Hosting Web/Email services on Alpine: Difference between revisions

From Alpine Linux
(replace /etc/init.d with rc-service)
 
(5 intermediate revisions by 3 users not shown)
Line 1: Line 1:
{{Merge|Hosting services on Alpine}}
= Introduction =
= Introduction =


Line 6: Line 8:
    
    
                     Guest OS here or
                     Guest OS here or
[Host Alpine Box] --------------------- [DAS]
[Host Alpine Box] --------------------- [DAS]
     |    |
     |    |
     |    |Guest OS here
     |    |Guest OS here
     |    |
     |    |
   iSCSI  iSCSI  
   iSCSI  iSCSI  
=== Vserver ===
A great install doc can be found here. [[Setting up a basic vserver]]
Notes have been added to use guest OS other than Alpine. Take care to make sure that the /tmp directory is not being found in fstab for the vserver.
Also remember that you will have to do all Firewall configuration from the Host machine.
If you are running different versions of alpine or don't want to mess with getting the vserver to use a package stored on the Disk just point your apks to somewhere else.
vi /etc/apk/apk.conf
  APK_PATH=http://dev.alpinelinux.org/alpine/v1.7/apks


== Web Services ==
== Web Services ==
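Review bot: dropping the entire Vserver subsection leaves the Introduction's host-in-RAM / guests-on-DAS-or-iSCSI rationale and its ASCII diagram with no pointer to how the guests are actually set up; keep at least the link line `A great install doc can be found here. [[Setting up a basic vserver]]`, or move it into the Introduction. Nothing else on the page depends on the removed `APK_PATH=http://dev.alpinelinux.org/alpine/v1.7/apks` line, so that part of the removal is safe.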
Line 34: Line 24:
  ssl.pemfile = "/etc/lighttpd/server.pem"
  ssl.pemfile = "/etc/lighttpd/server.pem"


  /etc/init.d/lighttpd start
  rc-service lighttpd start
See below for generating the server.pem
See below for generating the server.pem
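Review bot: `rc-service lighttpd start` is the correct OpenRC invocation, but with `ssl.engine`/`ssl.pemfile` uncommented lighttpd will not start until `/etc/lighttpd/server.pem` exists, and the text only says "See below for generating the server.pem" after the start command; either reorder so the certificate is generated before the service is started, or say explicitly that the start will fail until it is.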


Line 45: Line 35:
For other services we are also going to be using ssl. An easy way to just start using it is generating your own self sign cert. Script and Configuration file taken from setup-webconf script on Alpine.
For other services we are also going to be using ssl. An easy way to just start using it is generating your own self sign cert. Script and Configuration file taken from setup-webconf script on Alpine.


ssl.cnf
ssl.cnf
  [ req ]
  [ req ]
  default_bits = 1024
  default_bits = 1024
Line 52: Line 42:
  x509_extensions = cert_type
  x509_extensions = cert_type
  prompt = no
  prompt = no
  [ req_dn ]
  [ req_dn ]
  OU=HTTPS server
  OU=HTTPS server
  CN=example.net
  CN=example.net
  emailAddress=postmaster@example.net
  emailAddress=postmaster@example.net
  [ cert_type ]
  [ cert_type ]
  nsCertType = server
  nsCertType = server


ssl.sh
ssl.sh
  #/bin/sh
  #/bin/sh
  openssl genrsa 512/1024 >server.pem
  openssl genrsa 512/1024 >server.pem
  openssl req -new -key server.pem -days 365 -out request.pem
  openssl req -new -key server.pem -days 365 -out request.pem
  openssl genrsa 2048 > keyfile.pem
  openssl genrsa 2048 > keyfile.pem
  openssl req -new -x509 -nodes -sha1 -days 3650 -key keyfile.pem \
  openssl req -new -x509 -nodes -sha1 -days 3650 -key keyfile.pem \
  -config ssl.cnf > server.pem
  -config ssl.cnf > server.pem
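Review bot: the unchanged ssl.sh lines in this hunk still carry two defects worth fixing while the page is being touched: `#/bin/sh` lacks the `!` of a shebang, and `openssl genrsa 512/1024 >server.pem` is not a valid key size (genrsa takes one number), so the first two commands fail or leave a `request.pem` that nothing uses before `server.pem` is overwritten by the later `req -x509`. Writing `#!/bin/sh` and dropping those two lines leaves the script doing exactly what the text describes; `-sha1` and `default_bits = 1024` are also below what current clients accept.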
Line 88: Line 72:


====Main.cf====
====Main.cf====
vi /etc/postfix/main.cf
vi /etc/postfix/main.cf
  #/etc/postfix/main.cf
  #/etc/postfix/main.cf
  myhostname = mx.example.net
  myhostname = mx.example.net
Line 106: Line 90:
  disable_vrfy_command = yes
  disable_vrfy_command = yes
  content_filter = scan:[127.0.0.1]:10025 # clamscan to be configured later
  content_filter = scan:[127.0.0.1]:10025 # clamscan to be configured later
  smtpd_recipient_restrictions = reject_unauth_pipelining, permit_sasl_authenticated,permit_mynetworks,reject_invalid_hostname, reject_non_fqdn_hostname,reject_non_fqdn_sender, reject_non_fqdn_recipient,reject_unknown_sender_domain, reject_unknown_recipient_domain,reject_unauth_destination,
  smtpd_recipient_restrictions = reject_unauth_pipelining, permit_sasl_authenticated,permit_mynetworks,reject_invalid_hostname, reject_non_fqdn_hostname,reject_non_fqdn_sender, reject_non_fqdn_recipient,reject_unknown_sender_domain, reject_unknown_recipient_domain,reject_unauth_destination, check_policy_service inet:127.0.0.1:5525,permit
check_policy_service inet:127.0.0.1:5525,permit
  smtpd_data_restrictions = reject_unauth_pipelining, permit
  smtpd_data_restrictions = reject_unauth_pipelining, permit
  smtpd_sasl_auth_enable = yes
  smtpd_sasl_auth_enable = yes
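Review bot: joining the continuation onto the single `smtpd_recipient_restrictions` line is the right fix: the old second line `check_policy_service inet:127.0.0.1:5525,permit` started in column 1, so Postfix would have parsed it as a separate (invalid) parameter rather than a continuation, which needs leading whitespace. The trailing `# clamscan to be configured later` on the `content_filter` line in the same hunk has the same class of problem: main.cf has no inline comments, so the `#...` text becomes part of the value; move it onto its own line.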
Line 113: Line 96:
  smtpd_sasl_type = dovecot
  smtpd_sasl_type = dovecot
  smtpd_sasl_path = private/auth
  smtpd_sasl_path = private/auth
  smtpd_tls_cert_file = /etc/ssl/postfix/server.pem
  smtpd_tls_cert_file = /etc/ssl/postfix/server.pem
  smtpd_tls_key_file = $smtpd_tls_cert_file
  smtpd_tls_key_file = $smtpd_tls_cert_file
Line 166: Line 148:
   
   
  ssl_cert_file = /etc/ssl/dovecot/server.pem
  ssl_cert_file = /etc/ssl/dovecot/server.pem
  ssl_cert_file = /etc/ssl/dovecot/key.pem
  ssl_key_file = /etc/ssl/dovecot/keyfile.pem
 
  mail_location = maildir:/var/spool/vhosts/&d/%n
  mail_location = maildir:/var/spool/vhosts/&d/%n
  valid_chroot_dirs = /var/spool/vhosts
  valid_chroot_dirs = /var/spool/vhosts
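Review bot: the corrected `ssl_key_file` line fixes a real bug: the old file set `ssl_cert_file` twice, so the second assignment (`key.pem`) overrode the certificate path and no key was configured at all. One more thing in the unchanged context: `mail_location = maildir:/var/spool/vhosts/&d/%n` uses `&d`, but Dovecot's domain variable is `%d`, so the path should read `.../vhosts/%d/%n` to match the `example.net/user1` layout used in vmap.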
Line 208: Line 189:
===Final Steps ===
===Final Steps ===
Start the services and make sure to rc_add them
Start the services and make sure to rc_add them
  /etc/init.d/postfix start
  rc-service postfix start
  rc_add -k postfix
  rc_add -k postfix
[[Category:Server]]
[[Category:Mail]]
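Review bot: `rc-service postfix start` matches the edit summary, but `rc_add -k postfix` on the next line is the legacy Alpine 1.x command, so the hunk now mixes two generations of tooling; the OpenRC equivalent is `rc-update add postfix default`. The step also only starts postfix, while the page installs dovecot, clamsmtpd and gross as well, so either list those services here or say that the same two commands are repeated for each of them.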

Latest revision as of 10:06, 17 November 2023

This material is proposed for merging ...

It should be merged with Hosting services on Alpine. (Discuss)

Introduction

This information was pulled from a few other pages on the Alpine Wiki (see the links) and from the websites of the packages involved. It is a suggested step-by-step guide.

You might be wondering why anyone would want to run web and email services off a Linux install that runs in RAM. Good question. With Vservers we can run the host in memory and do all sorts of things with the guests: put the guests on DAS in the host machine, or use RAIDed iSCSI for the guests. This way, if your disks start going bad or drop off entirely, you will most likely still be able to get at the data from a running system.

                    Guest OS here or
[Host Alpine Box] --------------------- [DAS]
    |    |
    |    |Guest OS here
    |    |
  iSCSI  iSCSI 

Web Services

There are many HTTP servers out there, and Alpine packages a few of them. For this guide we installed lighttpd.

apk_fetch -u
apk_get install lighttpd openssl php

Most of the lighttpd configuration is already taken care of. Make sure to uncomment the SSL options:

ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/server.pem"

and then start the service:

rc-service lighttpd start

See below for generating the server.pem

Now you can start using lighttpd and build your own website. Alpine comes with phpBB and MediaWiki if you want to use those; they may need an SQL database. The place to put your pages is:

/var/www/localhost/htdocs/

By default lighttpd follows symlinks, so if your pages live somewhere else you can simply symlink that directory into the document root:

ln -s /home/user/htdocs /var/www/localhost/htdocs/user

Generating the Server.pem

For the other services we are also going to be using SSL. An easy way to get started is to generate your own self-signed certificate. The script and configuration file are taken from the setup-webconf script on Alpine.

ssl.cnf

[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no
[ req_dn ]
OU=HTTPS server
CN=example.net
emailAddress=postmaster@example.net
[ cert_type ]
nsCertType = server

ssl.sh

#!/bin/sh
# Generate a 2048-bit RSA key, then a self-signed certificate from ssl.cnf.
# -sha1 is no longer accepted by current clients, so sha256 is used here.
openssl genrsa 2048 > keyfile.pem
openssl req -new -x509 -nodes -sha256 -days 3650 -key keyfile.pem \
-config ssl.cnf > server.pem
# server.pem must also carry the key: lighttpd and postfix read both from it
cat keyfile.pem >> server.pem
# both files now contain the private key, so keep them readable by root only
chmod 600 keyfile.pem server.pem

If you use this to generate the SSL certificates for other services, you only need to change the req_dn information.

Mail Services

Some of the information presented here can also be found in Protecting your email server with Alpine, though that page is for an email gateway.


apk_get install postfix dovecot clamav clamsmtpd gross

Postfix

Postfix needs a few additions to its configuration so that it routes email through clamav and accepts mail for the hosted domains and users.

Main.cf

vi /etc/postfix/main.cf

# /etc/postfix/main.cf
# Postfix does not support comments after a value on the same line,
# so every comment below sits on a line of its own.
myhostname = mx.example.net
mydomain = example.net
# blank: do DNS lookups for destinations
relayhost =
# Maildir under the home directory (only matters for local(8) delivery)
home_mailbox = Maildir/
# the way postfix answers
smtpd_banner = $myhostname ESMTP
# where to add how you want to route domains; see the transport example
# below, which shows how to host more than one domain
transport_maps = hash:/etc/postfix/transport
local_transport = virtual
# list of hosted domains
virtual_mailbox_domains = example.net, bobo.net
virtual_mailbox_base = /var/spool/vhosts
# uid and gid of the user used to read/write mail
virtual_uid_maps = static:1004
virtual_gid_maps = static:1004
# aliases for each hosted domain; see below
virtual_alias_maps = hash:/etc/postfix/valias
# where and into which mailbox to drop the mail; see below
virtual_mailbox_maps = hash:/etc/postfix/vmap
smtpd_helo_required = yes
disable_vrfy_command = yes
# clamscan, to be configured later (see master.cf)
content_filter = scan:[127.0.0.1]:10025
# continuation lines must start with whitespace
smtpd_recipient_restrictions =
    reject_unauth_pipelining,
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_unauth_destination,
    check_policy_service inet:127.0.0.1:5525,
    permit
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_tls_cert_file = /etc/ssl/postfix/server.pem
# server.pem also holds the key (see ssl.sh), so it must stay readable by root only
smtpd_tls_key_file = $smtpd_tls_cert_file


Master.cf

Settings in master.cf for virus/spam scanning. Add these to the end of the file; they are similar to those found in Protecting your email server with Alpine.

# scan: hands mail to the filter on 10025 (content_filter in main.cf);
# 10026 takes it back with content_filter empty so it is not scanned again
scan    unix    -       -       n       -       16      smtp
        -o smtp_send_xforward_command=yes
        -o smtp_enforce_tls=no
127.0.0.1:10026 inet    n       -       n       -       16      smtpd
        -o content_filter=
        -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
        -o smtpd_helo_restrictions=
        -o smtpd_client_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o mynetworks_style=host
        -o smtpd_authorized_xforward_hosts=127.0.0.1/8


Valias

# /etc/postfix/valias
postmaster@example.net user1@example.net
hostmaster@example.net user2@example.net
hostmaster@bobo.net    user1@example.net
postmaster@bobo.net    user2@bobo.net

Vmap

# /etc/postfix/vmap
# a trailing slash makes postfix deliver in Maildir format, which is
# what the Dovecot mail_location below expects
user1@example.net      example.net/user1/
user2@example.net      example.net/user2/
# everyone else at example.net who did not match a rule above
@example.net           example.net/catchall/

Transport

# /etc/postfix/transport
example.net      virtual:
bobo.net         virtual:
# send foo.net through this smtp server
foo.net          smtp:1.2.3.4
# everything else goes through the relayhost rule
*                :

Once these files are created you will need to turn them into .db files with postmap:

postmap valias
postmap transport
postmap vmap
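The three tables above only make sense together at delivery time, so it helps to see the order in which Postfix applies them: virtual_alias_maps is expanded first (repeatedly, in cleanup), then the final address is looked up in virtual_mailbox_maps (exact address before the @domain catch-all) when its domain is in virtual_mailbox_domains, otherwise transport_maps decides where it goes. The Python below is an added example written for this page, not code from the Alpine wiki or from Postfix; the map text is a constructed copy of the page's valias, vmap and transport files (comments on their own lines, as postmap requires), and `route()` and its result keys are names of this example. Run on the page's own data it also shows something worth knowing: postmaster@bobo.net is aliased to user2@bobo.net, which has no vmap entry and no @bobo.net catch-all, so Postfix would bounce it as an unknown user.

```python
"""Resolve a recipient the way Postfix applies this page's three maps.

Added example, not code from the Alpine wiki or from Postfix. The map text
is a constructed copy of the page's files; route() and its result keys are
this example's own names.
"""

# Constructed copies of the page's map files. Comments sit on their own
# lines because postmap takes the rest of a line as the value.
VALIAS = """\
# /etc/postfix/valias
postmaster@example.net user1@example.net
hostmaster@example.net user2@example.net
hostmaster@bobo.net    user1@example.net
postmaster@bobo.net    user2@bobo.net
"""

VMAP = """\
# /etc/postfix/vmap (trailing slash = Maildir, matching Dovecot's mail_location)
user1@example.net      example.net/user1/
user2@example.net      example.net/user2/
# everyone else at example.net who matched no rule above
@example.net           example.net/catchall/
"""

TRANSPORT = """\
# /etc/postfix/transport
example.net      virtual:
bobo.net         virtual:
foo.net          smtp:1.2.3.4
*                :
"""

# From the page's main.cf.
VIRTUAL_MAILBOX_DOMAINS = {"example.net", "bobo.net"}
VIRTUAL_MAILBOX_BASE = "/var/spool/vhosts"
ALIAS_RECURSION_LIMIT = 1000   # Postfix default virtual_alias_recursion_limit


def parse_map(text):
    """postmap input: 'key whitespace value' per line; '#' lines and blanks skipped."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        table[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return table


def lookup(table, address):
    """virtual(5) lookup order for user@domain: full address, then '@domain'."""
    if address in table:
        return table[address]
    return table.get("@" + address.rpartition("@")[2])


def expand_aliases(address, aliases):
    """Apply virtual_alias_maps until nothing matches, as cleanup(8) does.
    The page maps each alias to one address, so address lists are not handled."""
    for _ in range(ALIAS_RECURSION_LIMIT):
        target = lookup(aliases, address)
        if target is None:
            return address
        address = target
    raise RuntimeError("alias recursion limit reached at %s" % address)


def route(recipient):
    """Describe what Postfix does with a recipient after smtpd accepted it:
    status 'deliver' (virtual mailbox found), 'bounce' (virtual domain but no
    mailbox: 'User unknown in virtual mailbox table') or 'relay'."""
    aliases, mailboxes, transports = map(parse_map, (VALIAS, VMAP, TRANSPORT))
    final = expand_aliases(recipient, aliases)
    domain = final.rpartition("@")[2]
    # transport(5): exact domain, then the '*' wildcard (the user@domain and
    # .parent-domain forms, which the page does not use, are omitted)
    transport = transports.get(domain, transports.get("*", ""))
    result = {"recipient": recipient, "final": final, "transport": transport,
              "path": None, "format": None}
    if domain not in VIRTUAL_MAILBOX_DOMAINS:
        result["status"] = "relay"
        return result
    mailbox = lookup(mailboxes, final)
    if mailbox is None:
        result["status"] = "bounce"
        return result
    result["status"] = "deliver"
    result["path"] = VIRTUAL_MAILBOX_BASE + "/" + mailbox
    result["format"] = "maildir" if mailbox.endswith("/") else "mbox"
    return result


if __name__ == "__main__":
    for rcpt in ("postmaster@example.net", "nobody@example.net",
                 "hostmaster@bobo.net", "postmaster@bobo.net",
                 "bob@foo.net", "someone@elsewhere.org"):
        r = route(rcpt)
        print("%-24s -> %-8s %s  %s" % (rcpt, r["status"], r["final"],
                                        r["path"] or r["transport"]))
```

The `format` key is the reason the vmap copy above ends each mailbox with a slash: Postfix delivers to a path ending in `/` as a Maildir and to any other path as an mbox file, and only the Maildir layout matches the `maildir:` mail_location that Dovecot is given later on this page.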

Dovecot

Dovecot on Alpine will only do imap and imaps services for now.

Most of Dovecot is already configured for IMAP. You may have to generate the key and certificate as shown above; just change the CN in the cnf file to the mail hostname (mail.domainname).

ssl_cert_file = /etc/ssl/dovecot/server.pem
ssl_key_file = /etc/ssl/dovecot/keyfile.pem
# %d is the domain part and %n the user part of the login name
mail_location = maildir:/var/spool/vhosts/%d/%n
valid_chroot_dirs = /var/spool/vhosts
passdb passwd-file {
  args = /etc/dovecot/passwd
}
userdb passwd-file {
  args = /etc/dovecot/users
}
# section for postfix sasl auth
socket listen {
  client {
    path = /var/spool/postfix/private/auth
    user = postfix
    group = postfix
    mode = 0660
  }
}

To generate the passwords you can use the dovecotpw command.

dovecotpw -s MD5-CRYPT 

The hash below can be used for the password test123

The /etc/dovecot/passwd file should look like this:

user1@example.net:$1$tz5sbjAD$Wq9.NkSyNo/oElzFgI68.0
user2@example.net:$1$tz5sbjAD$Wq9.NkSyNo/oElzFgI68.0

The /etc/dovecot/users file (the path named in the userdb args above) should look like this:

user1@example.net::1004:1004::/var/spool/vhosts/example.net/:/bin/false::
user2@example.net::1004:1004::/var/spool/vhosts/example.net/:/bin/false::

The fields are user@domain::uid:gid::home directory:shell::, where uid and gid are the values from virtual_uid_maps and virtual_gid_maps, the home directory is the location of the maildir, and the shell is given as /bin/false.

Clamsmtpd

Configure according to the instructions in Protecting your email server with Alpine.

Gross

Configure according to the instructions in Protecting your email server with Alpine.

Final Steps

Start the services and make sure to add them to the boot sequence with rc_add:

rc-service postfix start
rc_add -k postfix