Allen Pomeroy

Blog of an IT security specialist .: beta :.

IMAP mailstore migration .. again

Tags: , , , ,

So last weekend, I discovered that Spamhaus decided it would be a good idea to place all of the public IP addresses for Slicehost (my Linux VPS hoster) into their Spamhaus block list (SBL). This covered both my slice in Dallas and the one in St. Louis – meaning an impressive chunk of inbound mail to my domains was being trashed by the sending MTA and an even bigger chunk of my outbound mail was being outright rejected since the sending IP’s were on the SBL.  Slicehost worked hard to convince Spamhaus to recind the blocklist, so the Slicehost IP’s got moved over to the less-nasty-but-you’re-still-probably-a-spamming-dirtbag Policy Block list (PBL) assuming affected IP owners would request to be removed from that list.

Sample query to see if you’re on any Spamhaus block list:  http://www.spamhaus.org/query/bl?ip=10.11.12.13

It seems it’s time to relinquish the care and feeding of my own Postfix mail system and turn to a hosted solution.  This means I need to migrate about 5GB of IMAP store to another site (again).  Last time I did a wholesale migration, I used imapsync to make the transition painless. In the code example below, an SSL connection to the IMAPS server at imap-server.sourcedomain.com is made with username@sourcedomain.com and the password stored in the plaintext file secret1. An SSL connection is made to the target system (which happens to be the server on which the imapsync tool is running, but could just as easily be another IMAPS server somewhere on a network accessible to the host where imapsync is running). The –delete and –expunge1 arguments will clean the successfully moved messages from IMAP store #1 .. so be sure you have your messages on the target successfully! Imapsync can be run iteratively to ensure you have got all the messages from your source.


/usr/bin/imapsync \
--host1 imap-server.sourcedomain.com \
--ssl1 \
--authmech1 LOGIN \
--user1 username@sourcedomain.com --passfile1 secret1 \
--host2 127.0.0.1 --user2 username@targetdomain.com --passfile2 secret2 \
--ssl2 \
--delete --expunge1 \
--buffersize=128

And one can use the

--dry

option to just test the process but not actually move any of the messages.

So that’s it – I’m about half way though migrating my current IMAP stores over to a hosted mail solution, so that I don’t need to keep up with the increasing level of care and feeding that running your own mail service requires.  Before I get too many darts about that .. I first started running my own personal MTA in 1995, adding spam and av filtering over time, and adding substantial redundancy (servers, sites, storage) so I could rely on it and fix things that broke as I had time rather than right when they broke (which was always at a bad time).  My new hosted solution takes over from two VPS servers running Postfix, Spamassassin, ClamAV, Greylisting with the IMAP store replicated across data centers in different states (15 minute rsyncs).  So soon, the (hopefully) last Allen Pomeroy owned and operated MTA can be turned off, while I get to work on fun stuff, rather than figuring out why my email is bouncing.  :-)

Setup IMAPS on iPhone 3G with self-signed certificates

Tags: , ,

So setting up my shiny new iPhone 3G for IMAPS email was not entirely straight forward.  (-:  There are two complicating factors that I ran into.  For IMAP over SSL (IMAPS) connections to a mail server that is using a digital certificate that is signed by a well known certificate authority AND running on the default TCP port 993, no problems.  You may have a be a bit patient as the mail app on the iPhone accepts the certificate.  For less standard mail server implementations, read on …

I am using a server certificate that is in essence a self-signed certificate – it is signed by CAcert.org, however very few (if any) browsers and mobile devices trust or even know of CAcert.org.  In this case, you will need to be patient while the iPhone mail app finally rejects the server certificate as untrusted.  The dialogue box will acknowledge the mail server certificate is invalid and will ask if you want to continue.  Accept the continue option and eventually (took about 5 minutes for my iPhone) the iPhone will accept the ‘invalid’ certificate.

Now, if you are using a mail server that has IMAPS running on a non-standard port (anything other than TCP 993), you must first establish the connection and have the iPhone accept the certificate over port 993.  Once the mail account is setup initially, then you can go change the port to something non-standard.

Once I get a chance I’ll post some screen shots.

Countdown Timer

  • SBG:
    in 1 month, 27 days, 23 hours, 38 minutes
  • Educational Emancipation Day:
    in 4 months, 13 days, 5 hours, 38 minutes

RSS MSBull

RSS US-CERT

RSS CanGovPubSafety

RSS SecFocus

Recent Posts

Categories

IT Security

User

Archives

Tags

Random Quote

Patience. Trust. Knowledge. Wisdom. Balance. Kanji tattoos I have and attributes I strive for in my current MSc program. — Allen Pomeroy

© 2009 Allen Pomeroy. All Rights Reserved. This is the personal website of Allen Pomeroy. Opinions expressed are not necessarily those of my employer.