Mailing List Archive

Server Upgrade
Hi,

I want to upgrade my server from Debian Jessie to Debian Stretch. I am afraid
that at some time during the upgrade process, there is an invalid exim
configuration and messages get rejected. In order to avoid that I was thinking
of either redirecting via DNS to a server which does not listen to port 25 to
enforce the sender to try again. Or redirect via DNS to a server which buffers
all incoming messages until the Stretch setup is tested (not sure which server
software does this though...).

Can anybody recommend one of the approaches or even propose something
better...?

Thanks
Rainer
--
Rainer Dorsch
http://bokomoko.de/



--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Server Upgrade
On Sat, Apr 13, 2019 at 06:15:33PM +0200, Rainer Dorsch via Exim-users wrote:
> Hi,
>
> I want to upgrade my server from Debian Jessie to Debian Stretch. I am afraid
> that at some time during the upgrade process, there is an invalid exim
> configuration and messages get rejected.

The whole process is not so much about exim as far more how the packet
management works.

(1) If you have your own configuration file in /etc/exim4/exim4.conf
there will be no such problem.

(2) If you have configured your Exim using the debian packet configuration
there also would be no problem.

(3) If you are running a modified configuration derived from the debian
configuration there might be a glitch but this would be unlikely.

> Can anybody recommend one of the approaches or even propose something
> better...?

- in case of (3) you also can:
  - prevent exim from starting: set "exit 0" as first line in /etc/default/exim4
  - create a packet filter rule dropping connections to port 25/tcp
  - create /etc/exim4/exim4.conf which just makes exim return SMTP error 451

HTH

--
Christian Recktenwald
exim-users-dist@citecs.de

Re: Server Upgrade
On 13 Apr 2019, at 17:15, Rainer Dorsch via Exim-users <exim-users@exim.org> wrote:
> Can anybody recommend one of the approaches or even propose something
> better...?

Stop exim.
Disable exim from running at startup.
Backup your config.

Update

Use diff to check the config; reinstate the original one if necessary

Restart exim.

This will rely on you doing it in a timely fashion - so not over a matter of days, but minutes/small number of hours - and lets the machines sending mail to you manage their retries according to site specific configuration. If you’re not listening, you’re not receiving, so no glitches can occur!

Graeme
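
The backup and diff steps of the procedure above, as an added example that is not part of any poster's message: `snapshot_config` copies a configuration tree aside with a SHA-256 manifest before the upgrade, and `config_drift` lists what differs afterwards, including the `.dpkg-dist`, `.dpkg-old` and `.dpkg-new` files dpkg leaves beside conffiles. The function names and the snapshot layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread; names and snapshot layout are assumptions.

# snapshot_config SRC DEST: copy SRC to DEST/tree and record per-file hashes.
snapshot_config() {
    src=$1; dest=$2
    [ -d "$src" ] || { echo "no such directory: $src" >&2; return 1; }
    mkdir -p "$dest/tree" || return 1
    cp -Rp "$src/." "$dest/tree/" || return 1
    ( cd "$dest/tree" && find . -type f -exec sha256sum {} + ) \
        > "$dest/manifest.sha256"
}

# config_drift SRC DEST: print one line per difference since the snapshot:
#   CHANGED / REMOVED / ADDED <path>, and DPKG <path> for the *.dpkg-dist,
#   *.dpkg-old and *.dpkg-new files dpkg leaves when the local and packaged
#   versions of a conffile differ. Returns 0 if nothing differs, 1 otherwise.
config_drift() {
    src=$1; dest=$2; rc=0
    now=$(mktemp) || return 2
    while read -r sum path; do
        if [ ! -f "$src/$path" ]; then
            echo "REMOVED $path"; rc=1
        elif [ "$(cd "$src" && sha256sum "$path" | cut -d' ' -f1)" != "$sum" ]; then
            echo "CHANGED $path"; rc=1
        fi
    done < "$dest/manifest.sha256"
    ( cd "$src" && find . -type f | sort ) > "$now"
    while read -r path; do
        case $path in
            *.dpkg-dist|*.dpkg-old|*.dpkg-new)
                echo "DPKG $path"; rc=1 ;;
            *)  # column 67 onward of a manifest line is the path
                cut -c67- "$dest/manifest.sha256" | grep -qxF -- "$path" ||
                    { echo "ADDED $path"; rc=1; } ;;
        esac
    done < "$now"
    rm -f "$now"
    return "$rc"
}

# Usage on a Debian host (as root), around the upgrade:
#   snapshot_config /etc/exim4 /root/exim4-pre-upgrade
#   ... stop exim, upgrade ...
#   config_drift /etc/exim4 /root/exim4-pre-upgrade
```

Every `CHANGED` or `DPKG` line is a file to diff against the copy under `tree/` before exim is started again.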

Re: Server Upgrade
On Sat, Apr 13, 2019 at 06:15:33PM +0200, Rainer Dorsch via Exim-users wrote:
> I want to upgrade my server from Debian Jessie to Debian Stretch. I am afraid
> that at some time during the upgrade process, there is an invalid exim
> configuration and messages get rejected. In order to avoid that I was thinking
> of either redirecting via DNS to a server which does not listen to port 25 to
> enforce the sender to try again. Or redirect via DNS to a server which buffers
> all incoming messages until the Stretch setup is tested (not sure which server
> software does this though...).
>
> Can anybody recommend one of the approaches or even propose something
> better...?

Upgrade Exim on a minimal test system and check/tune its config.
Do it before the production server upgrade.

You can also check whether old config works fine with new Exim version,
if so, keep it for future use. In Debian completely assembled config is
in file /var/lib/exim4/config.autogenerated.
--
Eugene Berdnikov

Re: Server Upgrade
On Sat, 13 Apr 2019, Rainer Dorsch via Exim-users wrote:

> Hi,
>
> I want to upgrade my server from Debian Jessie to Debian Stretch. I am afraid
> that at some time during the upgrade process, there is an invalid exim
> configuration and messages get rejected. In order to avoid that I was thinking
> of either redirecting via DNS to a server which does not listen to port 25 to
> enforce the sender to try again. Or redirect via DNS to a server which buffers
> all incoming messages until the Stretch setup is tested (not sure which server
> software does this though...).
>
> Can anybody recommend one of the approaches or even propose something
> better...?

I don't know Debian, but I'd hope that if you disable the service
it will stay off during and after the upgrade ?
Can you test on another machine ?

I've watched a process of redirecting the DNS while work was done on the
main server. You could set the backup server as an MX secondary.
You would probably want to manually switch this machine between holding
the mail and passing it to the MX primary.

Do you have a service-specific IP address, or does your current config
listen on the main machine IP address ?

I have to admit that I've always switched to new (or at least different)
hardware when doing a major OS upgrade.

If you can really afford to redirect to a non-listening server,
a similar option would be to do that at your firewall.

--
Andrew C. Aitchison Cambridge, UK
andrew@aitchison.me.uk

Re: Server Upgrade
Thanks, Eugene, I did not know about /var/lib/exim4/config.autogenerated

Nevertheless, I would prefer, if I could test on the production server itself.

Rainer

On Saturday, 13 April 2019, 20:15:02 CEST, Evgeniy Berdnikov via Exim-users wrote:
> On Sat, Apr 13, 2019 at 06:15:33PM +0200, Rainer Dorsch via Exim-users wrote:
> > I want to upgrade my server from Debian Jessie to Debian Stretch. I am
> > afraid that at some time during the upgrade process, there is an invalid
> > exim configuration and messages get rejected. In order to avoid that I
> > was thinking of either redirecting via DNS to a server which does not
> > listen to port 25 to enforce the sender to try again. Or redirect via DNS
> > to a server which buffers all incoming messages until the Stretch setup
> > is tested (not sure which server software does this though...).
> >
> > Can anybody recommend one of the approaches or even propose something
> > better...?
>
> Upgrade Exim on a minimal test system and check/tune its config.
> Do it before the production server upgrade.
>
> You can also check whether old config works fine with new Exim version,
> if so, keep it for future use. In Debian completely assembled config is
> in file /var/lib/exim4/config.autogenerated.


--
Rainer Dorsch
http://bokomoko.de/



Re: Server Upgrade
On Saturday, 13 April 2019, 21:37:19 CEST, Rainer Dorsch wrote:
> Thanks, Christian, for your reply.
>
> On Saturday, 13 April 2019, 19:41:15 CEST, Christian Recktenwald via Exim-users wrote:
> > On Sat, Apr 13, 2019 at 06:15:33PM +0200, Rainer Dorsch via Exim-users wrote:
> > > Hi,
> > >
> > > I want to upgrade my server from Debian Jessie to Debian Stretch. I am
> > > afraid that at some time during the upgrade process, there is an invalid
> > > exim configuration and messages get rejected.
> >
> > The whole process is not so much about exim as far more how the packet
> > management works.
> >
> > (1) If you have your own configuration file in /etc/exim4/exim4.conf
> > there will be no such problem.
> >
> > (2) If you have configured your Exim using the debian packet configuration
> > there also would be no problem.
> >
> > (3) If you are running a modified configuration derived from the debian
> > configuration there might be a glitch but this would be unlikely.
>
> I am running (3), but could attempt to get to a cleaner config during the
> upgrade.
>
> > > Can anybody recommend one of the approaches or even propose something
> > > better...?
> >
> > - in case of (3) you also can:
> >   - prevent exim from starting: set "exit 0" as first line in /etc/default/exim4
> >   - create a packet filter rule dropping connections to port 25/tcp
> >   - create /etc/exim4/exim4.conf which just makes exim return SMTP error 451
>
> I would feel more comfortable, if I can test the production machine before
> processing "real" mail messages again.
>
> thanks again
> Rainer


--
Rainer Dorsch
http://bokomoko.de/



Re: Server Upgrade
On 2019-04-13, Rainer Dorsch via Exim-users <exim-users@exim.org> wrote:
> Hi,
>
> I want to upgrade my server from Debian Jessie to Debian Stretch. I am afraid
> that at some time during the upgrade process, there is an invalid exim
> configuration and messages get rejected. In order to avoid that I was thinking
> of either redirecting via DNS to a server which does not listen to port 25 to
> enforce the sender to try again. Or redirect via DNS to a server which buffers
> all incoming messages until the Stretch setup is tested (not sure which server
> software does this though...).
>
> Can anybody recommend one of the approaches or even propose something
> better...?

Use iptables rules to block the public allowing only your tests to
reach exim.

If you have not edited any Debian conffiles the upgrade should proceed
smoothly with only a brief outage, no spurious rejects.

During the upgrade process a bad config is much more likely to prevent
exim from running than to cause spurious rejects.

I use Debian's split config which allows me to separate my config
tweaks from the Debian provided conf files, this vastly reduces the
amount of editing needed during upgrades.

--
When I tried casting out nines I made a hash of it.

Re: Server Upgrade
On 13/04/19, Rainer Dorsch via Exim-users (exim-users@exim.org) wrote:
> I want to upgrade my server from Debian Jessie to Debian Stretch. I am afraid
> that at some time during the upgrade process, there is an invalid exim
> configuration

You need to backup all your configuration files, such as those in
/etc/exim4, /etc/mailname and /etc/aliases. (If you are using etckeeper,
take a snapshot or make a tag in your repo.)

Then I suggest two things:
1. run your config on a stretch virtual machine and check all your
   directives still work.
   I seem to remember there were small, slight changes.
2. upgrade to stretch exim4 ahead of the rest of your OS

To do that you will need to add stretch to your /etc/apt/sources.list
and alter your /etc/apt/preferences
See https://jaqque.sbih.org/kplug/apt-pinning.html

Eg: you will need this line in /etc/apt/sources.list, altered for your
region:

deb http://ftp.fr.debian.org/debian/ stretch main contrib

and a preferences file something like this.

Package: *
Pin: release n=jessie
Pin-Priority: 700

Package: *
Pin: release n=stretch
Pin-Priority: 300

(My use of release nicknames might be a bit wrong -- I use
stable/testing/unstable on my laptop, with the highest pin-priority
given to stable).

This means you should be able to safely upgrade to exim4 and
dependencies only ahead of your general upgrade by issuing:

apt-get -t stretch install exim4-daemon-heavy exim4-config

or maybe

apt-get -t stretch install --reinstall exim4-daemon-heavy exim4-config

Caveat emptor! You might want to do a stretch vm upgrade in this manner
first.

Rory

Re: Server Upgrade
Hi,

Rainer Dorsch via Exim-users <exim-users@exim.org> (Sa 13 Apr 2019 18:15:33 CEST):
> I want to upgrade my server from Debian Jessie to Debian Stretch. I am afraid
> that at some time during the upgrade process, there is an invalid exim

An invalid Exim (or configuration) should not cause messages to get
lost.

If Exim can't start because of an invalid config, nobody can send you a
message, they will retry later.

If Exim can't acknowledge the message reception (due to runtime problems,
in the ACL), it will tmp reject the message, the sender will retry it.

If Exim can't route/transport the message (because of an invalid
configuration), *after* Exim acknowledged the message to the sender,
Exim will freeze that message and you can handle the problem.

Of course, there are more scenarios, where messages will get lost. But
Exim is fairly robust against such scenarios. Biggest problem are
logical errors, that are no configuration errors. But this is unlikely to
happen, if you've a working config.

The Exim maintainers are careful in retaining compatibility with
configurations written for previous releases.

> configuration and messages get rejected. In order to avoid that I was thinking
> of either redirecting via DNS to a server which does not listen to port 25 to
> enforce the sender to try again. Or redirect via DNS to a server which buffers
> all incoming messages until the Stretch setup is tested (not sure which server
> software does this though...).

Just block (DROP) incoming traffic on Port 25 and do some testing from
IPs you do not block. Or use swaks for ACL testing, use exim -N, exim
-bv, exim -bt for testing.

Redirecting messages to another server may impose more problems,
depending on how this fallback server handles the mail it queued. (E.g.
SPF may be broken for SPF protected domains, if the fallback now
delivers the messages to your box)

Best regards from Dresden/Germany
Many greetings from Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --------------- key ID: F69376CE -
! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
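
The "DROP port 25 except for your own test hosts" approach from this message and from Jasen Betts's reply, as an added example that neither poster wrote: `smtp_window` validates the tester addresses and prints the iptables commands to open and later close the maintenance window. The INPUT chain, IPv4-only handling, the function names and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Prints iptables commands for review
# rather than running them; INPUT chain and IPv4-only are assumptions.

# valid_ipv4 ADDR: succeed for a dotted quad (octets 0-255), optional /0-32.
valid_ipv4() {
    case $1 in ''|*[!0-9./]*) return 1 ;; esac   # rejects spaces, ';', newlines
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' || return 1
    printf '%s\n' "$1" | awk -F'[./]' '
        { for (i = 1; i <= 4; i++) if ($i > 255) exit 1
          if (NF == 5 && $5 > 32) exit 1 }'
}

# smtp_window open|close TESTER...
#   open : DROP inbound tcp/25, with an ACCEPT for each tester placed above it
#   close: delete exactly those rules again
# DROP (not REJECT) leaves remote MTAs to time out and retry on their own
# schedule. 127.0.0.1 is only exempt if it is listed as a tester.
smtp_window() {
    mode=$1
    case $mode in
        open|close) shift ;;
        *) echo "usage: smtp_window open|close TESTER..." >&2; return 2 ;;
    esac
    [ $# -gt 0 ] || { echo "refusing: no tester address given" >&2; return 2; }
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "bad IPv4 address: $ip" >&2; return 2; }
    done
    if [ "$mode" = open ]; then
        # Each "-I INPUT 1" goes to the top, so the ACCEPTs end up above the DROP.
        echo "iptables -I INPUT 1 -p tcp --dport 25 -j DROP"
        for ip in "$@"; do
            echo "iptables -I INPUT 1 -p tcp --dport 25 -s $ip -j ACCEPT"
        done
    else
        echo "iptables -D INPUT -p tcp --dport 25 -j DROP"
        for ip in "$@"; do
            echo "iptables -D INPUT -p tcp --dport 25 -s $ip -j ACCEPT"
        done
    fi
}

# Constructed sample (RFC 5737 documentation addresses):
#   smtp_window open 192.0.2.10 198.51.100.0/24
```

If the host also accepts SMTP over IPv6, the same rules are needed through ip6tables, otherwise public mail still arrives during the window.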
Re: Server Upgrade
On 14/04/2019 02:40, Jasen Betts via Exim-users wrote:
> On 2019-04-13, Rainer Dorsch via Exim-users <exim-users@exim.org> wrote:
>> Hi,
>>
>> I want to upgrade my server from Debian Jessie to Debian Stretch. I am afraid
>> that at some time during the upgrade process, there is an invalid exim
>> configuration and messages get rejected. In order to avoid that I was thinking
>> of either redirecting via DNS to a server which does not listen to port 25 to
>> enforce the sender to try again. Or redirect via DNS to a server which buffers
>> all incoming messages until the Stretch setup is tested (not sure which server
>> software does this though...).
>>
>> Can anybody recommend one of the approaches or even propose something
>> better...?
> Use iptables rules to block the public allowing only your tests to
> reach exim.
>
> If you have not edited any Debian conffiles the upgrade should proceed
> smoothly with only a brief outage, no spurious rejects.
>
> During the upgrade process a bad config is much more likely to prevent
> exim from running than to cause spurious rejects.
>
> I use Debian's split config which allows me to separate my config
> tweaks from the Debian provided conf files, this vastly reduces the
> amount of editing needed during upgrades.


I prefer a simple life so dumped Ubuntu and Debian due to systemd
entanglement and switched to Devuan 'Ascii' but have now upgraded to
Devuan 'Beowulf' in order to get OpenSSL 1.1.1, TLSv1.3 etc.

Installed build-essential, libsrs-alt and a load of development headers,
pulled Exim 4.92 and compiled from source. Everything compiles clean
under GCC8 and works as expected.

I use a single, monolithic, configuration file /etc/exim/exim.conf.

I'm just about to make it live on three email relays over the bank holiday.

Life is simple and everything 'just works'(tm) and it ought to ... YMMV ;-)


Mike



