Hosting Web/Email services on Alpine: Difference between revisions
= Introduction =
This information was pulled from a few other pages on the Alpine Wiki website (see the links) along with the websites for the particular packages. It is a suggested step-by-step instruction guide.

You might be wondering why anyone would want to run web and email services off a Linux install that runs in RAM. Good question. With Vservers we can run the host in memory and do all sorts of things with the guests: put the guests on DAS in the host machine, or use RAIDed iSCSI for the guest. This way, if your disks start going bad or drop off entirely, you will most likely still be able to get at the data from a running system.

                                          Guest OS here, or
 [Host Alpine Box] --------------------- [DAS]
        |                   |
        |                   |   Guest OS here
        |                   |
      iSCSI               iSCSI
=== Vserver ===
A great install doc can be found here: [[Setting up a basic vserver]]

Notes have been added there on using a guest OS other than Alpine. Take care that the /tmp directory does not appear in fstab for the vserver.

Also remember that you will have to do all firewall configuration from the host machine.

If you are running different versions of Alpine, or don't want to mess with getting the vserver to use a package repository stored on the disk, just point your apks somewhere else:

 vi /etc/apk/apk.conf
 APK_PATH=http://dev.alpinelinux.org/alpine/v1.7/apks
== Web Services ==
There are many HTTP servers out there, and Alpine comes with a few different ones. We will be using lighttpd.

 apk_fetch -u
 apk_get install lighttpd openssl php

Most everything is already taken care of with lighttpd. Make sure to uncomment the SSL options in its configuration:

 ssl.engine = "enable"
 ssl.pemfile = "/etc/lighttpd/server.pem"

 /etc/init.d/lighttpd start

See below for generating the server.pem.

Now you can start using lighttpd and making your own website. Alpine comes with phpBB and mediawiki if you want to use those; you may have to set up an SQL database for them.
=== Generating the server.pem ===
For other services we are also going to be using SSL. An easy way to just start using it is to generate your own self-signed cert. The script and configuration file are taken from the setup-webconf script on Alpine.

ssl.cnf
 [ req ]
 # not used by ssl.sh below, which supplies its own 2048-bit key with -key
 default_bits = 1024
 encrypt_key = yes
 distinguished_name = req_dn
 x509_extensions = cert_type
 prompt = no
 [ req_dn ]
 OU=HTTPS server
 CN=example.net
 emailAddress=postmaster@example.net
 [ cert_type ]
 nsCertType = server

ssl.sh
 #!/bin/sh
 # To have a CA sign the certificate instead, generate a key and a request
 # (the original lists 512/1024 bits; 1024 shown):
 #   openssl genrsa 1024 > server.pem
 #   openssl req -new -key server.pem -days 365 -out request.pem
 # Self-signed certificate valid for ten years. The key is appended to server.pem
 # so that lighttpd's single ssl.pemfile (and the Postfix setting below) works.
 # Current browsers reject SHA-1 signatures; use -sha256 with a newer openssl.
 openssl genrsa 2048 > keyfile.pem
 openssl req -new -x509 -nodes -sha1 -days 3650 -key keyfile.pem \
     -config ssl.cnf > server.pem
 cat keyfile.pem >> server.pem

If you use this to generate the SSL certs for other services you may just change the req_dn information.
== Mail Services ==
Some of the information presented here can also be found on [[Protecting your email server with Alpine]], though that page is for an email gateway.

 apk_get install postfix dovecot clamav clamsmtpd gross
=== Postfix ===
Postfix has a few things that need to be added to its configuration so that it can send email through clamav, and also so that it will accept mail for the hosted domains and users.

==== main.cf ====
 vi /etc/postfix/main.cf

Note that main.cf does not allow trailing comments: everything after the = is taken as the value, so the explanations below are kept on their own lines.

 # /etc/postfix/main.cf
 myhostname = mx.example.net
 mydomain = example.net
 # blank: do DNS lookups for destinations
 relayhost =
 # only used by the local delivery agent; virtual mailboxes live under virtual_mailbox_base
 home_mailbox = Maildir/
 # the way postfix answers
 smtpd_banner = $myhostname ESMTP
 # how to route domains; the example below shows how to host more than one domain
 transport_maps = hash:/etc/postfix/transport
 local_transport = virtual
 # list of hosted domains
 virtual_mailbox_domains = example.net, bobo.net
 virtual_mailbox_base = /var/spool/vhosts
 # uid/gid of the user that reads and writes the mail
 virtual_uid_maps = static:1004
 virtual_gid_maps = static:1004
 # aliases for each hosted domain, see below
 virtual_alias_maps = hash:/etc/postfix/valias
 # where and to which mailbox to deliver, see below
 virtual_mailbox_maps = hash:/etc/postfix/vmap
 smtpd_helo_required = yes
 disable_vrfy_command = yes
 # clamsmtpd, configured later
 content_filter = scan:[127.0.0.1]:10025
 # reject_unauth_destination must come before the policy service and the final permit,
 # otherwise the server relays for anyone
 smtpd_recipient_restrictions = reject_unauth_pipelining, permit_sasl_authenticated,
     permit_mynetworks, reject_invalid_hostname, reject_non_fqdn_hostname,
     reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain,
     reject_unknown_recipient_domain, reject_unauth_destination,
     check_policy_service inet:127.0.0.1:5525, permit
 smtpd_data_restrictions = reject_unauth_pipelining, permit
 smtpd_sasl_auth_enable = yes
 broken_sasl_auth_clients = yes
 smtpd_sasl_type = dovecot
 smtpd_sasl_path = private/auth
 # the certificate is only offered once TLS itself is enabled as well
 # (smtpd_tls_security_level = may, or smtpd_use_tls = yes on older releases)
 smtpd_tls_cert_file = /etc/ssl/postfix/server.pem
 smtpd_tls_key_file = $smtpd_tls_cert_file
==== master.cf ====
Settings in master.cf for virus/spam scanning. Add these to the end of the file; they are similar to those found in [[Protecting your email server with Alpine]]. The -o lines must be indented, since they continue the service entry above them.

 scan      unix  -       -       n       -       16      smtp
     -o smtp_send_xforward_command=yes
     -o smtp_enforce_tls=no
 127.0.0.1:10026 inet n  -       n       -       16      smtpd
     -o content_filter=
     -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
     -o smtpd_helo_restrictions=
     -o smtpd_client_restrictions=
     -o smtpd_sender_restrictions=
     -o smtpd_recipient_restrictions=permit_mynetworks,reject
     -o mynetworks_style=host
     -o smtpd_authorized_xforward_hosts=127.0.0.0/8
==== valias ====
 # /etc/postfix/valias
 postmaster@example.net   user1@example.net
 hostmaster@example.net   user2@example.net
 hostmaster@bobo.net      user1@example.net
 postmaster@bobo.net      user2@bobo.net

==== vmap ====
 # /etc/postfix/vmap
 user1@example.net        example.net/user1
 user2@example.net        example.net/user2
 # everyone else who doesn't match a rule above
 @example.net             example.net/catchall

==== transport ====
 # /etc/postfix/transport
 example.net   virtual:
 bobo.net      virtual:
 # send foo.net through this smtp server
 foo.net       smtp:1.2.3.4
 # everything else goes through the relayhost rule
 *             :

Lookup tables accept # comments only at the start of a line; a trailing comment would become part of the value. Once these files are created you will need to turn them into .db files:

 postmap valias
 postmap transport
 postmap vmap
=== Dovecot ===
Dovecot on Alpine will only do imap and imaps services for now.

Most of dovecot is configured already for imap. You may have to generate the key as shown above; just change the cnf file a little to say something about mail.domainname.

 ssl_cert_file = /etc/ssl/dovecot/server.pem
 ssl_key_file = /etc/ssl/dovecot/key.pem
 # %d is the domain part of the login name, %n the user part
 mail_location = maildir:/var/spool/vhosts/%d/%n
 valid_chroot_dirs = /var/spool/vhosts
 # in dovecot 1.x the passdb, userdb and socket listen sections all go inside auth default { }
 passdb passwd-file {
   args = /etc/dovecot/passwd
 }
 userdb passwd-file {
   args = /etc/dovecot/users
 }
 # section for postfix sasl auth
 socket listen {
   client {
     path = /var/spool/postfix/private/auth
     user = postfix
     group = postfix
     mode = 0660
   }
 }

To generate the passwords you can use the dovecotpw command:

 dovecotpw -s MD5-CRYPT

The hash below can be used for the password test123.

The /etc/dovecot/passwd file should look like this:

 user1@example.net:$1$tz5sbjAD$Wq9.NkSyNo/oElzFgI68.0
 user2@example.net:$1$tz5sbjAD$Wq9.NkSyNo/oElzFgI68.0

The /etc/dovecot/users file (the userdb named above) should look like this:

 user1@example.net::1004:1004::/var/spool/vhosts/example.net/:/bin/false::
 user2@example.net::1004:1004::/var/spool/vhosts/example.net/:/bin/false::

The fields are user@domain, password (empty, since the passdb file supplies it), the uid and gid from virtual_uid_maps and virtual_gid_maps, an unused gecos field, the location of the maildir, the shell, and two unused trailing fields:

 user@domain:password:uid:gid:gecos:home:shell::
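The Postfix virtual tables and the Dovecot passwd-file users above have to agree with each other, and nothing in the guide checks that they do. The following script is an added example, not part of the original page: it parses copies of this page's tables (constructed inline, comments removed) and reports alias targets that have no mailbox and mailboxes that have no matching Dovecot login with the expected uid, gid and home. Run on the tables as written, it flags postmaster@bobo.net, whose target user2@bobo.net appears in neither vmap nor a @bobo.net catch-all, so Postfix would reject mail for it as "User unknown in virtual mailbox table".

```python
# Constructed from the tables in this guide, with the inline comments removed.
MAIN_CF = """virtual_mailbox_domains = example.net, bobo.net
virtual_uid_maps = static:1004
virtual_gid_maps = static:1004
virtual_mailbox_base = /var/spool/vhosts"""
VALIAS = """postmaster@example.net user1@example.net
hostmaster@example.net user2@example.net
hostmaster@bobo.net user1@example.net
postmaster@bobo.net user2@bobo.net"""
VMAP = """user1@example.net example.net/user1
user2@example.net example.net/user2
@example.net example.net/catchall"""
USERS = """user1@example.net::1004:1004::/var/spool/vhosts/example.net/:/bin/false::
user2@example.net::1004:1004::/var/spool/vhosts/example.net/:/bin/false::"""

def parse_table(text):
    """Postfix lookup table: 'key value' per line; '#' starts a comment only at line start."""
    rows = (l.split(None, 1) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#"))
    return {k: v.strip() for k, v in rows}

def parse_main_cf(text):
    """main.cf has no trailing comments either: everything after '=' is the value."""
    return {k.strip(): v.strip() for k, v in
            (line.split("=", 1) for line in text.splitlines() if "=" in line)}

def has_mailbox(addr, vmap):
    """Postfix looks up the full address first, then the @domain catch-all."""
    return addr in vmap or "@" + addr.split("@", 1)[1] in vmap

def check_aliases(cf, valias, vmap):
    """Alias targets in a hosted domain without a mailbox: Postfix rejects mail for
    them with 'User unknown in virtual mailbox table'."""
    hosted = [d.strip() for d in cf["virtual_mailbox_domains"].split(",")]
    return [f"{src} -> {dst}" for src, dst in valias.items()
            if dst.split("@", 1)[1] in hosted and not has_mailbox(dst, vmap)]

def check_dovecot_users(cf, vmap, users_text):
    """Each real mailbox needs a passwd-file login with the static uid/gid and a home under virtual_mailbox_base."""
    want = tuple(cf[k].split(":")[1] for k in ("virtual_uid_maps", "virtual_gid_maps"))
    base = cf["virtual_mailbox_base"].rstrip("/") + "/"
    users = {f[0]: (f[2], f[3], f[5]) for f in  # user:pw:uid:gid:gecos:home:shell:extra
             (line.split(":") for line in users_text.splitlines() if line.strip())}
    bad = []
    for addr in (a for a in vmap if not a.startswith("@")):  # catch-all is not a login
        u = users.get(addr)
        if u is None or u[:2] != want or not u[2].startswith(base):
            bad.append(addr)
    return bad
```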
=== Clamsmtpd ===
Configure according to the instructions in [[Protecting your email server with Alpine]].

=== Gross ===
Configure according to the instructions in [[Protecting your email server with Alpine]].

=== Final Steps ===
Start the services and make sure to rc_add them:

 /etc/init.d/postfix start
 rc_add -k postfix
Revision as of 20:19, 25 June 2008