Migration of EFA 3.x vSphere Virtual Appliance to CentOS 8 Virtual Appliance 4.x

Mindwatering Incorporated

Author: Tripp W Black

Created: 02/13 at 08:24 PM

 

Category:
Linux
Mail

Migration of EFA-3.0.2.8 Appliance to 4.x Virtual Machine with CentOS 8 and EFA 4.x


Overview:
This will be a swing migration. This will entail a backup of the old mail gateway, and a restoration to a new one.
Expect the process to take between 30 minutes for a small environment, and around 2 hours for a larger one.


Part 1: Inventory the existing (old) mail gateway
$ ssh myadmin@mymx.mindwatering.net
<pwd>

Typically the login automatically runs the EFA Configuration program.
"Welcome to the EFA Configuration program"

Choose option: 15) Maintenance Mode
[eFa] : Enter EFA Maintenance Mode? (y/N/c): y
Press [Enter] key to continue... <enter>

Choose option: 1) Shell
We need the current configuration. Use the EFA-Config file.
$ sudo vi /etc/EFA-Config
<pwd>

Output is similar to:
HOSTNAME:mymx
DOMAINNAME:mindwatering.net
ADMINEMAIL:myadmin@mindwatering.com
INTERFACE:ens160
IPADDRESS:192.168.123.123
NETMASK:255.255.255.0
GATEWAY:192.168.123.1
DNS1:111.122.133.123
DNS2:111.133.133.123
IANA:us
MAILSERVER:192.168.123.111
ORGNAME:Mindwatering
. . .
POSTMASTEREMAIL:myadmin@mindwatering.net

- Note your specific values for the above; the new server will use the same values.
- Since the new mail gateway will have the same IP, then we will need to make sure that that the new server has a different temporary IP until the backup and transfer of files is complete.



Part 2: Create the new VM.
The instructions will vary depending on your vSphere set-up.

Cluster <right click> --> New Virtual Machine --> New Virtual Machine ...
> 1 Select a creation type:
Choose Deploy from template --> Next.
> 2 Select a template:
Click Content Library or Data Center and choose CentOS 8 Minimal with SSH template --> Next.
> 3 Select a name and folder:
Virtual machine name: MailGateway1 --> Select a location for the virtual machine --> <Folder> --> Next.
> 4 Select a compute resource:
Cluster --> Select cluster or ESXi host --> Next.
> 5 Select storage:
Select virtual disk format: Same format as source
Select storage location <SAN-DS3>
> Select clone options:
<Disable/uncheck> Customize the operation system
<Enable/checked> Customize the virtual machine hardware
<Enable/checked> Power on virtual machine after creation
--> Next.
> Customize hardware:
CPU: 2
Memory: 8 GB
Hard Disk 1: 100 GB
Hard Disk 2: (x) (to remove) Delete files from datastore (checked)
--> Next.
Click Finish.

Once VM Starts, we will change the password, and set-up the firewall ports.
Note the current IP of the new appliance.
e.g. 192.168.123.99

$ ssh myadmin@192.168.123.99
<enter clone password>

Change the clone's default password to a new one:
$ passwd
<enter clone current password again>
<enter new password twice>

We need to patch the system.
$ sudo yum update
<enter (new) password>

Update the firewall for the ports that eFa requires:
Requires 25 TCP in and out, 53 UDP out, 80 TCP in and out, 443 TCP in and out, 2703 TCP out (Razor), 24441 UDP out (Pyzor), and 6277 UDP out (DCC).
As our existing template rules already have outgoing rules allowing these ports, and SSH incomding, we'll only add the other incoming ports above. Adjust for your environment, accordingly.
$ sudo firewall-cmd --zone=public --add-port=25/tcp --permanent
$ sudo firewall-cmd --zone=public --add-port=80/tcp --permanent
$ sudo firewall-cmd --zone=public --add-port=443/tcp --permanent
$ sudo firewall-cmd --reload
$ sudo firewall-cmd --state

If not running, check the status, and enable the service:
$ sudo systemctl status firewalld
<cntl c>
If not enabled,
$ sudo systemctl enable firewalld
$ sudo systemctl start firewalld

Install SSHFS, in order to transfer files. SSHFS is in the EPEL-Release. (Alternately, you can use Filezilla to transfer to your workstation from the old gateway and transfer to the new one.)
In addition, the PowerTools has been waffling between PowerTools and powertools. As of 2021/01, it's back to lowercase.
$ sudo yum config-manager --set-enabled powertools
$ sudo yum install sshfs
... Installing: fuse-sshfs (the name shift is expected).

Note: We installed PowerTools now, because with the name change, it will cause a failure in the eFa setup in step 5 below.



Part 3: Back-up the old mail gateway.
1. Create a VM snapshot.
Locate the VM --> <right click> Snapshots --> Take Snapshot ... --> In the dialog, enter a description and click Create.

2. Stop postfix:
$ sudo service postfix stop

3. Preform the backups:
For some reason the backup program isn't already executable, we will add the executable flag.
$ sudo su
# chmod +x /usr/local/sbin/EFA-Backup
# /usr/local/sbin/EFA-Backup -backup
[EFA] Good you are root
Beginning System Backup at 20210213 223846
Backup Completed at 02132021 223850

Note the date name of the backup. We'll need it later.

As we will be copying the files from the new VM, we will now change the permissions so "anyone" can read the files.
# chmod -R 775 /var/spool/MailScanner/quarantine
# chmod -R 775 /var/EFA/backup/*
# sa-learn --backup > /home/myadmin/backup.txt
(That's two dashes for --backup above.)

If we have DKIM set-up, then get that ready, as well:
# chmod -R 775 /etc/opendkim/*
# exit
$ exit



Part 4: Install eFa 4 onto the new VM.
$ cd /home/myadmin/tmp/
$ sudo curl -sSL https://install.efa-project.org | bash
<wait a while, watch for any errors>

Note:
We will not reboot now, but copy the backup files first. If you choose to reboot, you'll have to enter "n" to not configure eFa, yet.



Part 5: Copy the back-up to the new VM mx gateway.
On the new gateway (VM) terminal, we will copy the back from the old gateway VM (192.168.123.123, in our case) ...
$ sudo su
< enter pwd>
# sshfs myadmin@192.168.123.123:/ /mnt
< yes, to accept cert>

Copy the backups to the new VM, use the name from above.
# cp /mnt/var/EFA/backup/backup-20210213-223846.tar.gz /var/eFa/backup
# chmod 600 /var/eFa/backup/backup-20210213-223846.tar.gz
# chown root:root /var/eFa/backup/backup-20210213-223846.tar.gz
# cp /mnt/home/myadmin/backup.txt /home/myadmin/backup.txt

Copy the current quarantine:
# cp -ra /mnt/var/spool/MailScanner/quarantine/* /var/spool/MailScanner/quarantine
<wait - this will take a while>
# chmod -R 750 /var/spool/MailScanner/quarantine/*
# chown -R postfix:mtagroup /var/spool/MailScanner/quarantine/*

If we are using opendkim, we also have to do:
# yum -y install opendkim
# mkdir -p /etc/opendkim
# cp -ra /mnt/etc/opendkim/* /etc/opendkim
< yes to overwrite>
# chown -R opendkim:opendkim /etc/opendkim/*
# chmod -R 750 /etc/opendkim/*
# cp /mnt/etc/opendkim.conf /etc/opendkim.conf
< yes to overwrite>


If there is something else to be copied, we need to copy it now into place.
(e.g. custom logo, etc.)

Set the IP of the new mail gateway VM to the IP of the old machine.

Reboot, when ready:
# reboot

After the reboot, login to the terminal:
$ sudo su
<pwd>
Note:
As soon as you switch to the root user, the configuration program should run.

If you are running a root terminal from the GUI, we have seen the eFa Configure program may not start automatically.
You can run it, manually with:
/usr/sbin/eFA-Configure

... now back to the set-up...

[eFa] Start eFa first-time configure (Y/n) -> Y (answer Y)
[eFa] Press [Enter] key to continue ... <enter>

Now answer the questions from Step 1 above.
HOSTNAME: mymx
DOMAINNAME: mindwatering.net

Since VMs have more than one NIC, it will ask you to choose:
INTERFACE:ens160

It will then continue with the rest of questions:
Configure IP4: Y
IPADDRESS: 192.168.123.123
NETMASK: 255.255.255.0
GATEWAY: 192.168.123.1

Configure IP6: N

New web admin user to be forced into configuration menu on login: efaadmin
Note: If you choose the same admin account as current, e.g. myadmin, it will overwrite the current admin account.
Enter the password for the web user: <mysecurepassword>

New shell user name: efaadminssh
Note: If you choose the same admin account as current, e.g. myadmin, it will overwrite the current admin account.
Enter the password for the web user: <mysecurepassword>

Install Tools: N
Note: We have OpenVMTools already installed.

Host set to UTC time? Y
Continent: 2) Americas
Country: 49) United States
Time zone region: 1) Eastern (most areas)
Is above info OK? 1) Yes

(Default) Mailserver for your organization: 192.168.123.111
Note: You can have multiple via the Transport Postfix settings.

Organization Name: Mindwatering

On the next page, review settings for any mistakes. If none, type OK, and <enter>
<wait>

Notes:
- Since we already set-up the firewall, we will get messages that 80 and 443 are already set-up.
- We also get a Maria database SQL error for one of the early commands. However, it didn't seem to affect anything.
- The installation will do the reboot 60 seconds after the install is complete.
- The next reboot will take a while because a SELinux relabel will occur.


Part 6: Perform the restore:
Return to the eFa Configure menu
Choose 12) System Restore
Under the "disaster recovery situations" message, choose y to continue.
(answer y)

Select the only backup, e.g. 1) /var/eFa/backup/backup-20210213-223846.tar.gz
Proceed with restore? y
(answer y)
<wait>
Click <enter> to accept the reboot.

If we are using opendkim, we need to do:

$ sudo vi /etc/postfix/main.cf:

Update the following:
smtpd_milters = inet:127.0.0.1:8891 inet:127.0.0.1:33333
non_smtpd_milters = inet:127.0.0.1:8891
<esc>:wq (to save)

Restart services:
$ sudo systemctl enable opendkim
$ sudo systemctl start opendkim
$ sudo systemctl reload postfix



Part 7: Add LetsEncrypt SSL
Login as the shell user, set above.
$ ssh efaadminssh@mymx.mindwatering.net
<pwd>
The configuration menu should automatically load.
If not you must switch to root, and then load with /usr/sbin/eFa-Configure.

Choose the Lets Encrypt option: 15) Let's Encrypt
Answer y to enable.
<wait>
Would you like to use Let's Encrypt for postfix? y
<wait>
When done, click <enter> to go back to the menu.

Using a web browser, test the web login.





previous page