Convert from basic to virtual

Dan White dwhite at olp.net
Mon Oct 15 12:09:26 EDT 2012


On 10/15/12 13:06 +0200, Dominique wrote:
>Hi list(s),
>
>A few years ago we set up a simple postfix+Cyrus Mail server in the
>office (running on Ubuntu server). Across the years, we configured it to
>send and access our mails from various sources (in the office with tb,
>on the road though webgui, and recently through smartphones). All is
>well in the best of worlds. It is really basic configuration with its
>own certificate with a single domain name.
>
>Recently, we purchased two new domain names for a new project and wanted
>to include them to our mail server. I went on reading the postfix doc
>for virtual domains and got lost. Our mail users are independent from
>the linux users (virtual users) and I found a configuration description
>that looked like what I wanted. It seems the way to go, especially if we
>want to continue to add more domains in the future. However, I am not
>sure how to convert from our basic setup to a virtual domain setup,
>especially since I cannot find where and how to configure certificates
>per domain on a server with a single public IP.

To transition a cyrus installation, see:

http://cyrusimap.org/docs/cyrus-imapd/2.4.16/install-virtdomains.php

Set:

virtdomains: userid
# Mail for defaultdomain keeps reaching the existing, unqualified
# mailboxes, so set it to the domain the server already serves.
defaultdomain: original.domain

# Per-service TLS options take the cyrus.conf service name as a prefix.
# tls_cert_file is the certificate the server presents; tls_ca_file is
# only the CA bundle, so the per-domain certificates go in tls_cert_file.
origimap_tls_cert_file: /etc/ssl/orig.crt
origimap_tls_key_file: /etc/ssl/orig.key
dom1imap_tls_cert_file: /etc/ssl/dom1.crt
dom1imap_tls_key_file: /etc/ssl/dom1.key
dom2imap_tls_cert_file: /etc/ssl/dom2.crt
dom2imap_tls_key_file: /etc/ssl/dom2.key

And in cyrus.conf, include imap entries named 'origimap', 'dom1imap', and
'dom2imap', running on unique IP addresses or ports.

I'm not aware of a way to multihome cyrus imap on one IP, with support for
multiple TLS certs, without using multiple ports.

>Does anyone have experience in converting from one to the other, and
>willing to give me pointers in my conversion process. Downtime is not a
>problem, but not losing the mailboxes is.
>
>I am cross posting on both Postfix and Cyrus list, since I am not sure
>where to get the answer from.
>
>My current configuration is as follows:
>
>postconf -n
>
>alias_database = hash:/etc/aliases
>alias_maps = hash:/etc/aliases
>append_dot_mydomain = no
>biff = no
>broken_sasl_auth_clients = yes
>config_directory = /etc/postfix
>content_filter = smtp-amavis:[127.0.0.1]:10024
>disable_vrfy_command = yes
>inet_interfaces = all
>mailbox_size_limit = 0
>mailbox_transport = lmtp:unix:/var/run/cyrus/socket/lmtp
>message_size_limit = 20480000
>mydestination = mail.solipym.com, solipym, localhost.localdomain, localhost
>myhostname = mail.solipym.com
>mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128,192.168.1.0/24
>myorigin = /etc/mailname
>policyd-spf_time_limit = 3600
>readme_directory = no
>recipient_delimiter = +
>relayhost = smtp.movistar.es
>sender_canonical_maps = mysql:/etc/postfix/mysql-canonical.cf
>smtp_cname_overrides_servername = no
>smtp_sasl_auth_enable = yes
>smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
>smtp_sasl_security_options = noanonymous
>smtp_sasl_type = cyrus
>smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
>smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
>smtpd_client_restrictions = permit_mynetworks,
>permit_sasl_authenticated, check_client_access hash:/etc/postfix/access
>smtpd_delay_reject = yes
>smtpd_error_sleep_time = 15s
>smtpd_hard_error_limit = 20
>smtpd_helo_required = yes
>smtpd_recipient_restrictions = permit_sasl_authenticated,
>permit_mynetworks, reject_unauth_destination, reject_invalid_hostname,
>reject_non_fqdn_hostname, reject_non_fqdn_sender,
>reject_non_fqdn_recipient, reject_unknown_sender_domain,
>reject_unknown_recipient_domain, reject_unauth_pipelining,
>reject_rbl_client bl.spamcop.net, reject_rbl_client zen.spamhaus.org,
>reject_rbl_client blackholes.easynet.nl, reject_rbl_client
>dnsbl.njabl.org, reject_rbl_client dul.dnsbl.sorbs.net,
>check_policy_service unix:private/policyd-spf
>smtpd_sasl_auth_enable = yes
>smtpd_sasl_path = smtpd
>smtpd_sender_restrictions = reject_non_fqdn_sender, check_sender_access
>hash:/etc/postfix/access, check_sender_mx_access hash:/etc/postfix/access
>smtpd_soft_error_limit = 10
>smtpd_tls_CAfile = /etc/ssl/certs/root.crt
>smtpd_tls_cert_file = /etc/ssl/certs/server_mail_solipym_com.pem
>smtpd_tls_key_file = /etc/ssl/private/server.key
>smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
>smtpd_use_tls = yes
>virtual_alias_maps = mysql:/etc/postfix/mysql-virtual.cf
>virtual_mailbox_domains = mysql:/etc/postfix/mysql-mydestination.cf
>virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual.cf
>virtual_transport = lmtp:unix:/var/run/cyrus/socket/lmtp

For postfix, consider running multiple smtpd daemons within your
master.conf, and override your tls settings, e.g.:

# master.cf: one smtpd listener per certificate, all on the same IP but
# on different ports. The -o lines must be indented so that they are
# read as continuations of the entry above them.
192.0.2.1:smtp     inet  n       -       n       -       -       smtpd
     -o smtpd_tls_cert_file=/etc/ssl/orig.crt
     -o smtpd_tls_key_file=/etc/ssl/orig.key
192.0.2.1:2025     inet  n       -       n       -       -       smtpd
     -o smtpd_tls_cert_file=/etc/ssl/dom1.crt
     -o smtpd_tls_key_file=/etc/ssl/dom1.key
192.0.2.1:3025     inet  n       -       n       -       -       smtpd
     -o smtpd_tls_cert_file=/etc/ssl/dom2.crt
     -o smtpd_tls_key_file=/etc/ssl/dom2.key

-- 
Dan White
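
The cyrus.conf SERVICES entries that the reply above refers to but does not show, as an added example (not part of Dan White's message or of the Cyrus documentation). The service names match the imapd.conf prefixes in the reply; the address 192.0.2.1, the ports 2143/3143 and the lmtp socket path are assumptions, the last one taken from the posted postconf output.

```conf
# cyrus.conf (Cyrus IMAP 2.4), SERVICES section. Added example; the
# address and the non-standard ports are assumptions.
# Each service name is the prefix used by the per-service
# <service>_tls_cert_file / <service>_tls_key_file options in imapd.conf,
# which is how one IP ends up presenting three different certificates.
SERVICES {
  # existing domain, unchanged port, original certificate
  origimap  cmd="imapd" listen="192.0.2.1:imap"  prefork=1
  # second domain: same IP, own port, therefore own certificate
  dom1imap  cmd="imapd" listen="192.0.2.1:2143"  prefork=1
  # third domain
  dom2imap  cmd="imapd" listen="192.0.2.1:3143"  prefork=1

  # LMTP socket that the posted virtual_transport / mailbox_transport use
  lmtpunix  cmd="lmtpd" listen="/var/run/cyrus/socket/lmtp" prefork=1
}
```

After restarting Cyrus, check that each listener really presents the intended certificate, for example with `openssl s_client -connect 192.0.2.1:2143 -starttls imap` (and `-starttls smtp` against the extra Postfix ports) and reading the subject of the certificate returned. Clients for the new domains have to be pointed at the non-standard port explicitly, and with `allowplaintext: no` in imapd.conf they cannot send a cleartext password on any of these ports before STARTTLS has been negotiated.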
