hMailServer Backups 2014-03-03
This is how I back up my hMailServer installation, it is not necessarily better than anyone else's backup solution, it is just how I do it. This backup strategy essentially makes a copy of the hMailServer's config and data to a remote location nightly using WinSCP's scripting abilities through an encrypted FreeSSHd tunnel. hMailServer and WinSCP are open source while FreeSSHd is free (source can be purchased). Hopefully this'll help someone who needs a backup plan.
The hMailServer Installation
The first thing you need is a working install of hMailServer. It is not hard to setup and will have three important pieces you will want to back up:
- The data directory (where emails are stored)
- The configuration settings (domains, users, protocols, etc.)
- The database (message list and statuses)
The database and configs are typically not very big, but the data directory can be quite large if you have a lot of email.
The Remote Backup Server
For a remote backup server all you really need is any Windows based PC that can run WinSCP and enough disk space to hold the backups. Obviously you need some kind of Internet connection if this machines is going to be at a remote location, and the faster the connection the faster it can backup (though my crappy DSL connection works for my backups).
On The Mail Server
The mail server needs to do a couple of things prior to the remote backup server's connection, fortunately they don't take long at all. I have a nightly maintenance batch file that runs at midnight and includes these commands:
mysqldump -pPASSWORD -u root hmail > C:\Backups\MySQL\hmail.sql
cscript //b //nologo C:\hMail\Addons\Utilities\StartBackup.vbs
In my hMailServer admin GUI I have gone to the Backup page and setup a location for my backups to go and I have selected to only backup domains and config. I have also edited my StartBackup.vbs and added my admin password so the backups will work.
As you can see, I have created a C:\Backups directory and then directories below it to store data for individual applications. You can store this stuff anywhere you like but I would suggest a nice centralized location which will make your WinSCP scripts a little easier later on.
Now that I have automated the backups of the configs and database, I setup FreeSSHd to allow access to the server from remote. The application installs pretty easily, but the process of making some keys is a little more involved. It is possible to just use name/password authentication but I prefer using keys since it offers an extra layer of security. Open your FreeSSHd settings and make the Authentication tab look like this
This will obviously disable user/password authentication and force the use of keys. It is also important to take note of the Public key folder setting here because you will need to drop a key in to it later. It also makes sense to set the SFTP root directory at this time (see the SFTP tab). If you are appropriately paranoid you may also want to check out:
- the Logging tab, to setup a log file
- the Host Restrictions tab to limit IP's that can connect
- and the SSH tab to set a non-standard port for SSH
Now before you make a user, it probably makes sense to make your user a key for logging in with. Grab up PuTTYGen and run it on your mail server. Change the number of bits at the bottom right from 2048 to 1024 and click Generate. It will ask you to move the mouse around to generate random data and then eventually present you with your key.
Select the text in the box as shown, copy and paste it in to a file named backup with no extension in the Public key folder that you took note of above. The name of this file is important because it must match the name of the user you will create in FreeSSHd and the content must all be on one line when pasted in. If your key authentication is not working it is very likely this step that is going wrong.
You can elect to include a password here or not but it would seem a little silly not to. Now click the Save private key button and save it on your remote server (or at least somewhere safe that you can use to transport it to your remote server).
Now that you have your keys all set, go back to your FreeSSHd and create a user named backup after the file you dumped in the Public key folder. Give this user SFTP permissions and set his password to key authentication.
On Your Router
In order for your backups to work from remote you'll need to forward the appropriate port from your FreeSSHd setup above to your mail server. Since you have already had to forward tcp port 25 to your mail server to get it working, I have got to assume you can forward some other port as well. if you are feeling really adventurous you can take a stab at a manual Debian based router featuring iptables and ipset.
The Remote Backup Server
Over on your remote server you now need to setup WinSCP and give it the key (the .ppk portion that is). The install is pretty straightforward, and once you have it running you need to setup a new session like this:
Hostname is obviously the external name to access your mail server, port is the non-standard port you should have set FreeSSHd to run on, username is the exact name (remember the lecture from before) as in FreeSSHd, and the password is the password you set in PuTTYGen when you saved the .PPK file. Then you have to click on the Advanced button which opens a new window... in this new window you click Authentication in the left pane and browse to the .PPK in the right pane. If WinSCP bitches that it doesn't understand the format of your .PPK don't worry, it'll still work, click Ignore and move on.
There are a parade of options you can set in WinSCP, feel free to peruse them all but frankly many of them are fine at their defaults. Save the session (I used the name backup_hmail in this example) and include the password even though WinSCP will warn you about it. Try connecting and hopefully if everything worked you'll get a local and remote directory listing kind of like a typical GUI FTP client. Next, to automate the backups you need to make a batch file that can be scheduled, and a WinSCP script that handles the connection and sync. The batch file is easy... it looks like this:
cd "\program files\winscp"
A good idea is to of course set this to run a little after your scheduled task on the mail server so the database and config backups get included in the sync. The WinSCP script is only marginally more complicated than the batch file:
option batch continue
option confirm off
option reconnecttime 9
synchronize local -speed=32 -transfer=binary -criteria=time -delete "D:\Backups\Thing1" "/Backups/Thing1"
synchronize local -speed=32 -transfer=binary -criteria=time -delete "D:\Backups\Thing2" "/Backups/Thing2"
In the first line backup_hmail is the name you used when you saved the session, the next few options are just for running automated, and then the synchronize lines do the actual work. The options should be fairly self explanatory but I think it is important to note:
- local: This means that the local side of the sync changes, and the remote does not. In short, all changes propagate towards the backup server.
- speed=32: I limit my transfers to 32kbps just to keep it from soaking up my bandwidth, even if you don't want to limit yours I would suggest limiting it to 90% of your available bandwidth anyways.
- transfer=binary: File sizes seemed to be different if not using this. I am under the impression that this is the difference in CRLF characters in Windows vs. *ix.
- criteria=time: I found this necessary to make downloading only changed items work properly. Without it my scripts would keep downloading everything.
- delete: This means that if an email (or other file) is deleted at the source, then it will be deleted in the backup. If you do not include this then the emails could start to pile up on your backup server.
Finally, the last two arguments are the source and destination. There is plenty of documentation at the WinSCP site about their scripting features, the synchronize command is likely to be the one you are most interested in.
There are no notifications and there is little error checking in this setup so it is not a bad idea to run the batch file manually now and then so you can watch it to see if anything barfs. If anyone uses this or has any suggestions or comments I'd love to hear about it.