The Transition

Where to make changes

At the IWI, as can be seen in Figure 1, iwi200 is the mail server. Its configuration lives in the files in the directory /etc/postfix. Some of the lists used by Postfix were sometimes published via NIS from /etc/mail/primary_mx_hosts/etc/postfix on iwi1, but this no longer seems to be the case. The most important files in either directory are aliases and virtual.


Please note that aliases often resides in /etc instead of in /etc/postfix.

The IWI MTA, Postfix, uses these two tables when delivering mail for which it considers itself the final destination. For virtual addresses, it looks up the address in the left-hand side of the virtual table and sends the mail on to the address(es) on the right-hand side[49]. Once the address to deliver to is local (i.e. not virtual), the aliases table is used for the same sort of lookup.
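The lookup order described above can be modelled in a few lines to check where an address finally lands, and to catch rewrite loops, before the tables are moved. This is an added example, not part of the original plan or of Postfix itself; the domain, table contents and function names are constructed, and the model is simplified (no catch-all entries, no command or file targets in aliases).

```python
# Added example: simplified model of virtual -> aliases lookup; all data is constructed.
LOCAL_DOMAIN = "iwi.example"  # assumed placeholder for the IWI mail domain
VIRTUAL_TEXT = """\
info@iwi.example      helpdesk@iwi.example
helpdesk@iwi.example  alice@iwi.example, bob@cit.example
loop-a@iwi.example    loop-b@iwi.example
loop-b@iwi.example    loop-a@iwi.example
"""
ALIASES_TEXT = """\
postmaster: root
root:       alice, carol
"""

def parse_table(text, sep=None):
    """Parse 'lhs rhs[, rhs...]' lines; pass sep=':' for aliases syntax."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        lhs, rhs = line.split(sep, 1)
        table[lhs.strip().lower()] = [r.strip().lower() for r in rhs.split(",") if r.strip()]
    return table

def expand(addr, table, seen=()):
    """Rewrite addr until it no longer occurs in the LHS; return (finals, loops)."""
    addr = addr.lower()
    if addr in seen:                      # already visited on this path: a loop
        return set(), {addr}
    if addr not in table:                 # nothing left to rewrite
        return {addr}, set()
    final, loops = set(), set()
    for target in table[addr]:
        f, l = expand(target, table, seen + (addr,))
        final, loops = final | f, loops | l
    return final, loops

def resolve(addr, virtual, aliases, domain=LOCAL_DOMAIN):
    """Virtual lookup first; results that are local then go through aliases."""
    final, loops = expand(addr, virtual)
    out = set()
    for a in final:
        user, _, dom = a.partition("@")
        if dom not in ("", domain):       # not local: mail leaves this server
            out.add(a)
            continue
        f, l = expand(user, aliases)
        out, loops = out | f, loops | l
    return out, loops
```

Any address that ends up in the second return value never reaches a mailbox and should be fixed in the table before the mapping to RuG accounts is drawn up.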

Before being delivered, mail received by iwi200 is scanned for spam and viruses at iwi202. iwi202 is also the Authenticated SMTP server. Mail received by iwi202 via ASMTP is not scanned, as the sender is known, and only IWI employees have accounts. iwi202 is not going to feature prominently in this plan, since it will just become jobless when iwi200 is taken down.

Mail delivery at iwi200 is influenced on a per-user basis by ~/.forward[50], and often also by ~/.procmailrc[51]. If delivered without .forward or .procmailrc intervention, mail will end up in /var/spool/mail/${USER}[52], but procmail can also access home directories and sort mail into boxes located there.

iwi200 serves the mailboxes in /var/spool/mail via IMAP and POP. Via IMAP, the users' home directories can also be reached.

Figure 1. Sketch of current mail flow at the IWI

Preliminary actions

Before the CIT mail server can start taking over iwi200's duties, a couple of things must be sorted out. Among others, we must know which IWI account maps to which RuG account, and we must have some replacement for the IWI mailing lists. The required steps are listed in Procedure 78.

Procedure 78.  Preliminary steps to be taken before moving the mail

Redirecting the bulk of mail flow

The IWI SMTP server can largely be switched out of the mail circuit by setting the MX record for all domains owned by the IWI to point to the central SMTP server instead of the IWI SMTP server. The steps to be taken are in Procedure 79.

Procedure 79.  Steps to be taken in taking the IWI SMTP server out of the mail flow

Moving the users' mailboxes, and adjusting their settings

We need to take down the old POP/IMAP server as well as the SMTP server, as they are of equal age and state. So the users' mail must be moved from the IWI mailboxes to the central mail server. This is near trivial, as modern mail programs are able to open both accounts at the same time, and entire mail folders can be dragged from the old account to the new one. The only problem lies in forcing the users to actually move their mail. The best approach is probably to state a deadline, but offer support to those who don't trust themselves with the task. While we're at it, the users must also be taught to use the CIT mailer for outgoing mail.

Procedure 80.  Adjusting users' settings

Cleanup of iwi200

Now that this is all done, we get to the situation as illustrated in Figure 4. All that is left to be done is to watch the logs of iwi200 to ensure there is no mail coming in any more. If need be, the local users' addresses can be put in the relocated table for a while before the service is finally turned off and we end up with Figure 5. Turning off the ASMTP service at iwi202 has much lower impact, and can be handled separately.

Figure 4. IWI mail users now talking to CIT servers

Figure 5. Sketch of mail flow at the IWI with iwi200 off

[49] It does this over and over again until the resulting address no longer occurs in the LHS.

[50] if it exists

[51] if that exists and is called from the .forward

[52] MBOX-style

[53] This prevents it from becoming an open relay too.