elmau
/
iredmail-doc
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
iredmail-doc/html_bk/backup.restore.html

381 lines
18 KiB
HTML
Raw Blame History

<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Backup and restore</title>
<link rel="stylesheet" type="text/css" href="./css/markdown.css" />
</head>
<body>
<div id="navigation">
<a href="https://www.iredmail.org" target="_blank">
<img alt="iRedMail web site"
src="./images/logo-iredmail.png"
style="vertical-align: middle; height: 30px;"
/>&nbsp;
<span>iRedMail</span>
</a>
&nbsp;&nbsp;//&nbsp;&nbsp;<a href="./index.html">Document Index</a></div><h1 id="backup-and-restore">Backup and restore</h1>
<div class="toc">
<ul>
<li><a href="#backup-and-restore">Backup and restore</a><ul>
<li><a href="#backup">Backup</a><ul>
<li><a href="#backup-mailboxes">Backup mailboxes</a></li>
<li><a href="#backup-mail-accounts">Backup mail accounts</a></li>
<li><a href="#backup-additional-data-manually">Backup additional data manually</a></li>
</ul>
</li>
<li><a href="#restore">Restore</a><ul>
<li><a href="#how-to-restore-sql-databases">How to restore SQL databases</a><ul>
<li><a href="#after-restored-databases">After restored databases</a></li>
</ul>
</li>
<li><a href="#ldap">LDAP</a><ul>
<li><a href="#how-to-restore-openldap-backup">How to restore OpenLDAP backup</a></li>
<li><a href="#how-to-restore-openbsd-ldapd8-backup">How to restore OpenBSD ldapd(8) backup</a></li>
<li><a href="#after-ldap-restore">After LDAP restore</a></li>
</ul>
</li>
</ul>
</li>
</ul>
</li>
</ul>
</div>
<h2 id="backup">Backup</h2>
<h3 id="backup-mailboxes">Backup mailboxes</h3>
<p>All mailboxes are stored under <code>/var/vmail/vmail1</code> by default, this path is
configurable during iRedMail installation, so the real directory may be
different on your server.</p>
<p>Mail messages are stored in Maildir format by default, that means one mail
message is one plain text file (but mail body is encoded), you can backup
mailboxes with tool like <code>rsync</code> or other backup tools.</p>
<p>After restored mailboxes, <code>/var/vmail/vmail1</code> must be owned by user <code>vmail</code>,
group <code>vmail</code>, permission <code>0700</code> on iRedMail server.</p>
<h3 id="backup-mail-accounts">Backup mail accounts</h3>
<p>Mail accounts are stored in SQL/LDAP database. iRedMail provides shell scripts
to backup SQL/LDAP databases, you can find them in downloaded iRedMail release,
or find them in <a href="https://github.com/iredmail/iRedMail/tree/master/tools">iRedMail source code repository</a>:</p>
<ul>
<li><code>iRedMail-[VERSION]/tools/backup_openldap.sh</code>: used to backup OpenLDAP data.</li>
<li><code>iRedMail-[VERSION]/tools/backup_ldapd.sh</code>: used to backup OpenBSD ldapd(8).</li>
<li><code>iRedMail-[VERSION]/tools/backup_mysql.sh</code>: used to backup MySQL/MariaDB databases.</li>
<li><code>iRedMail-[VERSION]/tools/backup_pgsql.sh</code>: used to backup PostgreSQL databases.</li>
</ul>
<p>iRedMail will setup a daily cron job to run backup script(s) during
installation, so what you need to do is checking whether or not they're
defined as cron jobs with below commands:</p>
<pre><code># crontab -l -u root
</code></pre>
<p>Sample output on an iRedMail server with OpenLDAP backend:</p>
<pre><code># iRedMail: Backup OpenLDAP data every day on 03:01 AM
1 3 * * * /bin/bash /var/vmail/backup/backup_openldap.sh
# iRedMail: Backup MySQL databases every day on 03:10 AM
10 3 * * * /bin/bash /var/vmail/backup/backup_mysql.sh
</code></pre>
<p>Notes:</p>
<ul>
<li>Backup files are stored under directory defined in parameter <code>BACKUP_ROOTDIR</code>
in backup scripts, default is <code>/var/vmail/backup</code>.</li>
<li>SQL backup is plain SQL file, LDAP backup is plain LDIF file.</li>
<li>Backup files are compressed with <code>bzip2</code> by default, you can decompress them
with command <code>bunzip2</code>. for example, <code>bunzip2 file_name.bz2</code>.</li>
<li>It's ok to run the backup scripts manually.</li>
</ul>
<h3 id="backup-additional-data-manually">Backup additional data manually</h3>
<ul>
<li>
<p>DKIM keys. They're stored under <code>/var/lib/dkim/</code> by default. If you don't
backup them, it's ok to generate new keys and you must update DNS record
(<code>dkim._domainkey.[YOUR_MAIL_DOMAIN]</code>) with new DKIM key. Refer to another
document to generate DKIM key and update DNS record:
<a href="./sign.dkim.signature.for.new.domain.html">Sign DKIM signature on outgoing emails for new mail domain</a>.</p>
</li>
<li>
<p>SOGo (Calendar, Contacts, Tasks): check SOGo official document:
<a href="http://wiki.sogo.nu/backupRestore">http://wiki.sogo.nu/backupRestore</a></p>
<ul>
<li>since iRedMail-0.9.7, iRedMail will setup a daily cron job to backup SOGo
data during iRedMail installation.</li>
<li>
<p>When restoring (with <code>sogo-tool</code>), you have to first restore all users
and their folders, then their preferences. Afterwards you have to restore
all preferences again to get back shared calendars.</p>
<p>That is because first it sets the sharing privileges on the folders
(which have to exist, before you can set them). The sharing will not
work in most cases, because the privileges of the origin is not yet set.
Only the second restore of the preferences can set the shared folders,
because now the privileges are OK.</p>
<p>Make sure to restart memcached between the two restores of the
privileges, else SOGo will use old infos from the first run.</p>
</li>
</ul>
</li>
<li>
<p>OpenLDAP backend:</p>
<ul>
<li>If you enabled additional LDAP schema files in OpenLDAP, you should
backup them, copy them to new server and enable them. Otherwise you
cannot import backup LDIF file due to missing required LDAP attributes.</li>
</ul>
</li>
</ul>
<h2 id="restore">Restore</h2>
<h3 id="how-to-restore-sql-databases">How to restore SQL databases</h3>
<p>You can simply restore plain SQL files backed up by above backup scripts.</p>
<div class="admonition warning">
<p class="admonition-title">Warning</p>
<p>If you're restoring on a <strong>NEW</strong> iRedMail server, do <strong>NOT</strong>
restore the database which is named <code>mysql</code> exported from old server, it
contains SQL usernames and passwords used in many components (e.g. Postfix,
Dovecot, Roundcube webmail) on old server. New iRedMail server already has
the same SQL accounts with different passwords, so please do not restore
<code>mysql</code> database, otherwise almost all services won't work due to incorrect
SQL credentials.</p>
</div>
<h4 id="after-restored-databases">After restored databases</h4>
<p>If you're restoring from an old iRedMail release, you need to update SQL
structure first.</p>
<p>For example, If you're restoring iRedMail from <code>0.9.1</code> to <code>0.9.5</code>, you must
check upgrade tutorials for iRedMail-0.9.1 and newer releases, then apply all
SQL structure changes mentioned in the upgrade tutorials.</p>
<p>You can find <a href="./iredmail.releases.html">all iRedMail upgrade tutorials here</a>.</p>
<h3 id="ldap">LDAP</h3>
<div class="admonition attention">
<p class="admonition-title">Attention</p>
<ul>
<li>If you backup with <code>slapcat</code> command, you must restore the backup with
<code>slapadd</code> command.</li>
<li>If you backup with <code>ldapsearch</code> command or phpLDAPadmin, you must restore
the backup with <code>ldapadd</code> command.</li>
</ul>
</div>
<h4 id="how-to-restore-openldap-backup">How to restore OpenLDAP backup</h4>
<p>Backup script runs command <code>slapcat</code> to dump whole LDAP tree as a backup, it
must be so restored with command <code>slapadd</code>.</p>
<p>Below example shows how to restore a LDAP backup on RHEL/CentOS 6.x, files and
directories may be different on other Linux/BSD distributions, you can find
the correct ones in this tutorial:
<a href="./file.locations.html#openldap">Locations of configuration and log files of major components</a>.</p>
<ul>
<li>
<p>LDAP backups are stored under <code>/var/vmail/backup/ldap/[YEAR]/[MONTH]</code> by
default, for example, <code>/var/vmail/backup/ldap/2015/05/</code>. And it's compressed
with <code>bzip2</code> command to save disk space. we must decompress it first.</p>
</li>
<li>
<p>Go to the backup directory, find the latest backup. here we use backup file
<code>2015-05-10-03:01:01.ldif.bz2</code> for example.</p>
</li>
</ul>
<pre><code># cd /var/vmail/backup/ldap/2015/05/
# bunzip2 2015-05-10-03:01:01.ldif.bz2
# ls -l 2015-05-10-03:01:01.ldif
-rw-r--r-- 1 root root 7352 May 10 03:01 2015-05-10-03:01:01.ldif
</code></pre>
<ul>
<li>
<p>Find passwords for <code>cn=vmail,dc=xx,dc=xx</code> and <code>cn=vmailadmin,dc=xx,dc=xx</code>
in the root directory of iRedMail installation directory on <strong>NEW</strong> iRedMail
server. for example, <code>/root/iRedMail-0.9.0/iRedMail.tips</code>. Notes:</p>
<ul>
<li>They're plain passwords, not hashed or encrypted.</li>
<li>You can also find <code>cn=vmail</code>'s password in Postfix config files under
<code>/etc/postfix/mysql</code> (MySQL/MariaDB backend) or
<code>/etc/postfix/pgsql</code> (PostgreSQL backend).</li>
<li>You can also find <code>cn=vmailadmin</code>'s password in
<a href="./file.locations.html#iredadmin">iRedAdmin config file</a>.</li>
</ul>
</li>
</ul>
<p>Below is sample copy in file <code>iRedMail.tips</code>.</p>
<pre><code>OpenLDAP:
...
* LDAP bind dn (read-only): cn=vmail,dc=example,dc=com, password: py2BQwM0zoRM5nciK68AlP8dyu2Mq6
* LDAP admin dn (used for iRedAdmin): cn=vmailadmin,dc=example,dc=com, password: 9wr0mHeVYz2uaxSAGBLucVkOgYPSBB
</code></pre>
<ul>
<li>Now hash them with command <code>slappasswd</code>:</li>
</ul>
<pre><code># slappasswd -h '{ssha}' -s 'py2BQwM0zoRM5nciK68AlP8dyu2Mq6' # &lt;- cn=vmail's password
{SSHA}eJEO2yGVryVw+mZ/Qd2HMSyrl6u9WDhd
# slappasswd -h '{ssha}' -s '9wr0mHeVYz2uaxSAGBLucVkOgYPSBB' # &lt;- cn=vmailadmin's password
{SSHA}lWt6zjOOUq+2WUmiAea2FXLB4oHMYvIb
</code></pre>
<ul>
<li>
<p>Open the backup file <code>2015-05-10-03:01:01.ldif</code> with your favourite text
editor, find <code>usePassword</code> line of <code>cn=vmail</code> and <code>cn=vmailadmin</code>.
<strong>Important notes</strong>:</p>
<ul>
<li>A line that begins with a SPACE denotes that the characters following the
space are part of the previous line.</li>
<li>There're two colons after <code>userPassword</code> string (<code>userPassword::</code>).</li>
</ul>
</li>
</ul>
<p>Below is a sample copy in <code>2015-05-10-03:01:01.ldif</code>:</p>
<pre><code>dn: cn=vmail,dc=iredmail,dc=org
...
userPassword:: e1NTSEF7F8AwbjVqeER1R1dXVmREN1RJU8NtdnFHN0hnekdWYzVHSG9iWEE9PQ= # &lt;- remove this line
= # &lt;- remove this line
...
dn: cn=vmailadmin,dc=iredmail,dc=org
userPassword:: e1NTSEF9alZi8E12dS9FNllaMktteFh7YkZham1mM3Jqc21cdEFsZjJIeEE9PQ= # &lt;- remove this line
= # &lt;- remove this line
...
</code></pre>
<p>Replace these two <code>userPassword</code> lines by the newly generated ssha passwords,
save your change, exit your text editor.</p>
<pre><code>dn: cn=vmail,dc=iredmail,dc=org
...
userPassword: {SSHA}eJEO2yGVryVw+mZ/Qd2HMSyrl6u9WDhd
...
dn: cn=vmailadmin,dc=iredmail,dc=org
userPassword: {SSHA}lWt6zjOOUq+2WUmiAea2FXLB4oHMYvIb
...
</code></pre>
<p><strong>Important note</strong>: There's only <strong>ONE</strong> colon after <code>userPassword</code> string
(<code>userPassword:</code>).</p>
<ul>
<li>OpenLDAP service must be stopped while restoring backup. So we stop it first:</li>
</ul>
<pre><code># /etc/init.d/ldap stop
</code></pre>
<ul>
<li>
<p>If you enabled additional LDAP schema files on old server, you <code>MUST</code> copy
these schema files to new server, and enable them in OpenLDAP on new server,
also add new indexes for attributes defined in these additional LDAP schema
files if necessary. Otherwise you may not be able to import backup LDIF file
due to missing required attributes.</p>
</li>
<li>
<p>Remove all files under OpenLDAP data directory defined in LDAP config file
<code>slapd.conf</code> (parameter <code>directory</code>) except file <code>DB_CONFIG</code> (this file
doesn't exist if you're running <code>mdb</code> backend, so you can ignore it if you're
running <code>mdb</code> backend).
For example:</p>
</li>
</ul>
<div class="admonition note">
<p class="admonition-title">About file DB_CONFIG</p>
<p>File <code>DB_CONFIG</code> is present if you're running <code>bdb</code> backend.
But <code>mdb</code> backend doesn't need any config file for database, so you can
ignore this file if you're running <code>mdb</code> backend.</p>
</div>
<pre><code># File: /etc/openldap/slapd.conf
...
database bdb
suffix dc=iredmail,dc=org
directory /var/lib/ldap/iredmail.org
...
</code></pre>
<p>So you should remove all files under directory <code>/var/lib/ldap/iredmail.org</code>
except <code>/var/lib/ldap/iredmail.org/DB_CONFIG</code>.</p>
<pre><code># cd /var/lib/ldap/iredmail.org/
# mv DB_CONFIG ~
# rm -rf /var/lib/ldap/iredmail.org/*
# mv ~/DB_CONFIG .
</code></pre>
<ul>
<li>Start OpenLDAP service immediately, then stop it again. it will help create
necessary files required by backend db (<code>dbd</code> in our case, <code>database dbd</code>).</li>
</ul>
<pre><code># /etc/init.d/slapd start
# /etc/init.d/slapd stop
</code></pre>
<ul>
<li>Make sure OpenLDAP server is <strong>NOT</strong> running, then restore backup LDIF file
with command <code>slapadd</code>.</li>
</ul>
<pre><code># slapadd -f /etc/openldap/slapd.conf -l /path/to/backup/backup.ldif
</code></pre>
<ul>
<li>It's OK to start OpenLDAP server now. It may report errors like below:</li>
</ul>
<pre><code># /etc/init.d/slapd start
Stopping slapd: [ OK ]
/var/lib/ldap/iredmail.org/mailMessageStore.bdb is not owned[WARNING]&quot;
/var/lib/ldap/iredmail.org/objectClass.bdb is not owned by &quot;[WARNING]
...
Checking configuration files for slapd: config file testing succeeded
[ OK ]
Starting slapd: [ OK ]
</code></pre>
<p>If you see above warning about improper file ownership, please set correct file
owner on newly created bdb files immediately, then restart OpenLDAP service:</p>
<pre><code># chown ldap:ldap /var/lib/ldap/iredmail.org/*.bdb
# /etc/init.d/ldap restart
</code></pre>
<p>If you're restoring LDAP data from an old iRedMail server, you should add
missing LDAP attribute/values, which are introduced in newer iRedMail releases,
by following step below: <a href="#after-ldap-restore">After LDAP Restore</a>.</p>
<h4 id="how-to-restore-openbsd-ldapd8-backup">How to restore OpenBSD ldapd(8) backup</h4>
<p>iRedMail-0.9.5 and later releases ships script
<code>/var/vmail/backup/backup_ldapd.sh</code> for daily backup. It backs up data with
command <code>ldapsearch</code> (not <code>slapcat</code> - which is used for OpenLDAP), so you have
to restore its data with command <code>ldapadd</code>.</p>
<ul>
<li>Stop ldapd service first.</li>
</ul>
<pre><code>rcctl stop ldapd
</code></pre>
<ul>
<li>Remove all files under ldapd data directory <code>/var/db/ldap/</code>.</li>
<li>Start ldapd service.</li>
</ul>
<pre><code>rcctl start ldapd
</code></pre>
<ul>
<li>
<p>Import backup LDIF file:</p>
<ul>
<li>Please replace <code>cn=Manager,dc=xx,dc=xx</code> by the real LDAP root dn.</li>
<li>Please replace <code>/path/to/backup.ldif</code> by the real path of backup LDIF file.</li>
</ul>
</li>
</ul>
<pre><code># ldapadd -x -D 'cn=Manager,dc=xx,dc=xx' -W -f /path/to/backup.ldif
</code></pre>
<p>If you're restoring LDAP data from an old iRedMail server, you should add
missing LDAP attribute/values, which are introduced in newer iRedMail releases,
by following step below: <a href="#after-ldap-restore">After LDAP Restore</a>.</p>
<h4 id="after-ldap-restore">After LDAP restore</h4>
<p>If you're restoring from an old iRedMail release, you need to add missing LDAP
attribute/values, which are introduced in new iRedMail releases, by running
Python scripts below: <a href="https://github.com/iredmail/iRedMail/tree/master/update/ldap">https://github.com/iredmail/iRedMail/tree/master/update/ldap</a></p>
<p>For example:</p>
<ul>
<li>
<p>If you're restoring iRedMail from <code>0.9.1</code> to <code>0.9.5</code>, you must run all update
scripts for iRedMail-0.9.1 and newer releases. In this case, only file
<code>updateLDAPValues_094_to_095.py</code> listed in above link is required.</p>
</li>
<li>
<p>If you're restoring iRedMail from <code>0.8.6</code> to <code>0.9.5</code>, you need 3 files:</p>
<ul>
<li><code>updateLDAPValues_086_to_087.py</code></li>
<li><code>updateLDAPValues_087_to_090.py</code></li>
<li><code>updateLDAPValues_094_to_095.py</code></li>
</ul>
</li>
</ul>
<p>Please open the file you need to run, for example, <code>updateLDAPValues_094_to_095.py</code>,
find parameters like below:</p>
<pre><code>uri = 'ldap://127.0.0.1:389'
basedn = 'o=domains,dc=example,dc=com'
bind_dn = 'cn=Manager,dc=example,dc=com'
bind_pw = 'passwd'
</code></pre>
<p>Please update them with the correct LDAP prefix (<code>dc=xx,dc=xx</code>) and bind
password, then run it with <code>python</code> command:</p>
<pre><code>python updateLDAPValues_094_to_095.py
</code></pre><div class="footer">
<p style="text-align: center; color: grey;">All documents are available in <a href="https://github.com/iredmail/docs/">GitHub repository</a>, and published under <a href="http://creativecommons.org/licenses/by-nd/3.0/us/" target="_blank">Creative Commons</a> license. You can <a href="https://github.com/iredmail/docs/archive/master.zip">download the latest version</a> for offline reading. If you found something wrong, please do <a href="https://www.iredmail.org/contact.html">contact us</a> to fix it.</p>
</div></body></html>
Reference in New Issue View Git Blame Copy Permalink