Alpine Linux - User contributions [en]

Protecting your email server with Alpine

2025-09-08T20:51:59Z

Chocolatine31: correcting few typos in the commands formating

{{Obsolete|These directions are for Alpine 1.7..............}}

This document will outline how you can setup a spam/virus gateway with Alpine Linux. I want to say first that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!

First thing I want to mention is, it is probably not a good way to setup Postfix on a disk less system (having the mailer spool in memory). If you would ever suffer from power failure you would loose the contents of your Postfix spool. That said, in our organization we are using a UPS device to supply our servers with backup power, so the chances that our server would shutdown because of power failure is minimal (and we are prepared to take this risk).

For this particular setup we are going to use the following:

* Mailer daemon: Postfix
* Virus scanner: Clamav
* SMTP filter: Clamsmtp
* Greylisting server: Gross
* Extra definitions: SaneSecurity & MSRBL
* Exchange 2003 users/groups in relay_recipient_maps
* Alpine Linux 1.7.19 (some packages are not available before this version)

== Setting up the Mailer daemon ==
The first thing we are going to install is our mailer daemon:

{{Cmd|apk add postfix}}

This will install Postfix with a default configuration in /etc/postfix. Lets first take a look at main.cf, this is the (as the name implies) main configuration file for Postfix. I will show you my configuration file which you can use (I've commented out some options which we enable later on):

mynetworks = '''lan-net'''/24, 127.0.0.0/8
transport_maps = hash:/etc/postfix/transport
relay_domains = $transport_maps
smtpd_helo_required = yes
'''disable_vrfy_command = yes'''
#relay_recipient_maps = hash:/etc/postfix/exchange_receipients

smtpd_recipient_restrictions =
reject_invalid_hostname,
reject_non_fqdn_hostname,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
permit_mynetworks,
reject_unauth_destination,
#check_policy_service inet:127.0.0.1:5525,
#
# in case you want reject DNS blacklists rather than greylist them
# with gross, uncomment the lines below
#
# reject_rbl_client cbl.abuseat.org,
# reject_rbl_client sbl.spamhaus.org,
# reject_rbl_client pbl.spamhaus.org,
# reject_rbl_client bl.spamcop.net,
# reject_rbl_client list.dsbl.org,
permit

smtpd_data_restrictions =
reject_unauth_pipelining,
permit

#content_filter = scan:[127.0.0.1]:10025

{{Note|Don't forget to change '''lan-net''' to your lan subnet.}}

These are the minimal settings I use to setup a postfix mail gateway. If you are looking for other settings please issue the following command:

{{Cmd|postconf |more}}

This will display your current default configuration. If you want to change any of these settings you can add them to main.cf and reload postfix. Looking at my main.cf file you will see the setting "transport_maps". This setting refers to a file inside the postfix config directory which will hold information for postfix to which server it should forward email to. It should look similar like this:

domain-a.tld smtp:[192.168.1.1]
domain-b.tld smtp:[192.168.1.2]

When ever an email enters our mail gateway for a domain specified in our "transport_maps" file it will forward this email after processing to the IP address assigned. For complete documentation please refer to the postfix docs. When are ready editing this file, issue the following command:

{{Cmd|postmap /etc/postfix/transport}}

This will create a hash db of this file which will be easier/faster for postfix to read. The second setting we will look at is 'relay_domains". This setting will tell postfix for which domains it will relay emails. Because this setting will most probably be the same as the domains we mention in "transport_maps" we can just link to it. Now your basic email gateway is ready and you can start it but remember there will be no virus or spam filtering.

{{Cmd|rc-service postfix start}}

We can start it at boot:

{{Cmd|rc-update add postfix}}

== Setting up the Virus scanner ==

To be able to filter out viruses from our emails we need a virus scanner. The only real open-source solution available is Clamav. Lets install it:

{{Cmd|apk add clamav}}

We will be using the daemonized version of Clamav "clamd". There is nothing we need to change for Clamav, we can use the default settings and the virus definitions are automatically updated with freshclam. Lets start it:

{{Cmd|rc-service clamd start}}

Lets start it at boot:

{{Cmd|rc-update add clamd}}

{{Note|I have had memory issues with clamd on Alpine. I am still looking for an solution regarding this. For now I advise you to restart clamd with cron everyday.}}

'''UPDATE:''' See https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1028 this should be fixed in clamav 0.93.1

== Setting up the SMTP filter ==

Ok so now we got a mail daemon and a virus daemon installed and setup ready. Now we need the two daemons to talk to each other. The most popular tool to do so is amavisd-new but it is based on Perl and I don't like it because Perl can be a resource hog and I'm not planning to install it on my Alpine install. Another lighter C-based solution is Clamsmtp. It is a SMTP filter which listens for incoming connections and scans the emails with clamd and forwards it back again to the MTA. It doesn't come with a lot of features like amavisd-new does but its enough for me. Lets install it:

{{Cmd|apk add clamsmtp}}

Here is my clamsmtp.conf configuration file:

OutAddress: 127.0.0.1:10026
Listen: 127.0.0.1:10025
ClamAddress: /var/run/clamav/clamd.sock
TempDirectory: /tmp
Action: drop
Quarantine: on
User: clamav
VirusAction: /etc/postfix/scripts/virus_action.sh

Clamsmtp has support for a virus action script which will be run each time clamd returns a positive detection. I have included my virus action script here but it has not been tested enough so use it at your own risk! Make sure you set the correct permissions on the /etc/postfix/scripts/ directory because clamsmtp will run as user clamav. Monitor the log file in your /tmp directory.

[[virus_action.sh]]

{{Note|Here in our organization we are running Exchange 2003. Exchange has support for public folders which is a good way of storing the files we filter with Clamsmtp. Make sure you have proper permissions and size limitations for the public folder so it doesn't get to big and other people cannot access the folder, remember it will contain viruses!}}

Ok lets configure postfix for clamsmtp by editing our master.cf and adding the following lines to the end of the file:

# AV scan filter (used by content_filter)
scan unix - - n - 16 smtp
-o smtp_send_xforward_command=yes
-o smtp_enforce_tls=no
# For injecting mail back into postfix from the filter
127.0.0.1:10026 inet n - n - 16 smtpd
-o content_filter=
-o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
-o smtpd_helo_restrictions=
-o smtpd_client_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks_style=host
-o smtpd_authorized_xforward_hosts=127.0.0.0/8

Lets start Clamsmtp:

{{Cmd|rc-service clamstmp start}}

And add it to our system start:

{{Cmd|rc-update add clamsmtp}}

If you are sure all your settings are correct we can uncomment the "content_filter" line in our main.cf which will enable Clamsmtp for Postfix and run:

{{Cmd|postfix reload}}

== Setting up the Greylisting Server ==

I have used greylisting for several months now and while it has it positive affects it also has its negative. One of the positive affects is that you will get almost no spam/virus emails into your system anymore but it will introduce a delay to a part of you email traffic. If your organization is big enough you will start to notice people complain about delayed emails, this is where Gross will jump in. It still uses greylisting but it will not do so for all hosts but only the ones that are matched to the specified DNSBL databases. If you want to find out more regarding gross please go to their website:

https://code.google.com/p/gross/

Lets install gross:

{{Cmd|apk add gross}}

Here is my grossd.conf file:

protocol = postfix
statefile = /var/db/gross/state
check = dnsbl
check = rhsbl
dnsbl = zen.spamhaus.org
dnsbl = list.dsbl.org
dnsbl = bl.spamcop.net
dnsbl = combined.njabl.org
dnsbl = cbl.abuseat.org
dnsbl = dnsbl.sorbs.net
rhsbl = rhsbl.sorbs.net

Lets start grossd:

{{Cmd|rc-service grossd start}}

{{Note| The init file for gross will automatically generate the grossd state file in the directory specified in its config file. Because we are running Alpine from memory the state file is not saved to disk so we need to add it to our backup with lbu_commit. The safest way to do this is the first stop grossd before committing the changes to our backup.}}

{{Cmd|lbu_include /var/db/gross/state}}

{{Cmd|rc-service grossd stop}}

{{Cmd|lbu_commit}}

{{Cmd|rc-service grossd start}}

Let's start it at boot:

{{Cmd|rc-update add grossd}}

Now we need to make Postfix use our greylisting service by uncommenting the "check_policy_service" line in our main.cf and run:

{{Cmd|postfix reload}}

== Setting up SaneSecurity & MSRBL extra definitions ==
Another good way of catching SPAM is Sanesecurity and MSRBL definitions. You can find more information regarding these definitions here:

https://www.sanesecurity.co.uk/

To use the following script you will need to install the following packages:

{{Cmd|apk add curl rsync}}

[[up_clam_ex.sh]]

Add this script to this /etc/postfix/scripts/ directory

And add this script to cron:
echo "37 03 * * * /etc/postfix/scripts/up_clam_ex.sh &> /dev/nul" >> /etc/crontabs/root

{{Note|Please adjust the time so not everybody runs it at the same time.}}

And make sure cron is running at boot:

{{Cmd|rc-update add cron}}

== Exchange 2003 & relay_recipient_maps ==
Postfix will process mail for every email address which are specified in "relay_domains". Because we want to prevent Postfix to process emails for destinations which do not exist, we add the relay_recipient_maps option to our main.cf file. I've already added it so it only needs to be uncommented. I have included a Visual Basic script here which will extract all valid email addresses of users and groups in exchange 2003 and put them in a text file inside the root of our IIS server. I've also included a script which will download this file and process it to a db which can be read by Postfix. Put the following file somewhere on your exchange server and make it run every so much time with a windows task:

[[export_receipts.vbs]]

Download the following file and move it to:

[[exchange_receipients.sh]]

/etc/postfix/scripts/

And change it's settings and add it to cron. I've setup a time 10 minutes after I run the vbs script on my exchange server:

echo "10,40 * * * * /etc/postfix/scripts/exchange_receipients.sh &> /dev/nul" >> /etc/crontabs/root

[[Category:Mail]]

Hosting Web/Email services on Alpine

2025-09-08T20:47:18Z

Chocolatine31: typo in a package name (clamsmtpd instead of clamsmtp)

{{Merge|Hosting services on Alpine}}

= Introduction =

This information was pulled from a few other pages on the Alpine Wiki website, see links, along with the websites for the particular packages. It is a suggestion/step by step instruction guide.

You might be wondering, why would anyone want to run Web and Email services off a Linux install that runs in ram? Good question. With Vservers we can run the host in Memory and do all sorts of things with the guests. Put the guests on DAS in the host machine or do raided iSCSI for the guest. This way if your disks start going bad or drop off entirely you most likely will be able to get at the data from a running system.

Guest OS here or
[Host Alpine Box] --------------------- [DAS]
| |
| |Guest OS here
| |
iSCSI iSCSI

== Web Services ==
There are many http servers out there. Alpine comes with a few different ones. For this guide we installed lighttpd.

apk update
apk add lighttpd openssl php

Most everything is already taken care of with lighttpd. Make sure to uncomment the ssl options
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/server.pem"

rc-service lighttpd start
See below for generating the server.pem

Now you can start using lighttpd and start making your own website. Alpine come with phpBB and mediawiki if you want to use those. You may have to use a sql database. The place to put your pages is
/var/www/localhost/htdocs/
By default lighttpd uses symlinks and does so correctly. So you can just symlink to directories when your pages may be also
ln -s /home/user/htdocs /var/www/localhost/htdocs/user

===Generating the Server.pem===
For other services we are also going to be using ssl. An easy way to just start using it is generating your own self sign cert. Script and Configuration file taken from setup-webconf script on Alpine.

ssl.cnf
[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no
[ req_dn ]
OU=HTTPS server
CN=example.net
emailAddress=postmaster@example.net
[ cert_type ]
nsCertType = server

ssl.sh
#/bin/sh
openssl genrsa 512/1024 >server.pem
openssl req -new -key server.pem -days 365 -out request.pem
openssl genrsa 2048 > keyfile.pem
openssl req -new -x509 -nodes -sha1 -days 3650 -key keyfile.pem \
-config ssl.cnf > server.pem
cat keyfile.pem >> server.pem

If you use this to generate the ssl certs for other services you may just change the req_dn information.

==Mail Services==

Some of the information presented can be found here also. This though is for a email gateway.
[[Protecting your email server with Alpine]]

apk add postfix dovecot clamav clamsmtp gross

===Postfix===
Postfix has a few things that need to be added to its configuration so that it can send email through clamav and also so it will accept mail for domains and users.

====Main.cf====
vi /etc/postfix/main.cf
#/etc/postfix/main.cf
myhostname = mx.example.net
mydomain = example.net
relayhost = #blank will do dns lookups for destinations
home_maildir = Maildir/
smtpd_banner = $myhostname ESMTP #The way postfix answers.
transport_maps = hash:/etc/postfix/transport #Place to add how you want to route domains. See example below. Show how to host more than one domain.
local_transport = virtual
virtual_mailbox_domains = example.net, bobo.net #list of hosted domains
virtual_mailbox_base = /var/spool/vhosts
virtual_uid_maps = static:1004 # uid of user to be used to read/write mail
virtual_gid_maps = static:1004 # gid of user to be used to read/write mail
virtual_alias_maps = hash:/etc/postfix/valias #alias for each different hosted domain. See below.
virtual_mailbox_maps = hash:/etc/postfix/vmap #where and what mailbox to drop the mail to. See below.
smtpd_helo_required = yes
disable_vrfy_command = yes
content_filter = scan:[127.0.0.1]:10025 # clamscan to be configured later
smtpd_recipient_restrictions = reject_unauth_pipelining, permit_sasl_authenticated,permit_mynetworks,reject_invalid_hostname, reject_non_fqdn_hostname,reject_non_fqdn_sender, reject_non_fqdn_recipient,reject_unknown_sender_domain, reject_unknown_recipient_domain,reject_unauth_destination, check_policy_service inet:127.0.0.1:5525,permit
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_tls_cert_file = /etc/ssl/postfix/server.pem
smtpd_tls_key_file = $smtpd_tls_cert_file

====Master.cf====
Settings in the master.cf for virus/spam scanning. Add these to the end of the file. Similar to those found [[Protecting your email server with Alpine]].

scan unix - - n - 16 smtp
-o smtp_send_xforward_command=yes
-o smtp_enforce_tsl=no
127.0.0.1:10026 inet n - n - 16 smtpd
-o content_filter=
-o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
-o smtpd_helo_restrictions=
-o smtpd_client_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks_style=host
-o smtpd_authorized_xforward_host=127.0.0.1/8

====Valias====
#etc/postfix/valias
postmaster@example.net user1@example.net
hostmaster@example.net user2@example.net
hostmaster@bobo.net user1@example.net
postmaster@bobo.net user2@bobo.net

====Vmap====
#/etc/postfix/vmap
user1@example.net example.net/user1
user2@example.net example.net/user2
@example.net example.net/catchall #everyone else doesn't match rule above

====Transport====
#/etc/postfix/transport
example.net virtual:
bobo.net virtual:
foo.net smtp:1.2.3.4 #send foo.net through this smtp server
* : #everything else go through relayhost rule

Once these files are created you will need to make them into .db files
postmap valias
postmap transport
postmap vmap

===Dovecot===
Dovecot on Alpine will only do imap and imaps services for now.

Most of dovecot is configured already for imap. You may have to gen the key as shown above. Just change the cnf file a little to say something about mail.domainname.

ssl_cert_file = /etc/ssl/dovecot/server.pem
ssl_key_file = /etc/ssl/dovecot/keyfile.pem
mail_location = maildir:/var/spool/vhosts/&d/%n
valid_chroot_dirs = /var/spool/vhosts
passdb passwd-file {
args = /etc/dovecot/passwd
}
userdb passwd-file {
args = /etc/dovecot/users
}
#section for postfix sasl auth
socket listen {
client {
path = /var/spool/postfix/private/auth
user = postfix
group = postfix
mode = 0660
}
}

To generate the passwords you can use the dovecotpw command.
dovecotpw -s MD5-CRYPT

The hash below can be used for the password test123

The /etc/dovecot/passwd file should look like this:
user1@example.net:$1$tz5sbjAD$Wq9.NkSyNo/oElzFgI68.0
user2@example.net:$1$tz5sbjAD$Wq9.NkSyNo/oElzFgI68.0

THe /etc/dovecot/userdb file should look like this:
user1@example.net::1004:1004::/var/spool/vhosts/example.net/:/bin/false::
user2@example.net::1004:1004::/var/spool/vhosts/example.net/:/bin/false::
user@domain::uid : gid of found in virtual_uid_maps::location of maildir:shell::

===Clamsmtpd===
Configure according to instructions [[Protecting your email server with Alpine]]

===Gross===
Configure according to instructions [[Protecting your email server with Alpine]]

===Final Steps ===
Start the services and make sure to rc-update them
rc-service postfix start
rc-update add postfix default

[[Category:Server]]
[[Category:Mail]]

Hosting Web/Email services on Alpine

2025-09-08T20:39:41Z

Chocolatine31: Update some 'apk' and 'rc-update' command to match their current state (wasn't updated since 2008)

{{Merge|Hosting services on Alpine}}

= Introduction =

This information was pulled from a few other pages on the Alpine Wiki website, see links, along with the websites for the particular packages. It is a suggestion/step by step instruction guide.

You might be wondering, why would anyone want to run Web and Email services off a Linux install that runs in ram? Good question. With Vservers we can run the host in Memory and do all sorts of things with the guests. Put the guests on DAS in the host machine or do raided iSCSI for the guest. This way if your disks start going bad or drop off entirely you most likely will be able to get at the data from a running system.

Guest OS here or
[Host Alpine Box] --------------------- [DAS]
| |
| |Guest OS here
| |
iSCSI iSCSI

== Web Services ==
There are many http servers out there. Alpine comes with a few different ones. For this guide we installed lighttpd.

apk update
apk add lighttpd openssl php

Most everything is already taken care of with lighttpd. Make sure to uncomment the ssl options
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/server.pem"

rc-service lighttpd start
See below for generating the server.pem

Now you can start using lighttpd and start making your own website. Alpine come with phpBB and mediawiki if you want to use those. You may have to use a sql database. The place to put your pages is
/var/www/localhost/htdocs/
By default lighttpd uses symlinks and does so correctly. So you can just symlink to directories when your pages may be also
ln -s /home/user/htdocs /var/www/localhost/htdocs/user

===Generating the Server.pem===
For other services we are also going to be using ssl. An easy way to just start using it is generating your own self sign cert. Script and Configuration file taken from setup-webconf script on Alpine.

ssl.cnf
[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no
[ req_dn ]
OU=HTTPS server
CN=example.net
emailAddress=postmaster@example.net
[ cert_type ]
nsCertType = server

ssl.sh
#/bin/sh
openssl genrsa 512/1024 >server.pem
openssl req -new -key server.pem -days 365 -out request.pem
openssl genrsa 2048 > keyfile.pem
openssl req -new -x509 -nodes -sha1 -days 3650 -key keyfile.pem \
-config ssl.cnf > server.pem
cat keyfile.pem >> server.pem

If you use this to generate the ssl certs for other services you may just change the req_dn information.

==Mail Services==

Some of the information presented can be found here also. This though is for a email gateway.
[[Protecting your email server with Alpine]]

apk add postfix dovecot clamav clamsmtpd gross

===Postfix===
Postfix has a few things that need to be added to its configuration so that it can send email through clamav and also so it will accept mail for domains and users.

====Main.cf====
vi /etc/postfix/main.cf
#/etc/postfix/main.cf
myhostname = mx.example.net
mydomain = example.net
relayhost = #blank will do dns lookups for destinations
home_maildir = Maildir/
smtpd_banner = $myhostname ESMTP #The way postfix answers.
transport_maps = hash:/etc/postfix/transport #Place to add how you want to route domains. See example below. Show how to host more than one domain.
local_transport = virtual
virtual_mailbox_domains = example.net, bobo.net #list of hosted domains
virtual_mailbox_base = /var/spool/vhosts
virtual_uid_maps = static:1004 # uid of user to be used to read/write mail
virtual_gid_maps = static:1004 # gid of user to be used to read/write mail
virtual_alias_maps = hash:/etc/postfix/valias #alias for each different hosted domain. See below.
virtual_mailbox_maps = hash:/etc/postfix/vmap #where and what mailbox to drop the mail to. See below.
smtpd_helo_required = yes
disable_vrfy_command = yes
content_filter = scan:[127.0.0.1]:10025 # clamscan to be configured later
smtpd_recipient_restrictions = reject_unauth_pipelining, permit_sasl_authenticated,permit_mynetworks,reject_invalid_hostname, reject_non_fqdn_hostname,reject_non_fqdn_sender, reject_non_fqdn_recipient,reject_unknown_sender_domain, reject_unknown_recipient_domain,reject_unauth_destination, check_policy_service inet:127.0.0.1:5525,permit
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_tls_cert_file = /etc/ssl/postfix/server.pem
smtpd_tls_key_file = $smtpd_tls_cert_file

====Master.cf====
Settings in the master.cf for virus/spam scanning. Add these to the end of the file. Similar to those found [[Protecting your email server with Alpine]].

scan unix - - n - 16 smtp
-o smtp_send_xforward_command=yes
-o smtp_enforce_tsl=no
127.0.0.1:10026 inet n - n - 16 smtpd
-o content_filter=
-o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
-o smtpd_helo_restrictions=
-o smtpd_client_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks_style=host
-o smtpd_authorized_xforward_host=127.0.0.1/8

====Valias====
#etc/postfix/valias
postmaster@example.net user1@example.net
hostmaster@example.net user2@example.net
hostmaster@bobo.net user1@example.net
postmaster@bobo.net user2@bobo.net

====Vmap====
#/etc/postfix/vmap
user1@example.net example.net/user1
user2@example.net example.net/user2
@example.net example.net/catchall #everyone else doesn't match rule above

====Transport====
#/etc/postfix/transport
example.net virtual:
bobo.net virtual:
foo.net smtp:1.2.3.4 #send foo.net through this smtp server
* : #everything else go through relayhost rule

Once these files are created you will need to make them into .db files
postmap valias
postmap transport
postmap vmap

===Dovecot===
Dovecot on Alpine will only do imap and imaps services for now.

Most of dovecot is configured already for imap. You may have to gen the key as shown above. Just change the cnf file a little to say something about mail.domainname.

ssl_cert_file = /etc/ssl/dovecot/server.pem
ssl_key_file = /etc/ssl/dovecot/keyfile.pem
mail_location = maildir:/var/spool/vhosts/&d/%n
valid_chroot_dirs = /var/spool/vhosts
passdb passwd-file {
args = /etc/dovecot/passwd
}
userdb passwd-file {
args = /etc/dovecot/users
}
#section for postfix sasl auth
socket listen {
client {
path = /var/spool/postfix/private/auth
user = postfix
group = postfix
mode = 0660
}
}

To generate the passwords you can use the dovecotpw command.
dovecotpw -s MD5-CRYPT

The hash below can be used for the password test123

The /etc/dovecot/passwd file should look like this:
user1@example.net:$1$tz5sbjAD$Wq9.NkSyNo/oElzFgI68.0
user2@example.net:$1$tz5sbjAD$Wq9.NkSyNo/oElzFgI68.0

THe /etc/dovecot/userdb file should look like this:
user1@example.net::1004:1004::/var/spool/vhosts/example.net/:/bin/false::
user2@example.net::1004:1004::/var/spool/vhosts/example.net/:/bin/false::
user@domain::uid : gid of found in virtual_uid_maps::location of maildir:shell::

===Clamsmtpd===
Configure according to instructions [[Protecting your email server with Alpine]]

===Gross===
Configure according to instructions [[Protecting your email server with Alpine]]

===Final Steps ===
Start the services and make sure to rc-update them
rc-service postfix start
rc-update add postfix default

[[Category:Server]]
[[Category:Mail]]

MariaDB

2025-08-20T22:04:52Z

Chocolatine31: Updated names from mysql-named scripts to mariadb-named scripts, since the former will be deprecated in the future.

[https://mariadb.org/ MariaDB] is a community-developed fork of the MySQL relational database management system intended to remain free under the GNU GPL. It is notable for being led by the original developers of MySQL, who forked it due to concerns over its acquisition by Oracle.

== Installation ==

The Alpine Linux repositories no longer include the actual MySQL binaries, installing the <code>mysql-*</code> packages will instead install MariaDB.

Installing <code>mariadb</code> will create the user <code>mysql</code>. When the database is initialized, two users will be added to the database: <code>root</code> and <code>mysql</code>. By default these users will only be accessible if you are logged in as the corresponding system user.

{{Cmd|apk add {{pkg|mariadb|arch=}} {{pkg|mariadb-client|arch=}}}}

Installing the above packages will add the main components of MariaDB to the system: <code>mariadb-cient</code> and <code>mariadb-server</code>. Other available packages are described in the table below, and are listed in order of relevance for a production server.

{| class="wikitable"
|-
! MySQL name package !! Since Alpine: !! Brief usage !! Related package
|-
| {{Pkg|mysql}} || v2 || a transitional package that installs mariadb || mariadb
|-
| {{Pkg|mysql-client}} || v2 || a transitional package that installs the mariadb client tools || mariadb-client
|-
| {{Pkg|mariadb}} || v2 || server equivalent to mysql-server || mariadb-common
|-
| {{Pkg|mariadb-client}} || v2 || connection command line and tools || mariadb-common
|-
| {{Pkg|mariadb-doc}} || v3.0 || manpages for mariadb || man man-pages
|-
| {{Pkg|mariadb-connector-odbc}} || edge || coding or making OS level connections, to any DB without libs install || .
|-
| {{Pkg|mariadb-connector-c}} || v3.8 || coding connection on C sources || mariadb-connector-c-dev
|-
| {{Pkg|mariadb-backup}} || v3.8 || tool for physical online backups, no longer widely used || .
|-
| {{Pkg|mariadb-server-utils}} || v3.8 || server commands not widely used, in past was inside MariaDB package || .
|-
| {{Pkg|mariadb-dev}} || v3.1 || development files for MariaDB || .
|-
| {{Pkg|mariadb-test}} || v3.3 || testing suite from MariaDB tools || .
|-
| {{Pkg|mariadb-mytop}} || v3.9 || data performance monitoring || .
|-
| {{Pkg|mariadb-plugin-rocksdb}} || v3.9 || plain key-value event relational for data || .
|-
| {{Pkg|mariadb-static}} || v3.8 || static libs for static non depends linking in builds || .
|-
| {{Pkg|mariadb-embedded}} || v3.9 || the libmysqld identical interface as the C client || mariadb-embedded-dev
|-
| {{Pkg|mariadb-embedded-dev}} || v3.9 || use the normal mysql.h and link with libmysqld instead of libmysqlclient || mariadb-dev
|-
| {{Pkg|mariadb-openrc}} || v3.8 || separate scripts, in past was embebed on server package || .
|}

== Initialization ==

The version of MariaDB in the Alpine repositories behave like the MySQL tarball. No graphical tools are included.

The ''datadir'' located at {{Path|/var/lib/mysql}} must be owned by the mysql user and group. The location of the ''datadir'' can be changed by editing the <code>mariadb</code> service file in {{Path|/etc/init.d}}. The new location will also need to be set by adding <code><nowiki>datadir=<YOUR_DATADIR></nowiki></code> in the <code>[mysqld]</code> section in a mariadb configuration file.

Normal initialization of mariadb can be done as follows:

# Initialize MySQL Data Directory. <code>mariadb-install-db --user=mysql --datadir=/var/lib/mysql</code>
# Start the main service. At this point there will be no root password set. <code>rc-service mariadb start</code>
# Secure the database by running <code>mariadb-secure-installation</code>
# Setup permissions for managing others users and databases see: '''[[#Configuration|Configuration]]'''
# Add MariaDb to OpenRC. <code>rc-update add mariadb default</code>

== Configuration ==

In order to help with the basic configuration of the database engine, MariaDB provides [https://mariadb.com/kb/en/mariadb-secure-installation/ mariadb-secure-installation].

Many of the reasons for running this script are no longer necessary, since MariaDB has defaulted to Unix socket authentication since MariaDB 10.4.

This script walks you through the basics of securing the database. The options are explained below.

# '''Enter current password for root (enter for none):''' If you have previously set up a root password, provide it here and press enter. If not, just press enter.
# '''Switch to unix_socket authentication [Y/n]''' Setting the root password or using the Unix_socket ensures that only admins can log into engine database. For non-production servers just press "n" to setup a root password, which will give you the response <code>... skipping.</code>
# '''Change the root password? [Y/n]''' Here you can change the root password, or set one if needed. Press "Y" and enter the new password.
# '''Remove anonymous users? [Y/n]''' Remove anonymous users created to log in using socket authentication. Unless you're sure you need this, answer "Y" to remove them.
# '''Disallow root login remotely? [Y/n]''' Normally, root should only be allowed to connect from 'localhost' in order to protect from password sniffing attempts over the network. Answer "Y".
# '''Remove test database and access to it? [Y/n]''' By default, MariaDB comes with a database named 'test' that anyone can access. If this is not needed, answer "Y".
# '''Reload privilege tables now? [Y/n]''' Reloading the privilege tables will ensure that all changes made so far will take effect immediately. Answer "Y".

After the script exits, restart the service with <code>rc-service mariadb restart</code>

To start the database daemon on every boot, run <code>rc-update add mariadb default</code>

=== Configuration files and customization ===

Rather than being stored in {{Path|my.cnf}}, configuration settings for MariaDB are now organized in separate files. The primary configuration is done by adding files to {{Path|/etc/my.cnf.d/}}. User-specific configuration files are stored in {{Path|~/.my.cnf}}. User-specific configuration files are loaded after the system-wide configuration. The locations of the various configuration files are listed below.

{| class="wikitable"
|-
! Config file !! Versions of Alpine !! Contents to configure
|-
| {{Path|/etc/mysql/my.cnf}} || v2 to v3.8 || All the directives, global config file
|-
| {{Path|/etc/my.cnf.d/mariadb-server.cnf}} || since 3.9 || First global config file, main directives
|-
| {{path|$HOME/.my.cnf}} || all || user name only config directives
|}

As previously mentioned, this page describes basic usage of MariaDB. For professional usage, [[MySQL]] should also be referenced.

* The following command will configure the server to accept all incoming connections. This should only be done for development, or if the database is not exposed to the Internet or a sensitive network.

{{Cmd|<nowiki>sed -i "s|.*bind-address\s*=.*|bind-address=0.0.0.0|g" /etc/mysql/my.cnf
sed -i "s|.*bind-address\s*=.*|bind-address=0.0.0.0|g" /etc/my.cnf.d/mariadb-server.cnf
</nowiki>}}

* For simple installations, disabling hostname search can improve performance, but is only useful for local servers.

{{Cmd|<nowiki>sed -i "s|.*skip-networking.*|skip-networking|g" /etc/mysql/my.cnf
sed -i "s|.*skip-networking.*|skip-networking|g" /etc/my.cnf.d/mariadb-server.cnf
</nowiki>}}

== Updating or coming from upgrading ==

When upgrading between Alpine Linux releases, MariaDB may also have a major version change, and the databases should be upgraded to match. The recommended steps in this process are detailed below.

# While it may no longer be strictly necessary, it's useful to backup your databases before upgrading the database version.
# Update Alpine Linux and the MariaDB/MySQL packages.
# Install mariadb-server-utils by running <code>apk add {{pkg|mariadb-server-utils|arch=}}</code>.
# Run <code>mysql_upgrade -u root -p</code> script, and provide the password for the root database user.
# Restart the service by running <code>rc-service mariadb restart</code>.

If <code>mysql_upgrade</code> fails because MySQL cannot start, try running MySQL in safemode with <code>mysqld_safe --datadir=/var/lib/mysql/</code>, and then run <code>mysql_upgrade -u root -p</code> again.

= Create a user =
You may want to create a user with remote access to the database.

Open mariadb Client: <code>mariadb</code>

add the user with associated host and password: <code> CREATE OR REPLACE USER admin@'%' IDENTIFIED BY 'ASecurePassword';</code>

''NB: @'%' allow connection from any host''

This is insufficient to allow remote access. See [https://mariadb.com/kb/en/configuring-mariadb-for-remote-client-access/ Configuring MariaDB for Remote Client Access].

= See Also =

* [[MySQL]]
* [[Production LAMP system: Lighttpd + PHP + MySQL]]

[[Category:Server]]
[[Category:Database]]
[[Category:Development]]
[[Category:Security]]
[[Category:Production]]