Copy the disc

At the destination server start netcat listening to a port (in this example 43333), redirecting all its input to a file. If you connect using SSH do it in a screen so you can close the session.

At the origin server use dd to dump its disk. It is then compressed and sent to the netcat at port 43333 waiting with the command above. Gzip compresses the stream and reduces the amount of data to be transferred over the net. Our disk was 72 GB and took 4 hours to 10 Mbps, via the Internet.

Note: The syntax of nc depends on the package you have installed. In this example it is netcat-openbsd.

Review the file systems

Now you have a disk image named disk.raw in the desination server. But the origin server was accessing its filesystems while dd was reading: you should run an fsck of them. If you are lucky the filesystem should not be badly damaged.

In Linux you can configure a file to be treated as a device assigning it to a loop device. We check the next free loop device.

Assign disk.raw to loop0 and it can be accessed using /dev/loop0

Now read loop0 partitions and create appropriate devices to access it, we use kpartx.

The partitions are accessible via /dev/mapper/loop0p[n]. Do an fsck.

At this point you can mount the partitions to verify that the files are indeed there and maybe fix the device names in /etc/fstab.

Before starting the virtual machine, you need to undo this process to prevent damage to the filesystem.

Create the virtual machine

Create a KVM virtual machine with disk.raw attached and try booting.

It may not boot because the device name of the disc may have changed and the kernel does not find the root filesystem. Using the KVM console you will have to fix the line in GRUB or LILO, correcting the root = option in the kernel line. When it finally boots remember to fix the boot loader and /etc/fstab.

In our case the physical device /dev/cciss/c0d0p[n] became /dev/hda[n] in the VM.

Wrapping up

You must configure the new virtual network interface and verify that the services work properly.

During the virtualization the data on the original physical server has been updated and it must be synchronized before any real server change. So stop the service within a maintenance window, sync the data and then you can change DNS zones or whatever. Downtime has been minimized.

The procedure explained here is about how to tell a Postfix filter which are the recipients of an Exchange MTA and thus avoid becoming a backscatter

What is Backscatting?

When a server receives an email for an address that does not exist, it should reject it during the SMTP conversation, when the origin server is still connected. Thus the origin can inform the real sender about the problem. Otherwise, if the server accepts an email which is unable to deliver, it must generate a bounce that will be sent to the mail “From” header. Spammers manipulate the sender header of messages, and a misconfigured server ends up sending spam bounces. This type of spam is called Backscatter.

Postfix in front of an Exchange

In our scenario we have a Postfix MTA that receives mail, checks it with for spam, virus and other policies, and finally sends it to a Microsoft Exchange. Since this Postfix MTA does not have mailboxes, we were accepting all mail addressed to our domains. After a while our IP was added to a blacklist for Backscatting.

To fix this we need to know which mailboxes exist in Exchange, in order to reject emails to recipients that does not exist.

The easy part is the Postfix setup, at main.cf we add relay_recipient_maps, to check recipients.

we create /etc/postfix/relay_recipients with mailbox list, like this:

we need to do postmap and reload postfix

Keep the list updated

We are not generating Backscatting any more, but must keep the mailbox list up to date. That list is stored in an ActiveDirectory, to get it we used this VBS script, with some changes:

the script output looks like this:

the script is called daily from a scheduled task and writes the mailbox list to a file named virtual.txt
To access this file from Postfix server we decided to mount its folder with cifs+autofs. We installed and configured autofs:

so when accessing to /auto/activedirectory it will mount //192.168.1.17/spamassassin through samba, that’s where we left the VBS script and the virtual.txt file

Finally another script, called from cron, updates the relay_recipients file and restarts postfix if anything changed

PHP4 as CGI

In order to install php4-cgi we choose to add the amazing debian snapshots archive to apt sources.list. This gives us access to old Debian packages (there are other methods).

install php4 normally

to configure an Apache VirtualHost to use PHP4 instead of PHP5 add this configuration: