Configuring the synchronization of two iRedMail mailers on two channels
What is available
What is required
Ensuring the fault tolerance of the mail server when one of the mail servers fails or the channel of one of the providers falls. The ability to carry out those. work, testing new modules, etc. on one of the mail servers. Cluster Similarity Organization
Scheme
Why is it so
iRedMail is an OpenSoures mailer, the foundation of postfix, dovecot, openldap, antivirus, antispam (we look at the official site ). All packages are native, support system updates apt-get update, upgrade, support for the Russian language and in the admin panel too. I foresee statements that all these designers are not good - “I will put everything in and set up”, I won’t argue ... it's just my experience - I’m sharing what I have.
1. Install Ubuntu 12.04 LTS x64(we forget about SSH, because how to steer remotely ... :))
go to the page of the iRedMail installation guide. We use everything as prescribed - ubuntu 12.04 LTS, RAM - 250Mb, HDD - 10G (not enough for a mailer, but we will store mailboxes on a separate server)
2. We will carry out preparatory activities
To store mail we will use a mounted folder on another server, which will give us the ability to disable or overload any of the clustered mail servers without fear of losing access to user mailboxes.
There are two options for mounting SAMBA and NFS, the best solution, I think NFS because it’s native, they say the speed is faster and loads the processor less. I will describe both options, you decide what to use.
2.1 NFS
We install NFS support on the mail storage server:
Create a folder for storing mail
We create a user vmail with UID 1001 (if you installed iRedMail on a mailer on a clean system, it will be with that UID) with the home folder / var / vmail-str and shell / sbin / nologin.
Export rules
Our letters will be stored here, we open it by NFS.
2.2 SMB (currently does not work - error with access / rights)
3. On the client (or rather, on one of the servers with iRedMail) we connect the folder via NFS
Install the NFS client
Edit / etc / fstab
adding a line
4. The installation of iRedMAIL itself is quite well described at the office. manufacturer’s website.
www.iredmail.org/doc.html
Installation was performed on the Ubuntu server 12.04 LTS.
Then everything is as in the standard manual
and further on the manual .
After installing at least one server, you need to check the rights in the / var / vmail directory (remember, it connects to us from the MAIL-STORAGE server)
should be like this:
If necessary, change by going to our MAIL-STORAGE:
5. Installing iRedAdmin-Pro (we bought),
unpack the archive
rewrite rights
change symlink
copy settings
You can go to the admin panel
6. Repeat steps 3, 4 and 5
for the second and Nth servers. As a result, we get N servers with iRedMail that have users as their repository - their LDAPs and mail storages are one array - MAIL-STORAGE.
7. Configuring LDAP synchronization.
Choose a replication method - mirror (when disconnecting any server, all the others continue to work and serve clients)
From. site excerpt .
7.1 First of all, add a line to /etc/ldap/slapd.conf
for without this there will be no synchronization at all, and the addition of this parameter is not described explicitly.
Next, configure the provider / consumer 192.168.1.10
In the main directives (at the beginning of the /etc/ldap/slapd.conf file), add the server ID
At the end of the file, add:
Immediately set up as a consumer
The most difficult thing is not to make a mistake and find binddn credentials.
And we are looking from the file: iRedMail.tips in the directory where the mailer was installed or in the letter that came to the administrator to which we will connect (192.168.1.20) We are looking for the line
This will be our username and password.
You also need to add the provider functions to /etc/ldap/slapd.conf:
7.2 Next, configure the provider / consumer 192.168.1.20
In the main directives (at the beginning of the /etc/ldap/slapd.conf file), add the server ID
At the end of the file, add:
Immediately set up as a consumer
We are looking for a file: iRedMail.tips in the directory where the installed or mailer who came in a letter to the administrator to which will be connected (192.168.1.10) We are looking for line
This will be our username and password.
You also need to add the provider functions to /etc/ldap/slapd.conf:
8. We restart LDAP on both servers and look at the log:
If something like that popped up
So something is wrong and you need to carefully edit slapd.conf
10. Check
We go to the admin panel of one and the other server.
Add the user, domain, etc. And look at his appearance on the second server.
We perform actions to delete, modify, add data to one server and check from the appearance on another.
11. Conclusion
We received a mail cluster running on two Internet channels over two white IPs.
Provided that we have two IPs registered in the DNS for one domain name
mail.domain.my - 1.1.1.1
mail.domain.my - 2.2.2.2
and the availability of two DNS under different channels we have:
If one of the channels fails or exits standing (service shutdown) of one of the mail servers, clients will have access and service on the second mail server.
Also, some unloading of channels and servers is achieved with random delivery of IP mailers to DNS servers.
12. Sources
- Two Internet channels from different providers
- Two different pools of IP addresses (1.1.1.1/28, 2.2.2.1/28)
- Two DNS servers on their own sites supporting the doman.my zone with MX mail.domen.my records - 1.1.1.1; mail.domain.my - 2.2.2.2
- Two PTR records for two providers (1.1.1.1 - mail. domain.my, 2.2.2.2 - mail. domain.my)
- SSL certificate for * .doman.my domain
- Inside DMZ, mailers will have IP 192.168.1.10 and 192.168.1.20
What is required
Ensuring the fault tolerance of the mail server when one of the mail servers fails or the channel of one of the providers falls. The ability to carry out those. work, testing new modules, etc. on one of the mail servers. Cluster Similarity Organization
Scheme
Why is it so
iRedMail is an OpenSoures mailer, the foundation of postfix, dovecot, openldap, antivirus, antispam (we look at the official site ). All packages are native, support system updates apt-get update, upgrade, support for the Russian language and in the admin panel too. I foresee statements that all these designers are not good - “I will put everything in and set up”, I won’t argue ... it's just my experience - I’m sharing what I have.
1. Install Ubuntu 12.04 LTS x64(we forget about SSH, because how to steer remotely ... :))
go to the page of the iRedMail installation guide. We use everything as prescribed - ubuntu 12.04 LTS, RAM - 250Mb, HDD - 10G (not enough for a mailer, but we will store mailboxes on a separate server)
2. We will carry out preparatory activities
To store mail we will use a mounted folder on another server, which will give us the ability to disable or overload any of the clustered mail servers without fear of losing access to user mailboxes.
There are two options for mounting SAMBA and NFS, the best solution, I think NFS because it’s native, they say the speed is faster and loads the processor less. I will describe both options, you decide what to use.
2.1 NFS
We install NFS support on the mail storage server:
$sudo apt-get install nfs-kernel-server nfs-common
Create a folder for storing mail
$sudo mkdir /var/vmail-str
We create a user vmail with UID 1001 (if you installed iRedMail on a mailer on a clean system, it will be with that UID) with the home folder / var / vmail-str and shell / sbin / nologin.
Export rules
$sudo vim /etc/exports
/var/vmail-str 192.168.1.0/24(rw,sync,no_root_squash,no_subtree_check)
Our letters will be stored here, we open it by NFS.
2.2 SMB (currently does not work - error with access / rights)
Install the SMBFS package
- mail storage, mount the ball here.
Add a line to / etc / fstab
There is an unresolved problem: the mailer cannot access the mail storage folder on the SMB server, although the rights are 0777 root: root on all folders in the / var / vmail / directory. It is necessary to dig towards the rights on the side of the SMB server
sudo apt-get install smbfs
mkdir /var/vmail
- mail storage, mount the ball here.
Add a line to / etc / fstab
//192.168.1.3/vmail /var/vmail smbfs user=pochta,pass=pismo,rw,utf8,dir_mode=0777,file_mode=0777 0 0
There is an unresolved problem: the mailer cannot access the mail storage folder on the SMB server, although the rights are 0777 root: root on all folders in the / var / vmail / directory. It is necessary to dig towards the rights on the side of the SMB server
3. On the client (or rather, on one of the servers with iRedMail) we connect the folder via NFS
Install the NFS client
$sudo apt-get install nfs-common
Edit / etc / fstab
adding a line
192.168.1.3:/var/vmail-str /var/vmail nfs user,rw 0 0
4. The installation of iRedMAIL itself is quite well described at the office. manufacturer’s website.
www.iredmail.org/doc.html
Installation was performed on the Ubuntu server 12.04 LTS.
Then everything is as in the standard manual
hostname -f...
post-t1.domen.my
and further on the manual .
After installing at least one server, you need to check the rights in the / var / vmail directory (remember, it connects to us from the MAIL-STORAGE server)
should be like this:
$sudo ls -l /var/vmail
drwxr-xr-x 4 root root 4096 июля 5 03:30 backup
drwx------ 2 vmail vmail 4096 июня 18 16:03 sieve
drwx------ 6 vmail vmail 4096 сент. 10 13:23 vmail1
If necessary, change by going to our MAIL-STORAGE:
$sudo chown -R vmail:vmail /var/vmail/vmail1
$sudo chown -R vmail:vmail /var/vmail/sieve
5. Installing iRedAdmin-Pro (we bought),
unpack the archive
$tar xfz iRedAdmin-Pro-LDAP-1.7.2.tar.bz2 /usr/share/apache2
rewrite rights
$sudo chown -R iredadmin:iredadmin iRedAdmin-Pro-LDAP-1.7.2/
change symlink
$sudo ln -s /usr/share/apache2/iRedAdmin-Pro-LDAP-1.7.2/ /usr/share/apache2/iredadmin
copy settings
$sudo cp /usr/share/apache2/iRedAdmin-0.1.8/settings.ini /usr/share/apache2/iRedAdmin-Pro-LDAP-1.7.2/
You can go to the admin panel
https: // ip_server / iredadmin /login: postmaster@domen.my pass:% which% was entered during installation
6. Repeat steps 3, 4 and 5
for the second and Nth servers. As a result, we get N servers with iRedMail that have users as their repository - their LDAPs and mail storages are one array - MAIL-STORAGE.
7. Configuring LDAP synchronization.
Choose a replication method - mirror (when disconnecting any server, all the others continue to work and serve clients)
From. site excerpt .
To read
18.2.3. Mirror Mode Replication (MirrorMode)
Mirror mode is a hybrid configuration that provides all the guarantees of data integrity, as when replicating with one main server, while providing high availability, as when replicating with several main servers. In mirror mode, two providers are configured to replicate from each other (as is the case with several main servers), however, a certain external interface is used that directs all update requests to only one of the two servers. In the event of a failure of the first provider, the above interface will switch all update requests to the second provider, and he, in turn, will accept and process them. When restoring and restarting a failed provider, it will automatically request all changes from a functioning provider and will be re-synchronized.
18.2.3.1. Positive aspects of replication in mirror mode
High-availability (HA) solution both for catalog update operations and for subsequent synchronization acquisitions by consumer replicas.
As long as at least one provider is operational, you can safely accept update operations.
Provider servers are replicated from each other, so they are constantly up to date and constantly ready to replace each other (hot swap).
Syncrepl also allows vendor nets to re-synchronize after idle periods of any duration.
18.2.3.2. Negative mirror-mode replication
Replication in mirror mode is not what is usually called a solution with several main servers, because update operations at a certain point in time are accepted only by one of the mirror servers.
Mirror mode can be designated as two active servers with hot-swapping each other (Active-Active Hot-Standby), therefore, to decide which of the provider servers is currently active, you need an external server (slapd in proxy mode) or a device (hardware balancer load).
Somewhat different backup management:
If you back up the Berkeley database itself and periodically back up the transaction log files, then until the next backup of the database is made, you need to make copies of the log files of the same server from a pair of mirror servers.
Delta-Syncrepl is still not supported.
Mirror mode is a hybrid configuration that provides all the guarantees of data integrity, as when replicating with one main server, while providing high availability, as when replicating with several main servers. In mirror mode, two providers are configured to replicate from each other (as is the case with several main servers), however, a certain external interface is used that directs all update requests to only one of the two servers. In the event of a failure of the first provider, the above interface will switch all update requests to the second provider, and he, in turn, will accept and process them. When restoring and restarting a failed provider, it will automatically request all changes from a functioning provider and will be re-synchronized.
18.2.3.1. Positive aspects of replication in mirror mode
High-availability (HA) solution both for catalog update operations and for subsequent synchronization acquisitions by consumer replicas.
As long as at least one provider is operational, you can safely accept update operations.
Provider servers are replicated from each other, so they are constantly up to date and constantly ready to replace each other (hot swap).
Syncrepl also allows vendor nets to re-synchronize after idle periods of any duration.
18.2.3.2. Negative mirror-mode replication
Replication in mirror mode is not what is usually called a solution with several main servers, because update operations at a certain point in time are accepted only by one of the mirror servers.
Mirror mode can be designated as two active servers with hot-swapping each other (Active-Active Hot-Standby), therefore, to decide which of the provider servers is currently active, you need an external server (slapd in proxy mode) or a device (hardware balancer load).
Somewhat different backup management:
If you back up the Berkeley database itself and periodically back up the transaction log files, then until the next backup of the database is made, you need to make copies of the log files of the same server from a pair of mirror servers.
Delta-Syncrepl is still not supported.
7.1 First of all, add a line to /etc/ldap/slapd.conf
# Modules.
moduleload syncprov.la
for without this there will be no synchronization at all, and the addition of this parameter is not described explicitly.
Next, configure the provider / consumer 192.168.1.10
In the main directives (at the beginning of the /etc/ldap/slapd.conf file), add the server ID
serverID 1 # у каждого сервера свой
At the end of the file, add:
index objectClass,entryCSN,entryUUID eq,pres
Immediately set up as a consumer
syncrepl rid=001
provider=ldap://192.168.1.20
bindmethod=simple
interval=00:00:10:00
binddn="cn=vmail,dc=domen,dc=my"
credentials=yzjiFdasfkoZSDbladfjoweotHgWiNxFHcb
searchbase="dc=domen,dc=my"
schemachecking=off
type=refreshAndPersist
retry="60 +"
The most difficult thing is not to make a mistake and find binddn credentials.
And we are looking from the file: iRedMail.tips in the directory where the mailer was installed or in the letter that came to the administrator to which we will connect (192.168.1.20) We are looking for the line
* LDAP bind dn (read-only): cn=vmail,dc=domen,dc=my, password: yzjiFdasfkoZSDbladfjoweotHgWiNxFHcb
This will be our username and password.
You also need to add the provider functions to /etc/ldap/slapd.conf:
mirrormode on
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
7.2 Next, configure the provider / consumer 192.168.1.20
In the main directives (at the beginning of the /etc/ldap/slapd.conf file), add the server ID
serverID 2
At the end of the file, add:
index objectClass,entryCSN,entryUUID eq,pres
Immediately set up as a consumer
syncrepl rid=001
provider=ldap://192.168.1.10
bindmethod=simple
interval=00:00:10:00
binddn="cn=vmail,dc=domen,dc=my"
credentials=lkfjalfkoZSDbladfjoweotHSDFasjfASfj
searchbase="dc=domen,dc=my"
schemachecking=off
type=refreshAndPersist
retry="60 +"
We are looking for a file: iRedMail.tips in the directory where the installed or mailer who came in a letter to the administrator to which will be connected (192.168.1.10) We are looking for line
* LDAP bind dn (read-only): cn=vmail,dc=domen,dc=my, password: lkfjalfkoZSDbladfjoweotHSDFasjfASfj
This will be our username and password.
You also need to add the provider functions to /etc/ldap/slapd.conf:
mirrormode on
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
8. We restart LDAP on both servers and look at the log:
$ sudo service slapd restart && sudo tail -f /var/log/syslog | grep slpad
$ sudo service slapd restart && sudo tail -f /var/log/syslog | grep slpad
If something like that popped up
Oct 24 11:35:03 server slapd[6992]: slap_client_connect: URI=ldap://192.168.1.10 DN="cn=vmail,dc=domen,dc=my" ldap_sasl_bind_s failed (-1)
Oct 24 11:35:03 server slapd[6992]: do_syncrepl: rid=001 rc -1 retrying
So something is wrong and you need to carefully edit slapd.conf
10. Check
We go to the admin panel of one and the other server.
https://192.168.1.10/iredadmin/ https://192.168.1.20/iredadmin/
Add the user, domain, etc. And look at his appearance on the second server.
We perform actions to delete, modify, add data to one server and check from the appearance on another.
11. Conclusion
We received a mail cluster running on two Internet channels over two white IPs.
Provided that we have two IPs registered in the DNS for one domain name
mail.domain.my - 1.1.1.1
mail.domain.my - 2.2.2.2
and the availability of two DNS under different channels we have:
If one of the channels fails or exits standing (service shutdown) of one of the mail servers, clients will have access and service on the second mail server.
Also, some unloading of channels and servers is achieved with random delivery of IP mailers to DNS servers.
12. Sources