\ndnl # Add some dns blacklist checks\ndnl #\ndnl # Disabled blacklist sites\ndnl # FEATURE(`dnsbl',`sbl-xbl.spamhaus.org')dnl\ndnl # FEATURE(`dnsbl',`bl.spamcop.net')dnl\ndnl # FEATURE(`dnsbl',`cbl.abuseat.org')dnl\ndnl # FEATURE(`dnsbl',`dnsbl.justspam.org')dnl\ndnl # FEATURE(`dnsbl',`bl.0spam.org')dnl\ndnl # FEATURE(`dnsbl',`url.0spam.org')dnl\ndnl # FEATURE(`dnsbl',`ix.dnsbl.manitu.net')dnl\ndnl # FEATURE(`dnsbl',`zen.spamhaus.org')dnl\ndnl # FEATURE(`dnsbl',`dnsbl.sorbs.net')dnl\ndnl # FEATURE(`dnsbl',`relays.ordb.org')dnl\n(..)\nMAILER(smtp)dnl\nMAILER(procmail)dnl\ndnl MAILER(cyrusv2)dnl\ndnl #\ndnl # Add OpenDKIM for Sendmail listening on TCP Port 8891 on localhost\ndnl #\nINPUT_MAIL_FILTER(`opendkim', `S=inet:8891@localhost')<\/code><\/pre>\n<\/div>\n<p>Create the sendmail configuration file and apply the changes.<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>[root@mail ~]# \/etc\/mail\/make\n[root@mail ~]# systemctl restart sendmail<\/code><\/pre>\n<\/div>\n<h3>Procmail<\/h3>\n<p>Create the procmail configuration. Below is our procmailrc configuration file. 
It filters all mail marked as spam by SpamAssassin and moves it to the user's \/Spam folder.<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>[root@mail ~]# vi \/etc\/procmailrc\n\n# \/etc\/procmailrc\n# Procmail configuration provided by thuinformatik GmbH\n\n# Set variables\nLOGFILE=\/var\/log\/procmail.log\nSPAMASSASSIN=\/usr\/bin\/spamc\nLOCKFILESPAMC=$HOME\/.spamclock\nLOCKFILEPROCM=$HOME\/.proclock\nDROPPRIVS=yes\n\n# Pass emails through SpamAssassin and set X-Spam-Status flag by spamc\n:0fw: $LOCKFILESPAMC\n| $SPAMASSASSIN\n\n# Pick emails with X-Spam-Status flag and move them to the user's spam folder\n:0: $LOCKFILEPROCM\n* ^X-Spam-Status: Yes\n$HOME\/mail\/Spam\n\n# Pick emails with X-Spam-Level header and move them to the user's spam folder\n:0: $LOCKFILEPROCM\n* ^X-SPAM-LEVEL: Spam detection results\n$HOME\/mail\/Spam<\/code><\/pre>\n<\/div>\n<p>Hint: After the configuration of webmin\/usermin, users can create their own rules via ~\/.procmailrc.<\/p>\n<h3>Spamassassin<\/h3>\n<p>Create the global SpamAssassin configuration; only differences from the default configuration are documented.<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>[root@mail ~]# vi \/etc\/mail\/spamassassin\/local.cf\n\n# These values can be overridden by editing ~\/.spamassassin\/user_prefs.cf\n# (see spamassassin(1) for details)\n\n# Custom rules\n# The terms are joined with | (alternation) so that any one of them triggers the rule\nheader CONTAINS_SUBJECT Subject =~ \/viagra|Cialix Pills|sex|xxx|penis|pussy|greekajob|greekajobs\/\nbody CONTAINS_BODY \/viagra|sex|xxx|penis|puss|greekajob|greekajobs|perazdera\/\n\n# How many hits before a message is considered spam (default: 3.5)\nrequired_score 3.5\n\n# Score definition\nscore URIBL_BLOCKED (0) (0) (0) (0)\nscore URIBL_BLACK (3) (3) (3) (3)\nscore URIBL_GREY (2) (2) (2) (2)\nscore URIBL_RED (1) (1) (1) (1)\nscore URIBL_ABUSE_SURBL (3) (3) (3) (3)\nscore URIBL_DBL_SPAM (5.5) 
(5.5) (5.5) (5.5)\nscore DKIM_VALID_AU (-2) (-2) (-2) (-2)\n#score DKIM_SIGNED (-2) (-2) (-2) (-2)\nscore DKIM_VALID (-2.5) (-2.5) (-2.5) (-2.5)\nscore SPF_PASS (-2.5) (-2.5) (-2.5) (-2.5)\n#score SPF_NONE (2) (2) (2) (2)\n#score SPF_HELO_NONE (2) (2) (2) (2)\n#score SPF_FAIL (2) (2) (2) (2)\nscore RCVD_IN_DNSWL_LOW (-0.1) (-0.1) (-0.1) (-0.1)\nscore RCVD_IN_DNSWL_MED (-0.7) (-0.7) (-0.7) (-0.7)\nscore RCVD_IN_DNSWL_HI (-1.3) (-1.3) (-1.3) (-1.3)\nscore T_KAM_HTML_FONT_INVALID (0.5) (0.5) (0.5) (0.5)\nscore LOTS_OF_MONEY (4) (4) (4) (4)\nscore ALL_TRUSTED (-6) (-6) (-6) (-6)\nscore MISSING_HEADERS (5) (5) (5) (5)\nscore SENDGRID_REDIR (1) (1) (1) (1)\n\n# Scores for custom rules\nscore CONTAINS_SUBJECT (5) (5) (5) (5)\nscore CONTAINS_BODY (5) (5) (5) (5)\ndescribe CONTAINS_SUBJECT Bad Word\ndescribe CONTAINS_BODY Bad Word\n\n# Change the subject of suspected spam\nrewrite_header subject *SPAM* (Stage 2) -\n\n# Encapsulate spam in an attachment (0=no, 1=yes, 2=safe)\nreport_safe 1\n\nclear_report_template\nreport Potential Spam\nreport =======================================\nreport\nreport This incoming message was classified as potential spam.\nreport\nreport Please find the original message attached.\nreport\nreport In case this is false\/positive, please read our technical information here:\nreport https:\/\/www.netcult.ch\/techinfo.cfm\nreport\nreport Message preview\nreport =======================================\nreport\nreport _PREVIEW_\nreport\nreport Scores\nreport =======================================\nreport\nreport Date: _DATE_\nreport Hostname: _HOSTNAME_\nreport\nreport Is Spam: _YESNO_\nreport Stars: _STARS(*)_\nreport Bayes score: _BAYES_\nreport Total score: _SCORE(PAD)_\nreport Threshold: _REQD_\nreport\nreport Autolearn: _AUTOLEARN_\nreport Required by autolearn: _AUTOLEARNSCORE_\nreport\nreport Report\nreport =======================================\nreport\nreport Languages: _LANGUAGES_\nreport DCCR: _DCCR_\nreport PYZOR: 
_PYZOR_\nreport\nreport RBL\nreport =======================================\nreport\nreport _RBL_\nreport\nreport Summary\nreport =======================================\nreport\nreport _SUMMARY_\nreport\nreport =======================================\n\n# Print or delete x-spam parts\n# clear_headers\n\n# Use terse version of the spam report\n# use_terse_report 0\n\n# Clear notification related to unsafe attachments\nclear_unsafe_report_template\n\n# Enable the Bayes system\nuse_bayes 1\n\n# Enable Bayes auto-learning\nbayes_auto_learn 1\n\n# Enable or disable network checks\nskip_rbl_checks 0\nuse_razor2 1\n\n# DCC\nloadplugin Mail::SpamAssassin::Plugin::DCC\nuse_dcc 1\ndcc_path \/usr\/bin\/dccproc\ndcc_dccifd_path \/usr\/libexec\/dcc\/dccifd\nfull DCC_CHECK eval:check_dcc()\nuse_pyzor 1\n\n# Mail using languages used in these country codes will not be marked\n# as being possibly spam in a foreign language.\n# - english german\n# ok_languages en de\n\n# Mail using locales used in these country codes will not be marked\n# as being possibly spam in a foreign language.\n# ok_locale en\n\n# Show detailed phrase score\n# detailed_phrase_score is from the old static phrase list code that disappeared\n# when bayes was added in spamassassin 2.50. 
(Bayes is a dynamic trainable version\n# of this concept so anything from the old phrases code is instantly obsolete)\n# detailed_phrase_score 1\n\n# Whitelist some safe senders\nwhitelist_from some@email.com\nwhitelist_from another@email.com<\/code><\/pre>\n<\/div>\n<p>Hint: After the configuration of webmin\/usermin, users can create their own rules via ~\/.spamassassin\/user_prefs.cf.<\/p>\n<p>Activate older SpamAssassin plugins by removing the comment markers (#) in the following files.<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>[root@mail ~]# vi \/etc\/mail\/spamassassin\/v310.pre\n[root@mail ~]# vi \/etc\/mail\/spamassassin\/v320.pre\n[root@mail ~]# vi \/etc\/mail\/spamassassin\/v312.pre\n[root@mail ~]# vi \/etc\/mail\/spamassassin\/v330.pre\n[root@mail ~]# vi \/etc\/mail\/spamassassin\/v340.pre\n[root@mail ~]# vi \/etc\/mail\/spamassassin\/v341.pre\n[root@mail ~]# vi \/etc\/mail\/spamassassin\/v342.pre\n[root@mail ~]# vi \/etc\/mail\/spamassassin\/v343.pre<\/code><\/pre>\n<\/div>\n<p>The following changes are documented:<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Plain Text\"><code>-------------------------------------------------------------------------\n\/etc\/mail\/spamassassin\/v310.pre\n-------------------------------------------------------------------------\n# DCC - perform DCC message checks.\n#\n# DCC is disabled here because it is not open source. See the DCC
See the DCC\n# license for more details.\n#\nloadplugin Mail::SpamAssassin::Plugin::DCC\n\n# AWL - do auto-whitelist checks\n#\nloadplugin Mail::SpamAssassin::Plugin::AWL\n\n# TextCat - language guesser\n#\nloadplugin Mail::SpamAssassin::Plugin::TextCat<\/code><\/pre>\n<\/div>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Plain Text\"><code>-------------------------------------------------------------------------\n\/etc\/mail\/spamassassin\/v312.pre\n-------------------------------------------------------------------------\n&lt;no changes keeping the default&gt;<\/code><\/pre>\n<\/div>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Plain Text\"><code>-------------------------------------------------------------------------\n\/etc\/mail\/spamassassin\/v320.pre\n-------------------------------------------------------------------------\n&lt;no changes keeping the default&gt;<\/code><\/pre>\n<\/div>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Plain Text\"><code>-------------------------------------------------------------------------\n\/etc\/mail\/spamassassin\/v330.pre\n-------------------------------------------------------------------------\n# PhishTag - allows sites to rewrite suspect phish-mail URLs\n# (Note: this requires configuration, see http:\/\/umut.topkara.org\/PhishTag)\n#\nloadplugin Mail::SpamAssassin::Plugin::PhishTag<\/code><\/pre>\n<\/div>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Plain Text\"><code>-------------------------------------------------------------------------\n\/etc\/mail\/spamassassin\/v340.pre\n-------------------------------------------------------------------------\n&lt;no changes keeping the default&gt;<\/code><\/pre>\n<\/div>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-plain\" data-lang=\"Plain 
Text\"><code>-------------------------------------------------------------------------\n\/etc\/mail\/spamassassin\/v341.pre\n-------------------------------------------------------------------------\n# TxRep - Reputation database that replaces AWL\nloadplugin Mail::SpamAssassin::Plugin::TxRep\n\n# PDFInfo - Use several methods to detect a PDF file's ham\/spam traits\nloadplugin Mail::SpamAssassin::Plugin::PDFInfo<\/code><\/pre>\n<\/div>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-plain\" data-lang=\"Plain Text\"><code>-------------------------------------------------------------------------\n\/etc\/mail\/spamassassin\/v342.pre\n-------------------------------------------------------------------------\n# HashBL - Query hashed\/unhashed strings, emails, uris etc from DNS lists\nloadplugin Mail::SpamAssassin::Plugin::HashBL\n\n# FromNameSpoof - help stop spam that tries to spoof other domains using\n# the from name\nloadplugin Mail::SpamAssassin::Plugin::FromNameSpoof\n\n# Phishing - finds uris used in phishing campaigns detected by\n# OpenPhish or PhishTank feeds.<\/code><\/pre>\n<\/div>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-plain\" data-lang=\"Plain Text\"><code>-------------------------------------------------------------------------\n\/etc\/mail\/spamassassin\/v343.pre\n-------------------------------------------------------------------------\n# OLEVBMacro - Detects both OLE macros and VB code inside Office documents\n#\n# It tries to discern between safe and malicious code but due to the threat\n# macros present to security, many places block these type of documents outright.\n#\n# For this plugin to work, Archive::Zip and IO::String modules are required.\nloadplugin Mail::SpamAssassin::Plugin::OLEVBMacro\n\nloadplugin Mail::SpamAssassin::Plugin::Phishing<\/code><\/pre>\n<\/div>\n<p>Apply changes by restarting Spamassassin<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" 
data-lang=\"Bash\"><code>[root@mail ~]# systemctl restart spamassassin<\/code><\/pre>\n<\/div>\n<p>Configure crontab to keep SpamAssassin up to date and to learn from the Spam folders in your users' mailboxes.<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>[root@mail ~]# crontab -e\n\n# daily spam autolearn-on\n30 * * * * sa-learn --spam --mbox \/home\/thomas\/mail\/Spam\n30 * * * * sa-learn --spam --mbox \/var\/spool\/mail\/spam\n30 7 * * * sa-learn --ham --mbox \/var\/spool\/mail\/thomas\n30 * * * * sa-learn --spam --mbox \/home\/somedomain.ch\/mail\/Spam\n30 7 * * * sa-learn --ham --mbox \/var\/spool\/mail\/somedomain.ch\n\n# daily spamassassin update\n30 7 * * * date &gt;&gt; \/var\/log\/spamassassin_sa-update.log ; sa-update -v &gt;&gt; \/var\/log\/spamassassin_sa-update.log ; \/bin\/systemctl restart spamassassin.service ; echo Spamassassin restarted &gt;&gt; \/var\/log\/spamassassin_sa-update.log<\/code><\/pre>\n<\/div>\n<p>Test the daily SpamAssassin update.<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>[root@mail ~]# date &gt;&gt; \/var\/log\/spamassassin_sa-update.log ; sa-update -v &gt;&gt; \/var\/log\/spamassassin_sa-update.log ; \/bin\/systemctl restart spamassassin.service ; echo Spamassassin restarted &gt;&gt; \/var\/log\/spamassassin_sa-update.log; cat \/var\/log\/spamassassin_sa-update.log\n<br \/>Sat Jul 3 14:08:40 CEST 2021\nUpdate available for channel updates.spamassassin.org: -1 -&gt; 1891178\nhttp: (curl) GET http:\/\/spamassassin.apache.org\/updates\/MIRRORED.BY, success\nhttp: (curl) GET http:\/\/sa-update.ena.com\/1891178.tar.gz, success\nhttp: (curl) GET http:\/\/sa-update.ena.com\/1891178.tar.gz.sha512, success\nhttp: (curl) GET http:\/\/sa-update.ena.com\/1891178.tar.gz.asc, success\nUpdate was available, and was downloaded and installed successfully\nSpamassassin 
restarted<\/code><\/pre>\n<\/div>\n<h3>DCC<\/h3>\n<p>Install Distributed Checksum Clearinghouse (DCC) from the cheese-release repo.<\/p>\n<p><a href=\"http:\/\/www.nosuchhost.net\/~cheese\/fedora\/packages\/epel-8\/x86_64\/cheese-release.html\" target=\"_blank\" rel=\"noopener\">http:\/\/www.nosuchhost.net\/~cheese\/fedora\/packages\/epel-8\/x86_64\/cheese-release.html<\/a><\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>[root@mail ~]# wget http:\/\/www.nosuchhost.net\/~cheese\/fedora\/packages\/epel-8\/x86_64\/cheese-release-8-1.el8.noarch.rpm\n[root@mail ~]# yum install cheese-release-8-1.el8.noarch.rpm\n[root@mail ~]# yum install dcc<\/code><\/pre>\n<\/div>\n<h3>Dovecot<\/h3>\n<p>Create the Dovecot configuration; only differences from the default configuration are documented.<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>-------------------------------------------------------------------------\n[root@mail ~]# vi \/etc\/dovecot\/dovecot.conf\n-------------------------------------------------------------------------\n# Protocols we want to be serving.\n# Default value: protocols = imap pop3 lmtp submission\nprotocols = imap pop3 lmtp\n\n# Access for Dovecot process to home directories.\nmail_privileged_group = mail\nmail_access_groups = mail\n\n# Greeting message for clients.\n# Default value: login_greeting = Dovecot ready.\nlogin_greeting = Dovecot at thuinformatik GmbH ready.<\/code><\/pre>\n<\/div>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>-------------------------------------------------------------------------\n[root@mail ~]# vi \/etc\/dovecot\/conf.d\/10-auth.conf\n-------------------------------------------------------------------------\n# Disable LOGIN command and all other plaintext authentications unless\n# SSL\/TLS is used (LOGINDISABLED capability). 
Note that if the remote IP\n# matches the local IP (ie. you're connecting from the same computer), the\n# connection is considered secure and plaintext authentication is allowed.\n# See also ssl=required setting.\n# Default value: disable_plaintext_auth = yes\ndisable_plaintext_auth = no\n\n# Username character translations before it's looked up from databases. The\n# value contains series of from -&gt; to characters. For example \"#@\/@\" means\n# that '#' and '\/' characters are translated to '@'.\nauth_username_translation = @.\n\n# Space separated list of wanted authentication mechanisms:\n# plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey\n# gss-spnego\n# NOTE: See also disable_plaintext_auth setting.\n# Default value: auth_mechanisms = plain\nauth_mechanisms = plain login<\/code><\/pre>\n<\/div>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>-------------------------------------------------------------------------\n[root@mail ~]# vi \/etc\/dovecot\/conf.d\/10-director.conf\n-------------------------------------------------------------------------\n&lt;no changes, keep the default&gt;<\/code><\/pre>\n<\/div>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>-------------------------------------------------------------------------\n[root@mail ~]# vi \/etc\/dovecot\/conf.d\/10-logging.conf\n-------------------------------------------------------------------------\n# Log unsuccessful authentication attempts and the reasons why they failed.\n# Default value: auth_verbose = no\nauth_verbose = yes<\/code><\/pre>\n<\/div>\n<p>Hint: Dovecot points the &#8220;mail_location&#8221; to the user home directory by default but sendmail stores the inbox files at \/var\/spool\/mail\/. 
<span style=\"font-size: inherit;\">To use the traditional sendmail structure, point the &#8220;mail_location&#8221; to the correct path.<\/span><\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>-------------------------------------------------------------------------\n[root@mail ~]# vi \/etc\/dovecot\/conf.d\/10-mail.conf\n-------------------------------------------------------------------------\n# Location for users' mailboxes. The default is empty, which means that Dovecot\n# tries to find the mailboxes automatically. This won't work if the user\n# doesn't yet have any mail, so you should explicitly tell Dovecot the full\n# location.\n#\n# If you're using mbox, giving a path to the INBOX file (eg. \/var\/mail\/%u)\n# isn't enough. You'll also need to tell Dovecot where the other mailboxes are\n# kept. This is called the \"root mail directory\", and it must be the first\n# path given in the mail_location setting.\n#\n# There are a few special variables you can use, eg.:\n#\n# %u - username\n# %n - user part in user@domain, same as %u if there's no domain\n# %d - domain part in user@domain, empty if there's no domain\n# %h - home directory\n#\n# See doc\/wiki\/Variables.txt for full list. Some examples:\n#\n# mail_location = maildir:~\/Maildir\n# mail_location = mbox:~\/mail:INBOX=\/var\/mail\/%u\n# mail_location = mbox:\/var\/mail\/%d\/%1n\/%n:INDEX=\/var\/indexes\/%d\/%1n\/%n\n#\n# &lt;doc\/wiki\/MailLocation.txt&gt;\n#\n# Default value: mail_location =\nmail_location = mbox:~\/mail:INBOX=\/var\/mail\/%u\n\n# Valid UID range for users, defaults to 500 and above. 
This is mostly\n# to make sure that users can't log in as daemons or other system users.\n# Note that denying root logins is hardcoded to dovecot binary and can't\n# be done even if first_valid_uid is set to 0.\nfirst_valid_uid = 1000\n#last_valid_uid = 0<\/code><\/pre>\n<\/div>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>-------------------------------------------------------------------------\n[root@mail ~]# vi \/etc\/dovecot\/conf.d\/10-master.conf\n-------------------------------------------------------------------------\n&lt;no changes, keep the default&gt;<\/code><\/pre>\n<\/div>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>-------------------------------------------------------------------------\n[root@mail ~]# vi \/etc\/dovecot\/conf.d\/10-ssl.conf\n-------------------------------------------------------------------------\n# SSL\/TLS support: yes, no, required. &lt;doc\/wiki\/SSL.txt&gt;\n# disable plain pop3 and imap, allowed are only pop3+TLS, pop3s, imap+TLS and imaps\n# plain imap and pop3 are still allowed for local connections\n# Default value: ssl = required\nssl = yes\n\n# PEM encoded X.509 SSL\/TLS certificate and private key. They're opened before\n# dropping root privileges, so keep the key file unreadable by anyone but\n# root. Included doc\/mkcert.sh can be used to easily generate self-signed\n# certificate, just make sure to update the domains in dovecot-openssl.cnf\n# Default value: ssl_cert = &lt;\/etc\/pki\/dovecot\/certs\/dovecot.pem\n# Default value: ssl_key = &lt;\/etc\/pki\/dovecot\/private\/dovecot.pem\nssl_cert = &lt;\/etc\/pki\/tls\/certs\/2021\/cert\/netcult.ch.pem\nssl_key = &lt;\/etc\/pki\/tls\/certs\/2021\/key\/netcult.ch.key\n\n# PEM encoded trusted certificate authority. Set this only if you intend to use\n# ssl_verify_client_cert=yes. The file should contain the CA certificate(s)\n# followed by the matching CRL(s). 
(e.g. ssl_ca = &lt;\/etc\/pki\/dovecot\/certs\/ca.pem)\n# Default value: ssl_ca =\nssl_ca = &lt;\/etc\/pki\/tls\/certs\/2021\/inter\/inter.pem\n\n# SSL protocols to use\n# Default vallue: ssl_protocols = !SSLv3\nssl_protocols = !SSLv2 !SSLv3\n\n# SSL ciphers to use, the default is:\n#ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH\n# To disable non-EC DH, use:\n#ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH\n# Default value: ssl_cipher_list = PROFILE=SYSTEM\nssl_cipher_list=HIGH:!ADH-DES-CBC3-SHA:!ADH-AES128-SHA:!ADH-AES256-SHA:!ADH-CAMELLIA128-SHA:!ADH-CAMELLIA256-SHA:!DH-AES128-SHA256:!DH-AES256-SHA256:!aNULL:!DES:!3DES:!MD5:!DES+MD5:!RC4<\/code><\/pre>\n<\/div>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>-------------------------------------------------------------------------\n[root@mail ~]# vi \/etc\/dovecot\/conf.d\/15-lda.conf\n-------------------------------------------------------------------------\n&lt;no changes, keep the default&gt;<\/code><\/pre>\n<\/div>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>-------------------------------------------------------------------------\n[root@mail ~]# vi \/etc\/dovecot\/conf.d\/15-mailboxes.conf\n-------------------------------------------------------------------------\n&lt;no changes, keep the default&gt;<\/code><\/pre>\n<\/div>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>-------------------------------------------------------------------------\n[root@mail ~]# vi \/etc\/dovecot\/conf.d\/20-imap.conf\n-------------------------------------------------------------------------\n&lt;no changes, keep the default&gt;<\/code><\/pre>\n<\/div>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" 
data-lang=\"Bash\"><code>-------------------------------------------------------------------------\n[root@mail ~]# vi \/etc\/dovecot\/conf.d\/20-lmtp.conf\n-------------------------------------------------------------------------\n&lt;no changes, keep the default&gt;<\/code><\/pre>\n<\/div>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>-------------------------------------------------------------------------\n[root@mail ~]# vi \/etc\/dovecot\/conf.d\/20-pop3.conf\n-------------------------------------------------------------------------\n&lt;no changes, keep the default&gt;<\/code><\/pre>\n<\/div>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>-------------------------------------------------------------------------\n[root@mail ~]# vi \/etc\/dovecot\/conf.d\/20-submission.conf\n-------------------------------------------------------------------------\n&lt;no changes, keep the default&gt;<\/code><\/pre>\n<\/div>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>-------------------------------------------------------------------------\n[root@mail ~]# vi \/etc\/dovecot\/conf.d\/90-acl.conf\n-------------------------------------------------------------------------\n&lt;no changes, keep the default&gt;<\/code><\/pre>\n<\/div>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>-------------------------------------------------------------------------\n[root@mail ~]# vi \/etc\/dovecot\/conf.d\/90-plugin.conf\n-------------------------------------------------------------------------\n&lt;no changes, keep the default&gt;<\/code><\/pre>\n<\/div>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>-------------------------------------------------------------------------\n[root@mail ~]# vi 
\/etc\/dovecot\/conf.d\/90-quota.conf\n-------------------------------------------------------------------------\n&lt;no changes, keep the default&gt;<\/code><\/pre>\n<\/div>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>-------------------------------------------------------------------------\n[root@mail ~]# vi \/etc\/dovecot\/conf.d\/auth-checkpassword.conf.ext\n[root@mail ~]# vi \/etc\/dovecot\/conf.d\/auth-deny.conf.ext\n[root@mail ~]# vi \/etc\/dovecot\/conf.d\/auth-dict.conf.ext\n[root@mail ~]# vi \/etc\/dovecot\/conf.d\/auth-ldap.conf.ext\n[root@mail ~]# vi \/etc\/dovecot\/conf.d\/auth-master.conf.ext\n[root@mail ~]# vi \/etc\/dovecot\/conf.d\/auth-passwdfile.conf.ext\n[root@mail ~]# vi \/etc\/dovecot\/conf.d\/auth-sql.conf.ext\n[root@mail ~]# vi \/etc\/dovecot\/conf.d\/auth-static.conf.ext\n[root@mail ~]# vi \/etc\/dovecot\/conf.d\/auth-system.conf.ext\n[root@mail ~]# vi \/etc\/dovecot\/conf.d\/auth-vpopmail.conf.ext\n-------------------------------------------------------------------------\n&lt;no changes, keep the default&gt;<\/code><\/pre>\n<\/div>\n<p>Apply all changes by restarting dovecot<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>[root@mail ~]# systemctl restart dovecot<\/code><\/pre>\n<\/div>\n<h3>Administrator user configuration<\/h3>\n<p>Set the user group ID 100 for the user administrator.<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>[root@mail ~]# vi \/etc\/passwd\nadministrator:x:1000:100:Administrator:\/home\/administrator:\/bin\/bash<\/code><\/pre>\n<\/div>\n<p>Make home directories accessible for the users group:<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>[root@mail ~]# chown -R :users \/var\/spool\/mail\/\n[root@mail ~]# chown -R :users \/home\/<\/code><\/pre>\n<\/div>\n<p>Just to be sure: apply changes 
by restarting dovecot and sasl<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>[root@mail ~]# systemctl restart dovecot\n[root@mail ~]# systemctl restart saslauthd<\/code><\/pre>\n<\/div>\n<h3>Basic mail tests<\/h3>\n<p>Try to send an email with the administrator user created during the installation. Verify that the mail flow works as expected.<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>[root@mail ~]# su administrator\n[administrator@mail root]$ cat \/etc\/redhat-release | mail -s \"Fedora Release\" administrator@mail.yourhostname.ch<\/code><\/pre>\n<\/div>\n<p>Verify the email has arrived<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>[administrator@mail root]$ cat \/var\/mail\/administrator\nFrom administrator@mail.netcult.ch Sat Jul 3 15:58:23 2021\nReturn-Path: &lt;administrator@mail.yourhostname.ch&gt;\nX-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on mail.yourhostname.ch\nX-Spam-Level:\nX-Spam-Status: No, score=-7.0 required=3.5 tests=ALL_TRUSTED autolearn=ham\nautolearn_force=no version=3.4.4\nReceived: from mail.yourhostname.ch (localhost [127.0.0.1])\nby mail.yourhostname.ch (8.15.2\/8.15.2) with ESMTPS id 163DwNpD700072\n(version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NOT)\nfor &lt;administrator@mail.yourhostname.ch&gt;; Sat, 3 Jul 2021 15:58:23 +0200\nReceived: (from administrator@localhost)\nby mail.yourhostname.ch (8.15.2\/8.15.2\/Submit) id 163DwN0a700071\nfor administrator@mail.netcult.ch; Sat, 3 Jul 2021 15:58:23 +0200\nFrom: General Administrator &lt;administrator@mail.yourhostname.ch&gt;\nMessage-Id: &lt;202107031358.163DwN0a700071@mail.yourhostname.ch&gt;\nDate: Sat, 03 Jul 2021 15:58:23 +0200\nTo: administrator@mail.yourhostname.ch\nSubject: Fedora Release\nUser-Agent: Heirloom mailx 12.5 7\/5\/10\nMIME-Version: 1.0\nContent-Type: text\/plain; 
charset=us-ascii\nContent-Transfer-Encoding: 7bit\n\nRocky Linux release 8.4 (Green Obsidian)<\/code><\/pre>\n<\/div>\n<h3>OpenDKIM<\/h3>\n<p><a href=\"https:\/\/www.web-workers.ch\/index.php\/2019\/10\/21\/how-to-configure-dkim-spf-dmarc-on-sendmail-for-multiple-domains-on-centos-7\/\" target=\"_blank\" rel=\"noopener\">We have documented the installation of OpenDKIM<\/a> in one of our previous blog posts.<\/p>\n<p>Make sure the service will be started automatically after the host reboots.<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>[root@mail ~]# systemctl enable opendkim.service\n[root@mail ~]# systemctl start opendkim.service<\/code><\/pre>\n<\/div>\n<h3>BIND configuration<\/h3>\n<p>We were not able to migrate the whole BIND configuration from one host to the other. Instead of copying the running configuration, we decided to use a zone transfer to migrate our DNS zones from the old to the new server.<\/p>\n<h3>Apache<\/h3>\n<p>Configure the Apache HTTP server; only the differences from the default configuration are documented.<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>[root@mail ~]# vi \/etc\/httpd\/conf.d\/ssl.conf\n\n# OCSP Stapling is a TLS extension that enables the web server\n# to cache Certificate Revocation status information and not\n# placing the onus on the web client to make the request directly\n# with the Certificate Authority (CA).\nSSLStaplingCache \"shmcb:\/var\/log\/stapling_cache(128000)\"\n\n# Pseudo Random Number Generator (PRNG):\n# Configure one or more sources to seed the PRNG of the\n# SSL library. The seed data should be of good random quality.\n# WARNING! On some platforms \/dev\/random blocks if not enough entropy\n# is available. 
This means you then cannot use the \/dev\/random device\n# because it would lead to very long connection times (as long as\n# it requires to make more entropy available). But usually those\n# platforms additionally provide a \/dev\/urandom device which doesn't\n# block. So, if available, use this one instead. Read the mod_ssl User\n# Manual for more details.\nSSLRandomSeed startup file:\/dev\/urandom 256\nSSLRandomSeed connect builtin\n#SSLRandomSeed startup file:\/dev\/random 512\n#SSLRandomSeed connect file:\/dev\/random 512\n#SSLRandomSeed connect file:\/dev\/urandom 512\n\n# SSL Protocol support:\n# List the enable protocol levels with which clients will be able to\n# connect. Disable SSLv2 access by default:\n# SSLProtocol all -SSLv2 -SSLv3\n# SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2\nSSLProtocol +TLSv1.2\n\n# User agents such as web browsers are not configured for the user's\n# own preference of either security or performance, therefore this\n# must be the prerogative of the web server administrator who manages\n# cpu load versus confidentiality, so enforce the server's cipher order.\nSSLHonorCipherOrder on\n\n# SSL Cipher Suite:\n# List the ciphers that the client is permitted to negotiate.\n# See the mod_ssl documentation for a complete list.\n# The OpenSSL system profile is configured by default. 
See\n# update-crypto-policies(8) for more details.\n#SSLCipherSuite PROFILE=SYSTEM\n#SSLProxyCipherSuite PROFILE=SYSTEM\nSSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA\nSSLProxyCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA\n\n# Point SSLCertificateFile at a PEM encoded certificate. If\n# the certificate is encrypted, then you will be prompted for a\n# pass phrase. Note that restarting httpd will prompt again. 
Keep\n# in mind that if you have both an RSA and a DSA certificate you\n# can configure both in parallel (to also allow the use of DSA\n# ciphers, etc.)\n# Some ECC cipher suites (http:\/\/www.ietf.org\/rfc\/rfc4492.txt)\n# require an ECC certificate which can also be configured in\n# parallel.\n#SSLCertificateFile \/etc\/pki\/tls\/certs\/localhost.crt\nSSLCertificateFile \/etc\/pki\/tls\/certs\/2021\/cert\/netcult.ch.pem\n\n# Server Private Key:\n# If the key is not combined with the certificate, use this\n# directive to point at the key file. Keep in mind that if\n# you've both a RSA and a DSA private key you can configure\n# both in parallel (to also allow the use of DSA ciphers, etc.)\n# ECC keys, when in use, can also be configured in parallel\n#SSLCertificateKeyFile \/etc\/pki\/tls\/private\/localhost.key\nSSLCertificateKeyFile \/etc\/pki\/tls\/certs\/2021\/key\/netcult.ch.key\n\n# Server Certificate Chain:\n# Point SSLCertificateChainFile at a file containing the\n# concatenation of PEM encoded CA certificates which form the\n# certificate chain for the server certificate. 
Alternatively\n# the referenced file can be the same as SSLCertificateFile\n# when the CA certificates are directly appended to the server\n# certificate for convenience.\n#SSLCertificateChainFile \/etc\/pki\/tls\/certs\/server-chain.crt\nSSLCertificateChainFile \/etc\/ssl\/certs\/2021\/inter\/inter.pem\n\n# Certificate Authority (CA):\n# Set the CA certificate verification path where to find CA\n# certificates for client authentication or alternatively one\n# huge file containing all of them (file must be PEM encoded)\n#SSLCACertificateFile \/etc\/pki\/tls\/certs\/ca-bundle.crt\nSSLCACertificateFile \/etc\/pki\/tls\/certs\/ca-bundle.crt<\/code><\/pre>\n<\/div>\n<p>Apply all changes by restarting apache<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>[root@mail ~]# systemctl restart httpd<\/code><\/pre>\n<\/div>\n<h3>MariaDB<\/h3>\n<p>Configure the MariaDB server; only the differences from the default configuration are documented.<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>[root@mail ~]# vi \/etc\/my.cnf.d\/mariadb-server.cnf\n\n# this is only for the mysqld standalone daemon\n# Settings user and group are ignored when systemd is used.\n# If you need to run mysqld under a different user or group,\n# customize your systemd unit file for mysqld\/mariadb according to the\n# instructions in http:\/\/fedoraproject.org\/wiki\/Systemd\n[mysqld]\n# Disabling symbolic-links is recommended to prevent assorted security risks\nsymbolic-links=0\n\n# default-time-zone=+02:00\n# Settings user and group are ignored when systemd is used.\n# If you need to run mysqld under a different user or group,\n# customize your systemd unit file for mariadb according to the\n# instructions in http:\/\/fedoraproject.org\/wiki\/Systemd\n\n# InnoDB is the default engine of mariaDB and after setting\n# these parameters all the tables will have their own 
.idb file on server.\n# Now the question arises how will it make MariaDB more efficient?\n# As all the operations performed on this table will use the I\/O of that single\n# .idb file and if you truncate that table you can reclaim that\n# space as the file against that table will be removed.\ninnodb_file_per_table=1\n\n# You can enable caching and indexing in MariaDB server by setting\n# the InnoDB buffer pool size parameter. The amount of memory you\n# want to dedicate solely depends upon the amount of RAM your server has.\n# If your server is dedicated for database then you can set the parameter\n# to 60 percent of your memory but if other services are running on\n#the same server then you should consider a different value.\ninnodb_buffer_pool_size = 2G\n\n# Every time a connection is opened its IP is resolved by DNS lookup;\n# which consumes some amount of time.\nskip-name-resolve\n\n# Query cache size is also an important parameter as it caches\n# all the queries which keep on repeating with same data.\n# For small websites your value should not exceed 64MB.\n# Increasing this value to GB\u2019s will decrease the performance instead of making it efficient.\nquery_cache_size = 64M\n\n# These parameters are set to avoid disk writes on your servers.\n# For efficient performance, both of these values should be same.\nmax_heap_table_size= 64M\ntmp_table_size= 64M\n\n# It is one of the best feature of MariaDB which allows the database developers\n# to improve the performance by checking the queries which are taking excessive time to execute.\nslow-query-log = 1\nslow-query-log-file = \/var\/log\/mariadb\/mariadb-slow.log\nlong_query_time = 1<\/code><\/pre>\n<\/div>\n<p>Apply all changes by restarting mariadb<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>[root@mail ~]# systemctl restart mariadb<\/code><\/pre>\n<\/div>\n<h3>eGroupware<\/h3>\n<p>RHEL\/CentOS 8\/Rocky Linux 8 uses nftables instead of iptables, 
which does not work with current docker-ce. You need to configure firewalld to use iptables by editing \/etc\/firewalld\/firewalld.conf.<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>[root@mail ~]# vi \/etc\/firewalld\/firewalld.conf\n\n#FirewallBackend=nftables\nFirewallBackend=iptables\n\n[root@mail ~]# systemctl restart firewalld<\/code><\/pre>\n<\/div>\n<p>If installed, remove everything of podman and reboot your system afterwards<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>[root@mail ~]# yum remove podman runc pcp-pmda-podman\n[root@mail ~]# yum remove @container-tools\n[root@mail ~]# shutdown -r now<\/code><\/pre>\n<\/div>\n<p>Install Docker for Rocky Linux 8<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>[root@mail ~]# curl https:\/\/download.docker.com\/linux\/centos\/docker-ce.repo -o \/etc\/yum.repos.d\/docker-ce.repo\n[root@mail ~]# yum install --nobest docker-ce\n[root@mail ~]# systemctl enable docker\n[root@mail ~]# systemctl start docker\n[root@mail ~]# usermod -aG docker $USER<\/code><\/pre>\n<\/div>\n<p>Install eGroupware for Rocky Linux 8<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>[root@mail ~]# curl https:\/\/download.opensuse.org\/repositories\/server:\/eGroupWare\/CentOS_8\/server:eGroupWare.repo -o \/etc\/yum.repos.d\/server:eGroupWare.repo\n[root@mail ~]# yum install egroupware-docker egroupware-collabora-key egroupware-rocketchat<\/code><\/pre>\n<\/div>\n<p>Verify reverse proxy configuration in ssl.conf.<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>[root@mail ~]# cat \/etc\/httpd\/conf.d\/ssl.conf\n(..)\n# Collabora proxy needs to be included inside vhost\ninclude \/etc\/egroupware-collabora-key\/apache.conf\n<\/code><\/pre>\n<pre 
class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code># EGroupware proxy needs to be included inside vhost\ninclude \/etc\/egroupware-docker\/apache.conf<\/code><\/pre>\n<\/div>\n<p>To make sure the Docker containers start after the host has booted up, we use \/etc\/rc.local.<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>[root@mail keys]# cat \/etc\/rc.local\n#!\/bin\/bash\n# THIS FILE IS ADDED FOR COMPATIBILITY PURPOSES\n#\n# It is highly advisable to create own systemd services or udev rules\n# to run scripts during boot instead of using this file.\n#\n# In contrast to previous versions due to parallel execution during boot\n# this script will NOT be run after all other services.\n#\n# Please note that you must run 'chmod +x \/etc\/rc.d\/rc.local' to ensure\n# that this script will be executed during boot.\n\ntouch \/var\/lock\/subsys\/local\n\n# Start docker containers ...\ncd \/etc\/egroupware-docker; docker-compose up -d<\/code><\/pre>\n<\/div>\n<h3>User and data migration<\/h3>\n<h4>Configure passwordless ssh authentication<\/h4>\n<p><a href=\"https:\/\/www.web-workers.ch\/index.php\/2016\/05\/15\/how-to-authenticate-passwordless-via-ssh\/\" target=\"_blank\" rel=\"noopener\">We have documented passwordless ssh authentication<\/a> in one of our previous blog posts. 
Make sure you can connect from the old host to the new host and vice versa without needing to enter a password.<\/p>\n<h4>Create folders to store migration data<\/h4>\n<p>Create these folders on both the old and the new host.<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>[root@mail ~]# mkdir \/root\/migration\n[root@mail ~]# mkdir \/root\/migration\/userdata<\/code><\/pre>\n<\/div>\n<h4>Initial migration of mariadb<\/h4>\n<p>On the old host: Back up all mariadb databases.<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>[root@mail ~]# mysqldump --all-databases -u root -pYour_root_password &gt; \/root\/migration\/mariadb_full.sql<\/code><\/pre>\n<\/div>\n<p>Transfer the backup to the new host.<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>[root@mail ~]# scp \/root\/migration\/mariadb_full.sql root@10.0.1.33:\/root\/migration\/<\/code><\/pre>\n<\/div>\n<p>On the new host: Load the mariadb database backup.<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>[root@mail ~]# mysql -u root -p &lt; \/root\/migration\/mariadb_full.sql\nEnter password:<\/code><\/pre>\n<\/div>\n<p>FLUSH PRIVILEGES (apply new user privileges)<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>[root@mail ~]# mysql -u root -p\nEnter password:\nMariaDB [(none)]&gt; FLUSH PRIVILEGES;\nMariaDB [(none)]&gt; exit;<\/code><\/pre>\n<\/div>\n<h4>Migrate eGroupware<\/h4>\n<p>Verify login with the egroupware database user.<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>[root@mail ~]# mysql -u egroupware -p\nEnter password:<\/code><\/pre>\n<\/div>\n<p>Configure eGroupware to use the new host's mariadb server.<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism 
undefined-numbers lang-bash\" data-lang=\"Bash\"><code>[root@mail ~]# cd \/etc\/egroupware-docker\/\n[root@mail egroupware-docker]# vi docker-compose.override.yml<\/code><\/pre>\n<\/div>\n<p>Uncomment all lines marked with <span style=\"background-color: #ffff00;\">&gt;<\/span> (we would like to use the MariaDB server running on the host). Feel free to configure additional settings.<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>#########################################################################################\n###\n### docker-compose.override.yml file for egroupware-docker package\n###\n### Place all your modifications in this file, instead of \/etc\/egroupware-docker\/docker-compose.yml.\n###\n### If you want to make some modification \/ uncomment eg. some enviroment variables, you also have to:\n### - uncomment the service eg. \"egroupware:\", if not already uncommented like egroupware\n### - uncomment the \"environment:\" section of the service\n###\n### services:\n### egroupware:\n### environment:\n### - EGW_APC_SHM_SIZE=256M\n###\n### Please note: indention with space (NOT tabs!) matter in .yml files!\n###\n##########################################################################################\nversion: '3'\n\n#volumes:\n# EGroupware data stored in \/var\/lib\/egroupware on the host\n#data:\n# driver_opts:\n# type: none\n# o: bind\n# device: \/var\/lib\/egroupware\n\nservices:\negroupware:\n# egroupware images to use:\n# - egroupware\/egroupware: is the community edition of egroupware\n# - download.egroupware.org\/egroupware\/epl: is the EPL \/ subscription version of EGroupware GmbH\n# egroupware tags to use:\n# - latest: recommended is to use tag latest for automatic updates incl. 
new stable major releases\n# - 20.1: use a branch to keep on latest maintenance release for that branch, but not update automatic to next release\n# - 20.1.20200613: use a maintenance release, to disable automatic updates via watchtower and run them manually\nimage: egroupware\/egroupware:21.1\n\n<span style=\"background-color: #ffff00;\">&gt;<\/span>volumes:\n# if you want to use the host database:\n# 1. follow instructions below to disable db service\n# 2. set EGW_DB_HOST=localhost AND\n# 3. uncomment the next line and modify the host path, it depends on your distro:\n# - RHEL\/CentOS \/var\/lib\/mysql\/mysql.sock:\/var\/run\/mysqld\/mysqld.sock\n# - openSUSE\/SLE \/var\/run\/mysql\/mysql.sock:\/var\/run\/mysqld\/mysqld.sock\n# - Debian\/Ubuntu \/var\/run\/mysqld:\/var\/run\/mysqld\n#- \/var\/run\/mysqld:\/var\/run\/mysqld\n<span style=\"background-color: #ffff00;\">&gt;<\/span> - \/var\/lib\/mysql\/mysql.sock:\/var\/run\/mysqld\/mysqld.sock\n# private CA so egroupware can validate your certificate to talk to Collabora or Rocket.Chat\n# multiple certificates (eg. 
a chain) have to be single files in a directory, with one named private-ca.crt!\n#- \/etc\/egroupware-docker\/private-ca.crt:\/usr\/local\/share\/ca-certificates\/private-ca.crt:ro\n<span style=\"background-color: #ffff00;\">&gt;<\/span> environment:\n# setting a default language for a new installation\n#- LANG=de\n# MariaDB\/MySQL host to use: for host database (socket bind-mounted into container) use \"localhost\"\n<span style=\"background-color: #ffff00;\">&gt;<\/span> - EGW_DB_HOST=localhost\n# for internal db service you should to specify a root password here AND in db service\n# a database \"egroupware\" with a random password is created for you on installation (password is stored in header.inc.php in data directory)\n#- EGW_DB_ROOT=root\n#- EGW_DB_ROOT_PW=secret\n# alternativly you can specify an already existing database with full right by the given user!\n#- EGW_DB_NAME=egroupware\n#- EGW_DB_USER=egroupware\n<span style=\"background-color: #ffff00;\">&gt;<\/span> - EGW_DB_PASS=bn2H1R:SQ8d!cJSE\n# other php.ini values to set in the container and their current defaults\n#- EGW_SESSION_TIMEOUT=14000\n#- EGW_APC_SHM_SIZE=128M\n#- EGW_MEMORY_LIMIT=128M\n#- EGW_MAX_EXECUTION_TIME=90\n# set the ip-address of your docker host AND your official DNS name so EGroupware\n# can access Rocket.Chat or Collabora without the need to go over your firewall\n#extra_hosts:\n#- \"my.host.name:ip-address\"\n\n# to use the database on the host, uncomment all the following settings to disable the internal db service\n<span style=\"background-color: #ffff00;\">&gt;<\/span> db:\n<span style=\"background-color: #ffff00;\">&gt;<\/span> image: busybox\n<span style=\"background-color: #ffff00;\">&gt;<\/span> entrypoint: \/bin\/true\n<span style=\"background-color: #ffff00;\">&gt;<\/span> restart: \"no\"\n\n# push server using phpswoole\n#push:\n\n# nginx server of egroupware using \/etc\/egroupware-docker\/egroupware-nginx.conf\n# You want to install your certificate on the 
webserver\/Nginx running on the host proxying to this one\n#nginx:\n\n# automatic updates of all containers daily at 4am\n# see https:\/\/containrrr.github.io\/watchtower for more information\n#watchtower:\n#environment:\n#- WATCHTOWER_CLEANUP=true # delete old image after update to not fill up the disk\n# for email notifications add your email and mail-server here\n#- WATCHTOWER_NOTIFICATIONS=email\n#- WATCHTOWER_NOTIFICATIONS_LEVEL=info # possible values: panic, fatal, error, warn, info or debug\n#- WATCHTOWER_NOTIFICATION_EMAIL_FROM=watchtower@my-domain.com\n#- WATCHTOWER_NOTIFICATION_EMAIL_TO=me@my-domain.com\n#- WATCHTOWER_NOTIFICATION_EMAIL_SERVER=mail.my-domain.com # if you give your MX here, you need no user\/password\n#- WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PORT=25\n#- WATCHTOWER_NOTIFICATION_EMAIL_SERVER_USER=watchtower@my-domain.com\n#- WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PASSWORD=secret\n#command: --schedule \"0 0 4 * * *\"<\/code><\/pre>\n<\/div>\n<p>Stop all docker services.<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>[root@mail egroupware-docker]# docker-compose down<\/code><\/pre>\n<\/div>\n<p>Start all docker services, remove orphaned db container and build images before starting containers.<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>[root@mail egroupware-docker]# docker-compose up -d --remove-orphans --build<\/code><\/pre>\n<\/div>\n<p>Verify active containers only.<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>[root@mail egroupware-docker]# docker ps\nCONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES\nd1420b4853f4 nginx:stable-alpine \"\/docker-entrypoint.\u2026\" 33 seconds ago Up 30 seconds 127.0.0.1:8080-&gt;80\/tcp egroupware-nginx\nd054757f012c phpswoole\/swoole:4.6-php7.4-alpine \"docker-php-entrypoi\u2026\" 34 seconds ago Up 32 seconds 
egroupware-push\n71492d39293d egroupware\/egroupware:21.1 \"\/entrypoint.sh php-\u2026\" 35 seconds ago Up 33 seconds 9000\/tcp egroupware\ndf53e76a73aa containrrr\/watchtower:latest \"\/watchtower --sched\u2026\" 37 seconds ago Up 34 seconds 8080\/tcp egroupware-watchtower\n44171a4b3c28 quay.io\/egroupware\/rocket.chat:stable \"docker-entrypoint.s\u2026\" 33 hours ago Up 33 hours 127.0.0.1:3000-&gt;3000\/tcp rocketchat\n8852ee8cc9de mongo:4.0 \"docker-entrypoint.s\u2026\" 33 hours ago Up 33 hours 27017\/tcp rocketchat-mongo\na54c2878f835 quay.io\/egroupware\/collabora-key:stable \"\/bin\/sh -c 'bash st\u2026\" 33 hours ago Up 33 hours 127.0.0.1:9980-&gt;9980\/tcp collabora-key<\/code><\/pre>\n<\/div>\n<p>Verify active and inactive containers.<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>[root@mail egroupware-docker]# docker ps -a\nCONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES\nd1420b4853f4 nginx:stable-alpine \"\/docker-entrypoint.\u2026\" 54 seconds ago Up 52 seconds 127.0.0.1:8080-&gt;80\/tcp egroupware-nginx\nd054757f012c phpswoole\/swoole:4.6-php7.4-alpine \"docker-php-entrypoi\u2026\" 55 seconds ago Up 53 seconds egroupware-push\n71492d39293d egroupware\/egroupware:21.1 \"\/entrypoint.sh php-\u2026\" 56 seconds ago Up 7 seconds 9000\/tcp egroupware\n1094d121a673 busybox \"\/bin\/true\" 58 seconds ago Exited (0) 55 seconds ago egroupware-db\ndf53e76a73aa containrrr\/watchtower:latest \"\/watchtower --sched\u2026\" 58 seconds ago Up 55 seconds 8080\/tcp egroupware-watchtower\n44171a4b3c28 quay.io\/egroupware\/rocket.chat:stable \"docker-entrypoint.s\u2026\" 33 hours ago Up 33 hours 127.0.0.1:3000-&gt;3000\/tcp rocketchat\nda02d5a1b1a2 mongo:4.0 \"docker-entrypoint.s\u2026\" 33 hours ago Exited (0) 33 hours ago egroupware-rocketchat_mongo-init-replica_1\n8852ee8cc9de mongo:4.0 \"docker-entrypoint.s\u2026\" 33 hours ago Up 33 hours 27017\/tcp rocketchat-mongo\na54c2878f835 
quay.io\/egroupware\/collabora-key:stable \"\/bin\/sh -c 'bash st\u2026\" 33 hours ago Up 33 hours 127.0.0.1:9980-&gt;9980\/tcp collabora-key<\/code><\/pre>\n<\/div>\n<p>We need\/want to uninstall the rocketchat container as we do not want to use this feature.<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>[root@mail egroupware-docker]# yum remove egroupware-rocketchat<\/code><\/pre>\n<\/div>\n<p>A useful command: Get realtime statistics of all docker containers<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>[root@mail egroupware-docker]# docker stats -a\nCONTAINER ID NAME CPU % MEM USAGE \/ LIMIT MEM % NET I\/O BLOCK I\/O PIDS\na11320d40498 collabora-key 0.04% 464.4MiB \/ 11.52GiB 3.94% 9.89kB \/ 0B 1.37GB \/ 3.81MB 11\n83e121e54c52 egroupware-nginx 0.00% 5.125MiB \/ 11.52GiB 0.04% 10.2kB \/ 0B 13.3MB \/ 0B 5\n583282159d2f egroupware-push 0.00% 17.41MiB \/ 11.52GiB 0.15% 10.2kB \/ 0B 68.6MB \/ 0B 10\n1417fc35a4f9 egroupware-watchtower 0.00% 15.06MiB \/ 11.52GiB 0.13% 10.2kB \/ 0B 30.2MB \/ 0B 10\n9a5e0b97fd73 egroupware-db 0.00% 0B \/ 0B 0.00% 0B \/ 0B 0B \/ 0B 0<\/code><\/pre>\n<\/div>\n<p>Remove rocketchat_mongo docker volume.<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>[root@mail egroupware-docker]# docker volume ls\nDRIVER VOLUME NAME\nlocal 0e1e0f7fd32f7d06c88621135a8331cb3d106e1edf3f905b2fc3bd2c8244776f\nlocal 5950f665506af9b982646affd4b9305c1c1f1c636aa2c2777e9b116d84464a12\nlocal e2be92753bc12b00d9fa5e4a9f7b14f4d9e321429e9ed9b462a99dd97bba00ee\nlocal egroupware-docker_data\nlocal egroupware-docker_db\nlocal egroupware-docker_extra\nlocal egroupware-docker_push-config\nlocal egroupware-docker_sessions\nlocal egroupware-docker_sources\nlocal egroupware-docker_sources-push\nlocal egroupware-docker_videos\nlocal egroupware-rocketchat_mongo\n\n[root@mail egroupware-docker]# docker 
volume rm egroupware-rocketchat_mongo\negroupware-rocketchat_mongo<\/code><\/pre>\n<\/div>\n<p>Verify if eGroupware has a working database connection.<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>[root@mail egroupware-docker]# docker-compose logs -f<\/code><\/pre>\n<\/div>\n<p>If you still get the error&#8230;<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>egroupware | Retrying EGroupware installation in 3 seconds ...\negroupware | \/usr\/bin\/php7.4 -d memory_limit=-1 \/usr\/share\/egroupware\/setup\/setup-cli.php --update 'all,admin,Qr[;pr-4nrRrND4B'\negroupware | EGroupware API version 21.1 found.\negroupware | EGroupware configuration file (header.inc.php) version 1.29 exists and is up to date\negroupware | <span style=\"background-color: #ffff00;\">Your database is not working! mysqli:\/\/egroupware:&lt;somepassword)@db\/egroupware:<\/span>\negroupware |\negroupware | Installation failed --&gt; exiting!<\/code><\/pre>\n<\/div>\n<p>&#8230; then modify header.inc.php manually to point to the correct mariadb host.<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>[root@mail egroupware-docker]# vi \/var\/lib\/docker\/volumes\/egroupware-docker_data\/_data\/header.inc.php\n\n\/* eGroupWare domain-specific db settings *\/\n$GLOBALS['egw_domain']['default'] = array(\n'db_host' =&gt; '<span style=\"background-color: #ffff00;\">localhost<\/span>',\n'db_port' =&gt; '3306',\n'db_name' =&gt; 'egroupware',\n'db_user' =&gt; 'egroupware',\n'db_pass' =&gt; '<span style=\"background-color: #ffff00;\">&lt;somepassword&gt;<\/span>',\n\/\/ Look at the README file\n'db_type' =&gt; 'mysqli',\n\/\/ This will limit who is allowed to make configuration modifications\n'config_user' =&gt; 'admin',\n'config_passwd' =&gt; 
'{crypt}$2a$12$84T8C2nSxJXHpA8I5krODeB7vBF5nylW\/1iZNdtea6hEOc1ktzrK.'\n);<\/code><\/pre>\n<\/div>\n<p>Copy previously used custom logos and icons. Create required folder on new host.<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>[root@mail egroupware-docker]# cd ~<br \/>[root@mail ~]# mkdir \/var\/lib\/docker\/volumes\/egroupware-docker_data\/_data\/default\/files\/anon-images<\/code><\/pre>\n<\/div>\n<p>Copy over the content from the old host to the new host and set file permissions<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>[root@mail ~]# scp \/var\/lib\/docker\/volumes\/egroupware-docker_data\/_data\/default\/files\/anon-images\/* root@10.0.1.33:\/\/var\/lib\/docker\/volumes\/egroupware-docker_data\/_data\/default\/files\/anon-images\/<\/code><\/pre>\n<\/div>\n<p>Check current permissions and set it equal to the existing IDs<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>[root@mail ~]# ll \/var\/lib\/docker\/volumes\/egroupware-docker_data\/_data\/default\/files\ntotal 0\ndrwx------ 2 33 tape 6 Jul 4 13:36 activesync\ndrwxr-xr-x 2 33 tape 47 Jul 5 22:48 anon-images\ndrwxr-xr-x 3 33 tape 19 Jul 4 13:36 smallpart\ndrwxr-xr-x 2 33 tape 6 Jul 4 13:36 sqlfs<br \/><br \/>[root@mail ~]# chown 33:tape \/var\/lib\/docker\/volumes\/egroupware-docker_data\/_data\/default\/files\/anon-images<br \/><\/code><\/pre>\n<\/div>\n<p>Find setup and administrator configuration credentials for http:\/\/yourhost\/egroupware\/setup.<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>[root@mail ~]# cat \/var\/lib\/docker\/volumes\/egroupware-docker_data\/_data\/egroupware-docker-install.log |more\n\n\n(...)\nEGroupware successful installed\n===============================\n\nPlease note the following user names and passwords:\n\nSetup username: 
admin\npassword: &lt;somepassword&gt;\n\nEGroupware username: sysop\npassword: &lt;somepassword&gt;\n(...)<\/code><\/pre>\n<\/div>\n<p>Change all required settings that need to point to the new host. Login to the setup-page (http:\/\/yourhost\/egroupware\/setup)<\/p>\n<p><a href=\"https:\/\/www.web-workers.ch\/index.php\/2021\/11\/20\/how-to-install-migrate-sendmail-procmail-spamassassin-dovecot-opendkim-bind-apache-mariadb-egroupware-bind-on-from-centos7-to-rocky-linux-8\/2021-11-20-14_15_36-egroupware-setup-einrichtung\/\" rel=\"attachment wp-att-1446\" style=\"font-size: 0.875rem; font-weight: bold; background-color: #fefefe;\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" data-attachment-id=\"1446\" data-permalink=\"https:\/\/www.web-workers.ch\/index.php\/2021\/11\/20\/how-to-install-migrate-sendmail-procmail-spamassassin-dovecot-opendkim-bind-apache-mariadb-egroupware-bind-on-from-centos7-to-rocky-linux-8\/2021-11-20-14_15_36-egroupware-setup-einrichtung\/\" data-orig-file=\"https:\/\/i0.wp.com\/www.web-workers.ch\/wp-content\/uploads\/2021\/11\/2021-11-20-14_15_36-EGroupware-Setup-Einrichtung.png?fit=530%2C299&amp;ssl=1\" data-orig-size=\"530,299\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"eGroupware Admin Login\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/www.web-workers.ch\/wp-content\/uploads\/2021\/11\/2021-11-20-14_15_36-EGroupware-Setup-Einrichtung.png?fit=530%2C299&amp;ssl=1\" 
src=\"https:\/\/i0.wp.com\/www.web-workers.ch\/wp-content\/uploads\/2021\/11\/2021-11-20-14_15_36-EGroupware-Setup-Einrichtung-300x169.png?resize=300%2C169&#038;ssl=1\" alt=\"eGroupware Admin Login\" width=\"300\" height=\"169\" class=\"wp-image-1446 size-medium\" srcset=\"https:\/\/i0.wp.com\/www.web-workers.ch\/wp-content\/uploads\/2021\/11\/2021-11-20-14_15_36-EGroupware-Setup-Einrichtung.png?resize=300%2C169&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.web-workers.ch\/wp-content\/uploads\/2021\/11\/2021-11-20-14_15_36-EGroupware-Setup-Einrichtung.png?w=530&amp;ssl=1 530w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><br \/>Login to the Setup-\/Configuration-page<\/p>\n<p><a href=\"https:\/\/www.web-workers.ch\/index.php\/2021\/11\/20\/how-to-install-migrate-sendmail-procmail-spamassassin-dovecot-opendkim-bind-apache-mariadb-egroupware-bind-on-from-centos7-to-rocky-linux-8\/2021-11-20-14_33_01-egroupware-setup-einrichtung-domain_-default-mysqli___egroupwarelocalhost_\/\" rel=\"attachment wp-att-1448\" style=\"font-size: 0.875rem; font-weight: bold; background-color: #fefefe;\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" data-attachment-id=\"1448\" data-permalink=\"https:\/\/www.web-workers.ch\/index.php\/2021\/11\/20\/how-to-install-migrate-sendmail-procmail-spamassassin-dovecot-opendkim-bind-apache-mariadb-egroupware-bind-on-from-centos7-to-rocky-linux-8\/2021-11-20-14_33_01-egroupware-setup-einrichtung-domain_-default-mysqli___egroupwarelocalhost_\/\" data-orig-file=\"https:\/\/i0.wp.com\/www.web-workers.ch\/wp-content\/uploads\/2021\/11\/2021-11-20-14_33_01-EGroupware-Setup-Einrichtung-Domain_-default-mysqli___egroupware%40localhost_.png?fit=1265%2C305&amp;ssl=1\" data-orig-size=\"1265,305\" data-comments-opened=\"1\" 
data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Configuration\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/www.web-workers.ch\/wp-content\/uploads\/2021\/11\/2021-11-20-14_33_01-EGroupware-Setup-Einrichtung-Domain_-default-mysqli___egroupware%40localhost_.png?fit=1024%2C247&amp;ssl=1\" src=\"https:\/\/i0.wp.com\/www.web-workers.ch\/wp-content\/uploads\/2021\/11\/2021-11-20-14_33_01-EGroupware-Setup-Einrichtung-Domain_-default-mysqli___egroupware%40localhost_.png?resize=300%2C72&#038;ssl=1\" alt=\"Configuration\" width=\"300\" height=\"72\" class=\"wp-image-1448 size-medium\" srcset=\"https:\/\/i0.wp.com\/www.web-workers.ch\/wp-content\/uploads\/2021\/11\/2021-11-20-14_33_01-EGroupware-Setup-Einrichtung-Domain_-default-mysqli___egroupware%40localhost_.png?resize=300%2C72&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.web-workers.ch\/wp-content\/uploads\/2021\/11\/2021-11-20-14_33_01-EGroupware-Setup-Einrichtung-Domain_-default-mysqli___egroupware%40localhost_.png?resize=1024%2C247&amp;ssl=1 1024w, https:\/\/i0.wp.com\/www.web-workers.ch\/wp-content\/uploads\/2021\/11\/2021-11-20-14_33_01-EGroupware-Setup-Einrichtung-Domain_-default-mysqli___egroupware%40localhost_.png?resize=768%2C185&amp;ssl=1 768w, https:\/\/i0.wp.com\/www.web-workers.ch\/wp-content\/uploads\/2021\/11\/2021-11-20-14_33_01-EGroupware-Setup-Einrichtung-Domain_-default-mysqli___egroupware%40localhost_.png?w=1265&amp;ssl=1 1265w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><br \/><span style=\"color: #454545;\">Open Step 2 &#8211; Configuration<\/span><\/p>\n<p><a 
href=\"https:\/\/www.web-workers.ch\/index.php\/2021\/11\/20\/how-to-install-migrate-sendmail-procmail-spamassassin-dovecot-opendkim-bind-apache-mariadb-egroupware-bind-on-from-centos7-to-rocky-linux-8\/2021-11-20-14_31_01-egroupware-setup-einrichtung-domain_-defaultmysqli\/\" rel=\"attachment wp-att-1447\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" data-attachment-id=\"1447\" data-permalink=\"https:\/\/www.web-workers.ch\/index.php\/2021\/11\/20\/how-to-install-migrate-sendmail-procmail-spamassassin-dovecot-opendkim-bind-apache-mariadb-egroupware-bind-on-from-centos7-to-rocky-linux-8\/2021-11-20-14_31_01-egroupware-setup-einrichtung-domain_-defaultmysqli\/\" data-orig-file=\"https:\/\/i0.wp.com\/www.web-workers.ch\/wp-content\/uploads\/2021\/11\/2021-11-20-14_31_01-EGroupware-Setup-Einrichtung-Domain_-defaultmysqli.png?fit=993%2C110&amp;ssl=1\" data-orig-size=\"993,110\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Authentication Backend\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/www.web-workers.ch\/wp-content\/uploads\/2021\/11\/2021-11-20-14_31_01-EGroupware-Setup-Einrichtung-Domain_-defaultmysqli.png?fit=993%2C110&amp;ssl=1\" src=\"https:\/\/i0.wp.com\/www.web-workers.ch\/wp-content\/uploads\/2021\/11\/2021-11-20-14_31_01-EGroupware-Setup-Einrichtung-Domain_-defaultmysqli.png?resize=300%2C33&#038;ssl=1\" alt=\"Authentication Backend\" width=\"300\" height=\"33\" class=\"alignnone size-medium wp-image-1447\" 
srcset=\"https:\/\/i0.wp.com\/www.web-workers.ch\/wp-content\/uploads\/2021\/11\/2021-11-20-14_31_01-EGroupware-Setup-Einrichtung-Domain_-defaultmysqli.png?resize=300%2C33&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.web-workers.ch\/wp-content\/uploads\/2021\/11\/2021-11-20-14_31_01-EGroupware-Setup-Einrichtung-Domain_-defaultmysqli.png?resize=768%2C85&amp;ssl=1 768w, https:\/\/i0.wp.com\/www.web-workers.ch\/wp-content\/uploads\/2021\/11\/2021-11-20-14_31_01-EGroupware-Setup-Einrichtung-Domain_-defaultmysqli.png?w=993&amp;ssl=1 993w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><br \/>Make sure the authentication backend points to the IP address of your new host.<\/p>\n<p>Compare all other settings and save all changes. Afterwards, open https:\/\/yourhost\/egroupware and log in as your administrative user.<\/p>\n<p><a href=\"https:\/\/www.web-workers.ch\/index.php\/2021\/11\/20\/how-to-install-migrate-sendmail-procmail-spamassassin-dovecot-opendkim-bind-apache-mariadb-egroupware-bind-on-from-centos7-to-rocky-linux-8\/2021-11-20-14_40_25-anmelden\/\" rel=\"attachment wp-att-1449\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" data-attachment-id=\"1449\" data-permalink=\"https:\/\/www.web-workers.ch\/index.php\/2021\/11\/20\/how-to-install-migrate-sendmail-procmail-spamassassin-dovecot-opendkim-bind-apache-mariadb-egroupware-bind-on-from-centos7-to-rocky-linux-8\/2021-11-20-14_40_25-anmelden\/\" data-orig-file=\"https:\/\/i0.wp.com\/www.web-workers.ch\/wp-content\/uploads\/2021\/11\/2021-11-20-14_40_25-Anmelden.png?fit=324%2C415&amp;ssl=1\" data-orig-size=\"324,415\" data-comments-opened=\"1\" 
data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Administrator Login\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/www.web-workers.ch\/wp-content\/uploads\/2021\/11\/2021-11-20-14_40_25-Anmelden.png?fit=324%2C415&amp;ssl=1\" src=\"https:\/\/i0.wp.com\/www.web-workers.ch\/wp-content\/uploads\/2021\/11\/2021-11-20-14_40_25-Anmelden.png?resize=234%2C300&#038;ssl=1\" alt=\"Administrator Login\" width=\"234\" height=\"300\" class=\"alignnone size-medium wp-image-1449\" srcset=\"https:\/\/i0.wp.com\/www.web-workers.ch\/wp-content\/uploads\/2021\/11\/2021-11-20-14_40_25-Anmelden.png?resize=234%2C300&amp;ssl=1 234w, https:\/\/i0.wp.com\/www.web-workers.ch\/wp-content\/uploads\/2021\/11\/2021-11-20-14_40_25-Anmelden.png?w=324&amp;ssl=1 324w\" sizes=\"auto, (max-width: 234px) 100vw, 234px\" \/><\/a><\/p>\n<p><a href=\"https:\/\/www.web-workers.ch\/index.php\/2021\/11\/20\/how-to-install-migrate-sendmail-procmail-spamassassin-dovecot-opendkim-bind-apache-mariadb-egroupware-bind-on-from-centos7-to-rocky-linux-8\/2021-11-20-14_42_13-egroupware-e-mail\/\" rel=\"attachment wp-att-1450\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" data-attachment-id=\"1450\" data-permalink=\"https:\/\/www.web-workers.ch\/index.php\/2021\/11\/20\/how-to-install-migrate-sendmail-procmail-spamassassin-dovecot-opendkim-bind-apache-mariadb-egroupware-bind-on-from-centos7-to-rocky-linux-8\/2021-11-20-14_42_13-egroupware-e-mail\/\" 
data-orig-file=\"https:\/\/i0.wp.com\/www.web-workers.ch\/wp-content\/uploads\/2021\/11\/2021-11-20-14_42_13-EGroupware-E-Mail.png?fit=443%2C566&amp;ssl=1\" data-orig-size=\"443,566\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Open Mailbox Settings\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/www.web-workers.ch\/wp-content\/uploads\/2021\/11\/2021-11-20-14_42_13-EGroupware-E-Mail.png?fit=443%2C566&amp;ssl=1\" src=\"https:\/\/i0.wp.com\/www.web-workers.ch\/wp-content\/uploads\/2021\/11\/2021-11-20-14_42_13-EGroupware-E-Mail.png?resize=235%2C300&#038;ssl=1\" alt=\"Open Mailbox Settings\" width=\"235\" height=\"300\" class=\"alignnone size-medium wp-image-1450\" srcset=\"https:\/\/i0.wp.com\/www.web-workers.ch\/wp-content\/uploads\/2021\/11\/2021-11-20-14_42_13-EGroupware-E-Mail.png?resize=235%2C300&amp;ssl=1 235w, https:\/\/i0.wp.com\/www.web-workers.ch\/wp-content\/uploads\/2021\/11\/2021-11-20-14_42_13-EGroupware-E-Mail.png?w=443&amp;ssl=1 443w\" sizes=\"auto, (max-width: 235px) 100vw, 235px\" \/><\/a><br \/>Right click the top level folder of the administrator-mailbox and select &#8220;Edit Account&#8221; from the context menu.<\/p>\n<p><a href=\"https:\/\/www.web-workers.ch\/index.php\/2021\/11\/20\/how-to-install-migrate-sendmail-procmail-spamassassin-dovecot-opendkim-bind-apache-mariadb-egroupware-bind-on-from-centos7-to-rocky-linux-8\/2021-11-20-14_46_51-admin-mailaccount_-admin-mailaccount\/\" rel=\"attachment wp-att-1452\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" 
data-attachment-id=\"1452\" data-permalink=\"https:\/\/www.web-workers.ch\/index.php\/2021\/11\/20\/how-to-install-migrate-sendmail-procmail-spamassassin-dovecot-opendkim-bind-apache-mariadb-egroupware-bind-on-from-centos7-to-rocky-linux-8\/2021-11-20-14_46_51-admin-mailaccount_-admin-mailaccount\/\" data-orig-file=\"https:\/\/i0.wp.com\/www.web-workers.ch\/wp-content\/uploads\/2021\/11\/2021-11-20-14_46_51-admin-mailaccount_-admin-mailaccount.png?fit=711%2C316&amp;ssl=1\" data-orig-size=\"711,316\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Mail Account Settings\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/www.web-workers.ch\/wp-content\/uploads\/2021\/11\/2021-11-20-14_46_51-admin-mailaccount_-admin-mailaccount.png?fit=711%2C316&amp;ssl=1\" src=\"https:\/\/i0.wp.com\/www.web-workers.ch\/wp-content\/uploads\/2021\/11\/2021-11-20-14_46_51-admin-mailaccount_-admin-mailaccount.png?resize=300%2C133&#038;ssl=1\" alt=\"Mail Account Settings\" width=\"300\" height=\"133\" class=\"alignnone size-medium wp-image-1452\" srcset=\"https:\/\/i0.wp.com\/www.web-workers.ch\/wp-content\/uploads\/2021\/11\/2021-11-20-14_46_51-admin-mailaccount_-admin-mailaccount.png?resize=300%2C133&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.web-workers.ch\/wp-content\/uploads\/2021\/11\/2021-11-20-14_46_51-admin-mailaccount_-admin-mailaccount.png?w=711&amp;ssl=1 711w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a> <a 
href=\"https:\/\/www.web-workers.ch\/index.php\/2021\/11\/20\/how-to-install-migrate-sendmail-procmail-spamassassin-dovecot-opendkim-bind-apache-mariadb-egroupware-bind-on-from-centos7-to-rocky-linux-8\/2021-11-20-14_47_30-admin-mailaccount_-admin-mailaccount\/\" rel=\"attachment wp-att-1453\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" data-attachment-id=\"1453\" data-permalink=\"https:\/\/www.web-workers.ch\/index.php\/2021\/11\/20\/how-to-install-migrate-sendmail-procmail-spamassassin-dovecot-opendkim-bind-apache-mariadb-egroupware-bind-on-from-centos7-to-rocky-linux-8\/2021-11-20-14_47_30-admin-mailaccount_-admin-mailaccount\/\" data-orig-file=\"https:\/\/i0.wp.com\/www.web-workers.ch\/wp-content\/uploads\/2021\/11\/2021-11-20-14_47_30-admin-mailaccount_-admin-mailaccount.png?fit=680%2C342&amp;ssl=1\" data-orig-size=\"680,342\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Mail Account Settings\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/www.web-workers.ch\/wp-content\/uploads\/2021\/11\/2021-11-20-14_47_30-admin-mailaccount_-admin-mailaccount.png?fit=680%2C342&amp;ssl=1\" src=\"https:\/\/i0.wp.com\/www.web-workers.ch\/wp-content\/uploads\/2021\/11\/2021-11-20-14_47_30-admin-mailaccount_-admin-mailaccount.png?resize=300%2C151&#038;ssl=1\" alt=\"Mail Account Settings\" width=\"300\" height=\"151\" class=\"alignnone size-medium wp-image-1453\" 
srcset=\"https:\/\/i0.wp.com\/www.web-workers.ch\/wp-content\/uploads\/2021\/11\/2021-11-20-14_47_30-admin-mailaccount_-admin-mailaccount.png?resize=300%2C151&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.web-workers.ch\/wp-content\/uploads\/2021\/11\/2021-11-20-14_47_30-admin-mailaccount_-admin-mailaccount.png?w=680&amp;ssl=1 680w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><br \/>Make sure the default mail account is configured for &#8220;All Users&#8221; and points to the new host.<\/p>\n<p>As a final step, log in to eGroupware and check that authentication works and that you have access to your mail data.<\/p>\n<h4>Scripts to migrate data<\/h4>\n<p>Below are some scripts we used to migrate user data from the old to the new host. All scripts are executed on the old host. Store them in \/root\/migration.<\/p>\n<h5>Migration of users, groups and credentials<\/h5>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>-----------------------------------------------------------------\n[root@mail ~]# vi \/root\/migration\/user.migration.sh\n-----------------------------------------------------------------\n#!\/bin\/bash\n\n# Description:\n# This script will be used to migrate users and credentials from an old to a new host.\n#\n# Version 1.0\n# Date 06. 
July 2021\n\n# Specify variables here\nUGIDLIMIT=1000\nTARGETHOST=10.0.1.33\nBASEDIR=\/root\/migration\/userdata\n\n# Export users, groups and credentials\nawk -v LIMIT=$UGIDLIMIT -F: '($3&gt;=LIMIT) &amp;&amp; ($3!=65534) &amp;&amp; ($3!=1005) &amp;&amp; ($3!=1009)' \/etc\/passwd &gt; ${BASEDIR}\/passwd.mig\nawk -v LIMIT=$UGIDLIMIT -F: '($3&gt;=LIMIT) &amp;&amp; ($3!=65534) &amp;&amp; ($3!=1001)' \/etc\/group &gt; ${BASEDIR}\/group.mig\nawk -v LIMIT=$UGIDLIMIT -F: '($3&gt;=LIMIT) &amp;&amp; ($3!=65534) &amp;&amp; ($3!=1005) &amp;&amp; ($3!=1009) {print $1}' \/etc\/passwd | tee - | egrep -f - \/etc\/shadow &gt; ${BASEDIR}\/shadow.mig\ncp \/etc\/gshadow ${BASEDIR}\/gshadow.mig\n\n# Copy configuration files of users, groups and credentials to a remote host\nscp -r ${BASEDIR}\/* root@${TARGETHOST}:${BASEDIR}\/\n\n# Import users, groups and credentials on a remote host\nssh root@${TARGETHOST} BASEDIR=\"\/root\/migration\/userdata\" \/bin\/bash&lt;&lt;\"EOF\"\n  while IFS=\":\" read -r user x uid x; do [[ $uid -ge 1000 &amp;&amp; $uid != 65534 ]] &amp;&amp; userdel \"$user\"; done &lt;\/etc\/passwd\n  while IFS=\":\" read -r user x uid x; do [[ $uid -ge 1000 &amp;&amp; $uid != 65534 ]] &amp;&amp; groupdel \"$user\"; done &lt;\/etc\/group\n  cat ${BASEDIR}\/passwd.mig &gt;&gt; \/etc\/passwd\n  cat ${BASEDIR}\/group.mig &gt;&gt; \/etc\/group\n  cat ${BASEDIR}\/shadow.mig &gt;&gt; \/etc\/shadow\n  cp -nf ${BASEDIR}\/gshadow.mig \/etc\/gshadow\nEOF<\/code><\/pre>\n<\/div>\n<h5>Migration of opendkim keys<\/h5>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>-----------------------------------------------------------------\n[root@mail ~]# vi \/root\/migration\/opendkim.migration.sh\n-----------------------------------------------------------------\n#!\/bin\/bash\n\n# Description:\n# This script will be used to copy opendkim related configuration files from an old to a new host.\n#\n# Version 1.0\n# Date 06. 
July 2021\n\n# Specify variables here\nTARGETHOST=10.0.1.33\n\n# Copy configuration files of opendkim to a remote host\nscp \/etc\/opendkim.conf root@${TARGETHOST}:\/etc\/opendkim.conf\nscp \/etc\/opendkim\/TrustedHosts root@${TARGETHOST}:\/etc\/opendkim\/TrustedHosts\nscp \/etc\/opendkim\/SigningTable root@${TARGETHOST}:\/etc\/opendkim\/SigningTable\nscp \/etc\/opendkim\/KeyTable root@${TARGETHOST}:\/etc\/opendkim\/KeyTable\n\n# Synchronize the DKIM private keys to the same target host\nrsync -avvzhe ssh --progress \/etc\/opendkim\/keys root@${TARGETHOST}:\/etc\/opendkim<\/code><\/pre>\n<\/div>\n<h5>Migration of sendmail configuration<\/h5>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>-----------------------------------------------------------------\n[root@mail ~]# vi \/root\/migration\/sendmail.migration.sh\n-----------------------------------------------------------------\n#!\/bin\/bash\n\n# Description:\n# This script will be used to copy sendmail related configuration files from an old to a new host.\n#\n# Version 1.0\n# Date 06. 
July 2021\n\n# Specify variables here\nTARGETHOST=10.0.1.33\n\n# Copy configuration files of sendmail to a remote host\nscp \/etc\/aliases root@${TARGETHOST}:\/etc\/aliases\nscp \/etc\/mail\/access root@${TARGETHOST}:\/etc\/mail\/access\nscp \/etc\/mail\/local-host-names root@${TARGETHOST}:\/etc\/mail\/local-host-names\nscp \/etc\/mail\/domaintable root@${TARGETHOST}:\/etc\/mail\/domaintable\nscp \/etc\/mail\/trusted-users root@${TARGETHOST}:\/etc\/mail\/trusted-users\nscp \/etc\/mail\/virtusertable root@${TARGETHOST}:\/etc\/mail\/virtusertable\n\n# Restart sendmail on a remote host\nssh -t root@${TARGETHOST} 'systemctl restart sendmail'<\/code><\/pre>\n<\/div>\n<h5>Migration of mariadb data<\/h5>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>-----------------------------------------------------------------\n[root@mail ~]# vi \/root\/migration\/mariadb.migration.sh\n-----------------------------------------------------------------\n#!\/bin\/bash\n\n# Description:\n# This script will be used to dump mariadb databases on an old host and restore them to a new host.\n#\n# Version 1.0\n# Date 06. 
July 2021\n\n# Specify variables here\nTARGETHOST=10.0.1.33\nTARGETFILE=\/root\/migration\/mariadb_full.sql\nDB_ROOT=root\nDB_PASS=somepassword\n\n# Dump whole database server\nmysqldump --all-databases -u ${DB_ROOT} -p${DB_PASS} &gt; ${TARGETFILE}\n\n# Transfer files to a new host\nscp ${TARGETFILE} root@${TARGETHOST}:${TARGETFILE}\n\n# Restore dump remotely on a new host and restart mariadb\n# Double quotes are required so that ${DB_PASS} and ${TARGETFILE} are expanded locally before the command is sent to the remote shell\nssh -t root@${TARGETHOST} \"mysql -u root -p${DB_PASS} &lt; ${TARGETFILE}\"\nssh -t root@${TARGETHOST} 'systemctl restart mariadb'<\/code><\/pre>\n<\/div>\n<h5>Migration of mail data<\/h5>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>-----------------------------------------------------------------\n[root@mail ~]# vi \/root\/migration\/mail.migration.sh\n-----------------------------------------------------------------\n#!\/bin\/bash\n\n# Description:\n# This script will be used to synchronize users' mail data from an old to a new host.\n#\n# Version 1.0\n# Date 06. 
July 2021\n\n# Specify variables here\nTARGETHOST=10.0.1.33\n\n# Synchronize folders\nrsync -avvzhe ssh --progress \/var\/spool\/mail root@${TARGETHOST}:\/var\/spool\nrsync -avvzhe ssh --progress \/home root@${TARGETHOST}:\/<\/code><\/pre>\n<\/div>\n<p>Make all scripts executable<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>[root@mail ~]# chmod +x \/root\/migration\/*.migration.sh<\/code><\/pre>\n<\/div>\n<p>Configure crontab to migrate data automatically in the background<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>[root@mail ~]# crontab -e\n\n# Server migration\n00 2 * * * \/root\/migration\/user.migration.sh &gt;&gt; \/var\/log\/user.migration.log 2&gt;&amp;1\n05 2 * * * \/root\/migration\/opendkim.migration.sh &gt;&gt; \/var\/log\/opendkim.migration.log 2&gt;&amp;1\n10 2 * * * \/root\/migration\/sendmail.migration.sh &gt;&gt; \/var\/log\/sendmail.migration.log 2&gt;&amp;1\n15 2 * * * \/root\/migration\/mariadb.migration.sh &gt;&gt; \/var\/log\/mariadb.migration.log 2&gt;&amp;1\n20 2 * * * \/root\/migration\/mail.migration.sh &gt;&gt; \/var\/log\/mail.migration.log 2&gt;&amp;1<\/code><\/pre>\n<\/div>\n<p>After the first initial synchronisation, make sure the correct rights are applied on the new host.<\/p>\n<p>Apply the correct rights to the inbox files in \/var\/spool\/mail<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>[root@mail ~]# cd \/var\/spool\/mail\n[root@mail mail]# for n in *; do chown \"$n\":users \"$n\"; done<\/code><\/pre>\n<\/div>\n<p>Apply the correct rights to the inbox files in \/home (if required)<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>[root@mail ~]# cd \/home\n[root@mail home]# for n in *; do chown -R \"$n\":users \"$n\"; done<\/code><\/pre>\n<h4>Appendix<\/h4>\n<p>A user of our mailhost was affected by the following 
problem: a sender received a &#8220;Mail Delivery Error&#8221; from the &lt;MAILER DAEMON&gt; in reply to a mail sent to our customer.<\/p>\n<div class=\"hcb_wrap\">\n<pre class=\"prism undefined-numbers lang-bash\" data-lang=\"Bash\"><code>The original message was received at Tue, 23 Nov 2021 11:12:03 +0100 from mxout017.mail.xxx.ch [1.2.3.4]\n\u00a0\u00a0 ----- The following addresses had permanent fatal errors ----- \"|\/etc\/usermin\/forward\/autoreply.pl \/home\/info.xxx.ch\/autoreply.txt info.treuhand-2000.ch\"\n\u00a0\u00a0\u00a0 (expanded from: &lt;info@xxx.ch&gt;)\n\u00a0\u00a0 ----- Transcript of session follows -----\n550 5.7.1 \/home\/info.xxx.ch\/.forward: line 2: \"|\/etc\/usermin\/forward\/autoreply.pl \/home\/info.xxx.ch\/autoreply.txt info.xxx.ch\"... User info.xxx.ch@mail.xxx.ch doesn't have a valid shell for mailing to programs<\/code><\/pre>\n<\/div>\n<\/div>\n<p>Usually that error message means that the login shell of the affected user is not listed in \/etc\/shells, so the MTA refuses to honor any pipe destinations in the user's .forward file (because they require invoking the user's login shell). Either change the user's login shell to one that is listed in \/etc\/shells, or add the shell to \/etc\/shells.<\/p>\n<p>Our user had the following shell assigned: \/sbin\/nologin. This shell was not present in \/etc\/shells &#8211; we had to add it; afterwards the issue disappeared. 
Additionally we also added \/usr\/bin\/nologin to the \/etc\/shells file.<\/p>\n\n","protected":false},"excerpt":{"rendered":"<p>We where already prepared to switch our servers from CentOS 7 to 8 but our project stopped immediately after we heard about the abrupt end of CenOS\u00a0&#8211; so we where [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":1463,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"How to install\/migrate sendmail\/procmail\/spamassassin\/dovecot\/opendkim\/bind\/apache\/mariadb\/egroupware\/bind on\/from CentOS7 to Rocky Linux 8","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[4],"tags":[156,152,154,10,155,153,151,100],"class_list":["post-1292","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","tag-dcc","tag-dovecot","tag-egroupware","tag-linux","tag-opendkim","tag-openssl","tag-rocky","tag-sendmail"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/www.web-workers.ch\/wp-content\/uploads\/2021\/11\/tux-on-htop-featured1.jpg?fit=1366%2C768&ssl=1","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p8sxjX-kQ","jetpack-related-posts":[],"jetpack_likes_enabled":true,"_links":{"self":[{"href":"https:\/\/www.web-workers.ch\/index.php\/wp-json\/wp\/v2\/posts\/1292","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.web-workers.ch\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"ht
tps:\/\/www.web-workers.ch\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.web-workers.ch\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.web-workers.ch\/index.php\/wp-json\/wp\/v2\/comments?post=1292"}],"version-history":[{"count":76,"href":"https:\/\/www.web-workers.ch\/index.php\/wp-json\/wp\/v2\/posts\/1292\/revisions"}],"predecessor-version":[{"id":1595,"href":"https:\/\/www.web-workers.ch\/index.php\/wp-json\/wp\/v2\/posts\/1292\/revisions\/1595"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.web-workers.ch\/index.php\/wp-json\/wp\/v2\/media\/1463"}],"wp:attachment":[{"href":"https:\/\/www.web-workers.ch\/index.php\/wp-json\/wp\/v2\/media?parent=1292"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.web-workers.ch\/index.php\/wp-json\/wp\/v2\/categories?post=1292"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.web-workers.ch\/index.php\/wp-json\/wp\/v2\/tags?post=1292"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}