It’s been three and a half years since the last post. But nothing much changed in our infrastructure and apparently those are the only posts that actually get published here. Now its time to change everything up again.
In the last three some years the container landscape has changed considerably again. From pure docker containers to orchestration environments that put full blown enterprise software to shame. All in the name of availability. Might as well also jump on that ship. Even if not full-blown kubernetes.
Having work experience with kubernetes on the side made me appreciate the separation and security of a complete container based stack of software. And some cool projects have sprung up over the last few years that made the use of software we depend on a lot easier. Especially cutting down on adminstration time in case something did blow up.
One of the last bastions of administration efforts was the mail setup which was a legacy setup that has moved along for the last 11 years. It started out as courier and exim4 and was later migrated to postfix and dovecot. Which I would consider the current default everywhere. This brought with it some legacy data that needed converting. While maildir is still the standard in non-enterprise environments our password hashes definitely weren’t, while safe they just weren’t available anymore.
Our new mail setup would be using mailu which further reduced the available hash algorithms as it uses the python passlib. So we had to improvise a little and convert some hashes along the way on the old system. It’s quite the common issue so Dovecot does have some documentation on the topic. Which I used to scrap together a quick script that converted the plain passwords to a supported new format:
#!/bin/sh
NEW_HASH=$(doveadm pw -s SHA256-CRYPT <<EOF
$PLAIN_PASS
$PLAIN_PASS
EOF
)
mysql -umigration -pmigration -Dmigration -e "REPLACE INTO mailu values ('${USER}', '${NEW_HASH}');"
exec "$@"
service imap {
executable = imap imap-postlogin
[...]
}
service imap-postlogin {
executable = script-login /etc/dovecot/migration.sh
unix_listener imap-postlogin {
}
}
userdb {
driver = sql
args = /etc/dovecot/dovecot-sql.conf.ext
default_fields = plain_pass=%w
}
I used some other setup specific shell scripts to write out mailu user, domain and alias import lines for the mailu setup and moved all the maildirs to the new docker volumes. The migration went along without a hitch.
Further on the frontend side, as most everything is now containerized the awesome traefik reverse proxy handles all incoming HTTPS requests and also takes care of the certificates for us.
Concerning backups restic proved itself to be an excellent approach, creating snapshots every hour of all the important data.
In the end we now some 28 containers handling everything from E-Mail to XMPP to personalized Nextcloud instances. And my adminstration efforts have been halved. I’d count that as a success. And there are still some cool new programs on the horizon like podman that could further improve security and accessibility of the server.