On Fri, Aug 14, 2009 at 5:17 PM, Sahil Tandon<sa...@tandon.net> wrote:
> On Fri, 14 Aug 2009, Timo Sirainen wrote:
>
>> On Aug 14, 2009, at 12:36 AM, Gary Chodos wrote:
>>
>>> We have to replace one mail store (foo.example.org) with another
>>> (bar.example.org). I rsync'd the maildirs from foo to bar today and
>>> the plan is to hold all delivery (in the SMTP server) on foo over the
>>> weekend, rsync again (this time it should be much faster since the
>>> large xfer already occurred today), then flush the SMTP queue on foo
>>> towards bar, direct all new deliveries to bar.example.org. Users
>>> currently access their IMAP mailboxes via imap.example.org. I plan to
>>> just 'flip the switch' at DNS so imap.example.org points to
>>> bar.example.org (instead of foo.example.org) so users don't have to
>>> change anything on their end and should not even notice this change.
>>
>> And I guess you also thought about the DNS cache TTLs?
>
> The OP should also consider killing dovecot during the rsync (similar to what
> another member of this list suggested). Then restart with a new
> configuration that proxies incoming IMAP connections towards the new server
> in case some clients still hit the old server before full DNS propagation.

To make the proxy feature work I had to allow plaintext auth on 143 from old -> new server. I use firewall rules to prohibit anyone except the old server from accessing the new one on port 143. Does this pose a security issue? Is there something else I should do to prevent security holes?
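
The firewall restriction described in the message above can be checked mechanically. The following is an added example, not part of the original post: it assumes the new server uses iptables, and the rule set, the addresses (192.0.2.10 standing in for the old server) and the interface name are constructed.

```python
import ipaddress

# Constructed iptables-save output for the new server (bar). Addresses are
# documentation ranges; 192.0.2.10 stands in for the old server (foo).
RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
COMMIT
"""

def verdict(rules, src, dport, iface="eth0"):
    """First-match verdict for a TCP packet from src to dport on the INPUT chain."""
    policy = None
    src = ipaddress.ip_address(src)
    for line in rules.splitlines():
        if line.startswith(":INPUT "):
            policy = line.split()[1]            # chain default policy
        if not line.startswith("-A INPUT "):
            continue
        tok = line.split()[2:]
        opts = dict(zip(tok[0::2], tok[1::2]))  # every supported option takes one value
        unknown = set(opts) - {"-s", "-p", "-m", "--dport", "-i", "-j"}
        if (unknown or opts.get("-m", "tcp") != "tcp"
                or opts.get("-j") not in ("ACCEPT", "DROP", "REJECT")):
            raise ValueError(f"unsupported rule, review by hand: {line}")
        if "-s" in opts and src not in ipaddress.ip_network(opts["-s"], strict=False):
            continue
        if opts.get("-p", "tcp") != "tcp":
            continue
        if "--dport" in opts and int(opts["--dport"]) != dport:
            continue
        if "-i" in opts and opts["-i"] != iface:
            continue
        return opts["-j"]
    return policy

def audit_plaintext_imap(rules, old_server, outsiders):
    """Port 143 must accept the proxying old server and nobody else."""
    findings = []
    if verdict(rules, old_server, 143) != "ACCEPT":
        findings.append(f"proxy source {old_server} cannot reach 143")
    for ip in outsiders:
        if verdict(rules, ip, 143) == "ACCEPT":
            findings.append(f"{ip} can reach plaintext IMAP on 143")
    return findings
```

The simulator deliberately refuses rules it does not model (negation, state matches, jumps to custom chains), so an unexpected rule fails loudly instead of being silently skipped.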