Cheap VPS & Xen Server

Residential Proxy Network - Hourly & Monthly Packages

The Perfect Server – Ubuntu 12.04 LTS (Apache2, BIND, Dovecot, ISPConfig 3)


This tutorial shows how to prepare an Ubuntu 12.04 LTS (Precise Pangolin) server (with Apache2, BIND, Dovecot) for the installation of ISPConfig 3, and how to install ISPConfig 3. ISPConfig 3 is a webhosting control panel that allows you to configure the following services through a web browser: Apache or nginx web server, Postfix mail server, Courier or Dovecot IMAP/POP3 server, MySQL, BIND or MyDNS nameserver, PureFTPd, SpamAssassin, ClamAV, and many more. This setup covers Apache (instead of nginx), BIND (instead of MyDNS), and Dovecot (instead of Courier).

Please note that this setup does not work for ISPConfig 2! It is valid for ISPConfig 3 only!

I do not issue any guarantee that this will work for you!

 

1 Requirements

To install such a system you will need the following:

  • the Ubuntu 12.04 LTS server CD, available here: http://releases.ubuntu.com/releases/12.04/ubuntu-12.04-server-i386.iso (i386) or http://releases.ubuntu.com/releases/12.04/ubuntu-12.04-server-amd64.iso (x86_64)
  • a fast Internet connection.

 

2 Preliminary Note

In this tutorial I use the hostname server1.example.com with the IP address 192.168.0.100 and the gateway 192.168.0.1. These settings might differ for you, so you have to replace them where appropriate.

 

3 The Base System

Insert your Ubuntu install CD into your system and boot from it. Select your language:

1

Then select Install Ubuntu Server:

2

Choose your language again (?):

3

Then select your location:

4

5

6

If you’ve selected an uncommon combination of language and location (like English as the language and Germany as the location, as in my case), the installer might tell you that there is no locale defined for this combination; in this case you have to select the locale manually. I select en_US.UTF-8 here:

7

Choose a keyboard layout (you will be asked to press a few keys, and the installer will try to detect your keyboard layout based on the keys you pressed):

8

9

The installer checks the installation CD, your hardware, and configures the network with DHCP if there is a DHCP server in the network:

10

11

Enter the hostname. In this example, my system is called server1.example.com, so I enter server1:

12

Create a user, for example the user Administrator with the user name administrator (don’t use the user name admin as it is a reserved name on Ubuntu 12.04):

13

14

15

16

I don’t need an encrypted private directory, so I choose No here:

17

Please check if the installer detected your time zone correctly. If so, select Yes, otherwise No:

18

Now you have to partition your hard disk. For simplicity’s sake I select Guided – use entire disk and set up LVM – this will create one volume group with two logical volumes, one for the / file system and another one for swap (of course, the partitioning is totally up to you – if you know what you’re doing, you can also set up your partitions manually).

19

Select the disk that you want to partition:

20

When you’re asked Write the changes to disks and configure LVM?, select Yes:

21

If you have selected Guided – use entire disk and set up LVM, the partitioner will create one big volume group that uses all the disk space. You can now specify how much of that disk space should be used by the logical volumes for / and swap. It makes sense to leave some space unused so that you can later on expand your existing logical volumes or create new ones – this gives you more flexibility.

22

When you’re finished, hit Yes when you’re asked Write the changes to disks?:

23

Afterwards, your new partitions are being created and formatted:

24

Now the base system is being installed:

25

Next the package manager apt gets configured. Leave the HTTP proxy line empty unless you’re using a proxy server to connect to the Internet:

27

28

I’m a little bit old-fashioned and like to update my servers manually to have more control, therefore I select No automatic updates. Of course, it’s up to you what you select here:

30

We need a DNS, mail, and LAMP server, but nevertheless I don’t select any of them now because I like to have full control over what gets installed on my system. We will install the needed packages manually later on. The only item I select here is OpenSSH server so that I can immediately connect to the system with an SSH client such as PuTTY after the installation has finished:

31

The installation continues:

32

The GRUB boot loader gets installed:

33

Select Yes when you are asked Install the GRUB boot loader to the master boot record?:

34

The base system installation is now finished. Remove the installation CD from the CD drive and hit Continue to reboot the system:

35

On to the next step…

4 Get root Privileges

After the reboot you can login with your previously created username (e.g. administrator). Because we must run all the steps from this tutorial with root privileges, we can either prepend all commands in this tutorial with the string sudo, or we become root right now by typing

sudo su

(You can as well enable the root login by running

sudo passwd root

and giving root a password. You can then directly log in as root, but this is frowned upon by the Ubuntu developers and community for various reasons. See http://ubuntuforums.org/showthread.php?t=765414.)

5 Install The SSH Server (Optional)

If you did not install the OpenSSH server during the system installation, you can do it now:

apt-get install ssh openssh-server

From now on you can use an SSH client such as PuTTY and connect from your workstation to your Ubuntu 12.04 server and follow the remaining steps from this tutorial.

 

6 Install vim-nox (Optional)

I’ll use vi as my text editor in this tutorial. The default vi program has some strange behaviour on Ubuntu and Debian; to fix this, we install vim-nox:

apt-get install vim-nox

(You don’t have to do this if you use a different text editor such as joe or nano.)

 

7 Configure The Network

Because the Ubuntu installer has configured our system to get its network settings via DHCP, we have to change that now because a server should have a static IP address. Edit /etc/network/interfaces and adjust it to your needs (in this example setup I will use the IP address 192.168.0.100 and the DNS servers 8.8.8.8 and 8.8.4.4 – starting with Ubuntu 12.04, you cannot edit /etc/resolv.conf directly anymore, but have to specify your nameservers in your network configuration – see

man resolvconf

for more details):

vi /etc/network/interfaces

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
        address 192.168.0.100
        netmask 255.255.255.0
        network 192.168.0.0
        broadcast 192.168.0.255
        gateway 192.168.0.1
        dns-nameservers 8.8.8.8 8.8.4.4

Then restart your network:

/etc/init.d/networking restart

Then edit /etc/hosts. Make it look like this:

vi /etc/hosts

127.0.0.1       localhost.localdomain   localhost
192.168.0.100   server1.example.com     server1

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Now run

echo server1.example.com > /etc/hostname
/etc/init.d/hostname restart

Afterwards, run

hostname
hostname -f

Both should show server1.example.com now.

 

8 Edit /etc/apt/sources.list And Update Your Linux Installation

Edit /etc/apt/sources.list. Comment out or remove the installation CD from the file and make sure that the universe and multiverse repositories are enabled. It should look like this:

vi /etc/apt/sources.list

#

# deb cdrom:[Ubuntu-Server 12.04 LTS _Precise Pangolin_ - Release amd64 (20120424.1)]/ dists/precise/main/binary-i386/
# deb cdrom:[Ubuntu-Server 12.04 LTS _Precise Pangolin_ - Release amd64 (20120424.1)]/ dists/precise/restricted/binary-i386/
# deb cdrom:[Ubuntu-Server 12.04 LTS _Precise Pangolin_ - Release amd64 (20120424.1)]/ precise main restricted

#deb cdrom:[Ubuntu-Server 12.04 LTS _Precise Pangolin_ - Release amd64 (20120424.1)]/ dists/precise/main/binary-i386/
#deb cdrom:[Ubuntu-Server 12.04 LTS _Precise Pangolin_ - Release amd64 (20120424.1)]/ dists/precise/restricted/binary-i386/
#deb cdrom:[Ubuntu-Server 12.04 LTS _Precise Pangolin_ - Release amd64 (20120424.1)]/ precise main restricted

# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
# newer versions of the distribution.
deb http://de.archive.ubuntu.com/ubuntu/ precise main restricted
deb-src http://de.archive.ubuntu.com/ubuntu/ precise main restricted

## Major bug fix updates produced after the final release of the
## distribution.
deb http://de.archive.ubuntu.com/ubuntu/ precise-updates main restricted
deb-src http://de.archive.ubuntu.com/ubuntu/ precise-updates main restricted

## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team. Also, please note that software in universe WILL NOT receive any
## review or updates from the Ubuntu security team.
deb http://de.archive.ubuntu.com/ubuntu/ precise universe
deb-src http://de.archive.ubuntu.com/ubuntu/ precise universe
deb http://de.archive.ubuntu.com/ubuntu/ precise-updates universe
deb-src http://de.archive.ubuntu.com/ubuntu/ precise-updates universe

## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in
## multiverse WILL NOT receive any review or updates from the Ubuntu
## security team.
deb http://de.archive.ubuntu.com/ubuntu/ precise multiverse
deb-src http://de.archive.ubuntu.com/ubuntu/ precise multiverse
deb http://de.archive.ubuntu.com/ubuntu/ precise-updates multiverse
deb-src http://de.archive.ubuntu.com/ubuntu/ precise-updates multiverse

## N.B. software from this repository may not have been tested as
## extensively as that contained in the main release, although it includes
## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team.
deb http://de.archive.ubuntu.com/ubuntu/ precise-backports main restricted universe multiverse
deb-src http://de.archive.ubuntu.com/ubuntu/ precise-backports main restricted universe multiverse

deb http://security.ubuntu.com/ubuntu precise-security main restricted
deb-src http://security.ubuntu.com/ubuntu precise-security main restricted
deb http://security.ubuntu.com/ubuntu precise-security universe
deb-src http://security.ubuntu.com/ubuntu precise-security universe
deb http://security.ubuntu.com/ubuntu precise-security multiverse
deb-src http://security.ubuntu.com/ubuntu precise-security multiverse

## Uncomment the following two lines to add software from Canonical's
## 'partner' repository.
## This software is not part of Ubuntu, but is offered by Canonical and the
## respective vendors as a service to Ubuntu users.
# deb http://archive.canonical.com/ubuntu precise partner
# deb-src http://archive.canonical.com/ubuntu precise partner

## Uncomment the following two lines to add software from Ubuntu's
## 'extras' repository.
## This software is not part of Ubuntu, but is offered by third-party
## developers who want to ship their latest software.
# deb http://extras.ubuntu.com/ubuntu precise main
# deb-src http://extras.ubuntu.com/ubuntu precise main

Then run

apt-get update

to update the apt package database and

apt-get upgrade

to install the latest updates (if there are any). If you see that a new kernel gets installed as part of the updates, you should reboot the system afterwards:

reboot

 

9 Change The Default Shell

/bin/sh is a symlink to /bin/dash, however we need /bin/bash, not /bin/dash. Therefore we do this:

dpkg-reconfigure dash

Use dash as the default system shell (/bin/sh)? <– No

If you don’t do this, the ISPConfig installation will fail.

 

10 Disable AppArmor

AppArmor is a security extension (similar to SELinux) that should provide extended security. In my opinion you don’t need it to configure a secure system, and it usually causes more problems than advantages (think of it after you have done a week of trouble-shooting because some service wasn’t working as expected, and then you find out that everything was ok, only AppArmor was causing the problem). Therefore I disable it (this is a must if you want to install ISPConfig later on).

We can disable it like this:

/etc/init.d/apparmor stop
update-rc.d -f apparmor remove
apt-get remove apparmor apparmor-utils

 

11 Synchronize the System Clock

It is a good idea to synchronize the system clock with an NTP (network time protocol) server over the Internet. Simply run

apt-get install ntp ntpdate

and your system time will always be in sync.

12 Install Postfix, Dovecot, MySQL, phpMyAdmin, rkhunter, binutils

We can install Postfix, Dovecot, MySQL, rkhunter, and binutils with a single command:

apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve sudo

You will be asked the following questions:

New password for the MySQL “root” user: <– yourrootsqlpassword
Repeat password for the MySQL “root” user: <– yourrootsqlpassword
General type of mail configuration: <– Internet Site
System mail name: <– server1.example.com

Next open the TLS/SSL and submission ports in Postfix:

vi /etc/postfix/master.cf

Uncomment the submission and smtps sections (leave -o milter_macro_daemon_name=ORIGINATING as we don’t need it):

[...]
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
[...]

Restart Postfix afterwards:

/etc/init.d/postfix restart

We want MySQL to listen on all interfaces, not just localhost, therefore we edit /etc/mysql/my.cnf and comment out the line bind-address = 127.0.0.1:

vi /etc/mysql/my.cnf

[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address           = 127.0.0.1
[...]

Then we restart MySQL:

/etc/init.d/mysql restart

Now check that networking is enabled. Run

netstat -tap | grep mysql

The output should look like this:

root@server1:~# netstat -tap | grep mysql
tcp        0      0 *:mysql                 *:*                     LISTEN      21298/mysqld
root@server1:~#

 

13 Install Amavisd-new, SpamAssassin, And Clamav

To install amavisd-new, SpamAssassin, and ClamAV, we run

apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl

The ISPConfig 3 setup uses amavisd which loads the SpamAssassin filter library internally, so we can stop SpamAssassin to free up some RAM:

/etc/init.d/spamassassin stop
update-rc.d -f spamassassin remove

 

14 Install Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear, And mcrypt

Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear, and mcrypt can be installed as follows:

apt-get install apache2 apache2.2-common apache2-doc apache2-mpm-prefork apache2-utils libexpat1 ssl-cert libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-curl php5-mcrypt mcrypt php5-imagick imagemagick libapache2-mod-suphp libruby libapache2-mod-ruby libapache2-mod-python libapache2-mod-perl2

You will see the following question:

Web server to reconfigure automatically: <– apache2
Configure database for phpmyadmin with dbconfig-common? <– No

Then run the following command to enable the Apache modules suexec, rewrite, ssl, actions, and include (plus dav, dav_fs, and auth_digest if you want to use WebDAV):

a2enmod suexec rewrite ssl actions include

a2enmod dav_fs dav auth_digest

Restart Apache afterwards:

/etc/init.d/apache2 restart

If you want to host Ruby files with the extension .rb on your web sites created through ISPConfig, you must comment out the line application/x-ruby rb in /etc/mime.types:

vi /etc/mime.types

[...]
#application/x-ruby                             rb
[...]

(This is needed only for .rb files; Ruby files with the extension .rbx work out of the box.)

Restart Apache afterwards:

/etc/init.d/apache2 restart

 

14.1 Xcache

Xcache is a free and open PHP opcode cacher for caching and optimizing PHP intermediate code. It’s similar to other PHP opcode cachers, such as eAccelerator and APC. It is strongly recommended to have one of these installed to speed up your PHP page.

Xcache can be installed as follows:

apt-get install php5-xcache

Now restart Apache:

/etc/init.d/apache2 restart

 

14.2 PHP-FPM

Starting with the upcoming ISPConfig 3.0.5, there will be an additional PHP mode that you can select for usage with Apache: PHP-FPM. If you plan to use this PHP mode, it makes sense to configure your system for it now so that later on when you upgrade to ISPConfig 3.0.5, your system is prepared (the latest ISPConfig version at the time of this writing is ISPConfig 3.0.4.4).

To use PHP-FPM with Apache, we need the mod_fastcgi Apache module (please don’t mix this up with mod_fcgid – they are very similar, but you cannot use PHP-FPM with mod_fcgid). We can install PHP-FPM and mod_fastcgi as follows:

apt-get install libapache2-mod-fastcgi php5-fpm

Make sure you enable the module and restart Apache:

a2enmod actions fastcgi alias
/etc/init.d/apache2 restart

 

15 Install Mailman

Since version 3.0.4, ISPConfig also allows you to manage (create/modify/delete) Mailman mailing lists. If you want to make use of this feature, install Mailman as follows:

apt-get install mailman

Select at least one language, e.g.:

Languages to support: <– en (English)

Before we can start Mailman, a first mailing list called mailman must be created:

newlist mailman

root@server1:~# newlist mailman
Enter the email of the person running the list:
 <– admin email address, e.g. listadmin@example.com
Initial mailman password: <– admin password for the mailman list
To finish creating your mailing list, you must edit your /etc/aliases (or
equivalent) file by adding the following lines, and possibly running the
`newaliases’ program:

## mailman mailing list
mailman:              “|/var/lib/mailman/mail/mailman post mailman”
mailman-admin:        “|/var/lib/mailman/mail/mailman admin mailman”
mailman-bounces:      “|/var/lib/mailman/mail/mailman bounces mailman”
mailman-confirm:      “|/var/lib/mailman/mail/mailman confirm mailman”
mailman-join:         “|/var/lib/mailman/mail/mailman join mailman”
mailman-leave:        “|/var/lib/mailman/mail/mailman leave mailman”
mailman-owner:        “|/var/lib/mailman/mail/mailman owner mailman”
mailman-request:      “|/var/lib/mailman/mail/mailman request mailman”
mailman-subscribe:    “|/var/lib/mailman/mail/mailman subscribe mailman”
mailman-unsubscribe:  “|/var/lib/mailman/mail/mailman unsubscribe mailman”

Hit enter to notify mailman owner… <– ENTER

root@server1:~#

Open /etc/aliases afterwards…

vi /etc/aliases

… and add the following lines:

[...]
## mailman mailing list
mailman:              "|/var/lib/mailman/mail/mailman post mailman"
mailman-admin:        "|/var/lib/mailman/mail/mailman admin mailman"
mailman-bounces:      "|/var/lib/mailman/mail/mailman bounces mailman"
mailman-confirm:      "|/var/lib/mailman/mail/mailman confirm mailman"
mailman-join:         "|/var/lib/mailman/mail/mailman join mailman"
mailman-leave:        "|/var/lib/mailman/mail/mailman leave mailman"
mailman-owner:        "|/var/lib/mailman/mail/mailman owner mailman"
mailman-request:      "|/var/lib/mailman/mail/mailman request mailman"
mailman-subscribe:    "|/var/lib/mailman/mail/mailman subscribe mailman"
mailman-unsubscribe:  "|/var/lib/mailman/mail/mailman unsubscribe mailman"

Run

newaliases

afterwards and restart Postfix:

/etc/init.d/postfix restart

Finally we must enable the Mailman Apache configuration:

ln -s /etc/mailman/apache.conf /etc/apache2/conf.d/mailman.conf

This defines the alias /cgi-bin/mailman/ for all Apache vhosts, which means you can access the Mailman admin interface for a list at http://<vhost>/cgi-bin/mailman/admin/<listname>, and the web page for users of a mailing list can be found at http://<vhost>/cgi-bin/mailman/listinfo/<listname>.

Under http://<vhost>/pipermail you can find the mailing list archives.

Restart Apache afterwards:

/etc/init.d/apache2 restart

Then start the Mailman daemon:

/etc/init.d/mailman start

16 Install PureFTPd And Quota

PureFTPd and quota can be installed with the following command:

apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool

Edit the file /etc/default/pure-ftpd-common

vi /etc/default/pure-ftpd-common

… and make sure that the start mode is set to standalone and set VIRTUALCHROOT=true:

[...]
STANDALONE_OR_INETD=standalone
[...]
VIRTUALCHROOT=true
[...]

Now we configure PureFTPd to allow FTP and TLS sessions. FTP is a very insecure protocol because all passwords and all data are transferred in clear text. By using TLS, the whole communication can be encrypted, thus making FTP much more secure.

If you want to allow FTP and TLS sessions, run

echo 1 > /etc/pure-ftpd/conf/TLS

In order to use TLS, we must create an SSL certificate. I create it in /etc/ssl/private/, therefore I create that directory first:

mkdir -p /etc/ssl/private/

Afterwards, we can generate the SSL certificate as follows:

openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem

Country Name (2 letter code) [AU]: <– Enter your Country Name (e.g., “DE”).
State or Province Name (full name) [Some-State]:
<– Enter your State or Province Name.
Locality Name (eg, city) []:
<– Enter your City.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
<– Enter your Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) []:
<– Enter your Organizational Unit Name (e.g. “IT Department”).
Common Name (eg, YOUR name) []:
<– Enter the Fully Qualified Domain Name of the system (e.g. “server1.example.com”).
Email Address []:
<– Enter your Email Address.

Change the permissions of the SSL certificate:

chmod 600 /etc/ssl/private/pure-ftpd.pem

Then restart PureFTPd:

/etc/init.d/pure-ftpd-mysql restart

Edit /etc/fstab. Mine looks like this (I added ,usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0 to the partition with the mount point /):

vi /etc/fstab

# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
proc            /proc           proc    nodev,noexec,nosuid 0       0
/dev/mapper/server1-root /               ext4    errors=remount-ro,usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0 0       1
# /boot was on /dev/sda1 during installation
UUID=4b58d345-1c55-4ac5-940e-7245938656a6 /boot           ext2    defaults        0       2
/dev/mapper/server1-swap_1 none            swap    sw              0       0
/dev/fd0        /media/floppy0  auto    rw,user,noauto,exec,utf8 0       0

To enable quota, run these commands:

mount -o remount /

quotacheck -avugm
quotaon -avug

 

17 Install BIND DNS Server

BIND can be installed as follows:

apt-get install bind9 dnsutils

 

18 Install Vlogger, Webalizer, And AWstats

Vlogger, webalizer, and AWstats can be installed as follows:

apt-get install vlogger webalizer awstats geoip-database libclass-dbi-mysql-perl

Open /etc/cron.d/awstats afterwards…

vi /etc/cron.d/awstats

… and comment out everything in that file:

#MAILTO=root
#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh
# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh

19 Install Jailkit

Jailkit is needed only if you want to chroot SSH users. It can be installed as follows (important: Jailkit must be installed before ISPConfig – it cannot be installed afterwards!):

apt-get install build-essential autoconf automake1.9 libtool flex bison debhelper binutils-gold

cd /tmp
wget http://olivier.sessink.nl/jailkit/jailkit-2.14.tar.gz
tar xvfz jailkit-2.14.tar.gz
cd jailkit-2.14
./debian/rules binary

You can now install the Jailkit .deb package as follows:

cd ..
dpkg -i jailkit_2.14-1_*.deb
rm -rf jailkit-2.14*

 

20 Install fail2ban

This is optional but recommended, because the ISPConfig monitor tries to show the log:

apt-get install fail2ban

To make fail2ban monitor PureFTPd and Dovecot, create the file /etc/fail2ban/jail.local:

vi /etc/fail2ban/jail.local

[pureftpd]
enabled  = true
port     = ftp
filter   = pureftpd
logpath  = /var/log/syslog
maxretry = 3

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 5

Then create the following two filter files:

vi /etc/fail2ban/filter.d/pureftpd.conf

[Definition]
failregex = .*pure-ftpd: \(.*@<HOST>\) \[WARNING\] Authentication failed for user.*
ignoreregex =

vi /etc/fail2ban/filter.d/dovecot-pop3imap.conf

[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*
ignoreregex =

Restart fail2ban afterwards:

/etc/init.d/fail2ban restart

21 Install SquirrelMail

To install the SquirrelMail webmail client, run

apt-get install squirrelmail

Then configure SquirrelMail:

squirrelmail-configure

We must tell SquirrelMail that we are using Dovecot-IMAP/-POP3:

SquirrelMail Configuration : Read: config.php (1.4.0)
———————————————————
Main Menu —
1.  Organization Preferences
2.  Server Settings
3.  Folder Defaults
4.  General Options
5.  Themes
6.  Address Books
7.  Message of the Day (MOTD)
8.  Plugins
9.  Database
10. Languages

D.  Set pre-defined settings for specific IMAP servers

C   Turn color on
S   Save data
Q   Quit

Command >> <– D

SquirrelMail Configuration : Read: config.php
———————————————————
While we have been building SquirrelMail, we have discovered some
preferences that work better with some servers that don’t work so
well with others.  If you select your IMAP server, this option will
set some pre-defined settings for that server.

Please note that you will still need to go through and make sure
everything is correct.  This does not change everything.  There are
only a few settings that this will change.

Please select your IMAP server:
bincimap    = Binc IMAP server
courier     = Courier IMAP server
cyrus       = Cyrus IMAP server
dovecot     = Dovecot Secure IMAP server
exchange    = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx      = Mac OS X Mailserver
mercury32   = Mercury/32
uw          = University of Washington’s IMAP server
gmail       = IMAP access to Google mail (Gmail) accounts

quit        = Do not change anything
Command >> <– dovecot

SquirrelMail Configuration : Read: config.php
———————————————————
While we have been building SquirrelMail, we have discovered some
preferences that work better with some servers that don’t work so
well with others.  If you select your IMAP server, this option will
set some pre-defined settings for that server.

Please note that you will still need to go through and make sure
everything is correct.  This does not change everything.  There are
only a few settings that this will change.

Please select your IMAP server:
bincimap    = Binc IMAP server
courier     = Courier IMAP server
cyrus       = Cyrus IMAP server
dovecot     = Dovecot Secure IMAP server
exchange    = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx      = Mac OS X Mailserver
mercury32   = Mercury/32
uw          = University of Washington’s IMAP server
gmail       = IMAP access to Google mail (Gmail) accounts

quit        = Do not change anything
Command >> dovecot

imap_server_type = dovecot
default_folder_prefix = <none>
trash_folder = Trash
sent_folder = Sent
draft_folder = Drafts
show_prefix_option = false
default_sub_of_inbox = false
show_contain_subfolders_option = false
optional_delimiter = detect
delete_folder = false

Press any key to continue… <– press a key

SquirrelMail Configuration : Read: config.php (1.4.0)
———————————————————
Main Menu —
1.  Organization Preferences
2.  Server Settings
3.  Folder Defaults
4.  General Options
5.  Themes
6.  Address Books
7.  Message of the Day (MOTD)
8.  Plugins
9.  Database
10. Languages

D.  Set pre-defined settings for specific IMAP servers

C   Turn color on
S   Save data
Q   Quit

Command >> <– S

SquirrelMail Configuration : Read: config.php (1.4.0)
———————————————————
Main Menu —
1.  Organization Preferences
2.  Server Settings
3.  Folder Defaults
4.  General Options
5.  Themes
6.  Address Books
7.  Message of the Day (MOTD)
8.  Plugins
9.  Database
10. Languages

D.  Set pre-defined settings for specific IMAP servers

C   Turn color on
S   Save data
Q   Quit

Command >> <– Q

Now we will configure SquirrelMail so that you can use it from within your web sites (created through ISPConfig) by using the /squirrelmail or /webmail aliases. So if your website is www.example.com, you will be able to access SquirrelMail using www.example.com/squirrelmail or www.example.com/webmail.

SquirrelMail’s Apache configuration is in the file /etc/squirrelmail/apache.conf, but this file isn’t loaded by Apache because it is not in the /etc/apache2/conf.d/ directory. Therefore we create a symlink called squirrelmail.conf in the /etc/apache2/conf.d/ directory that points to /etc/squirrelmail/apache.conf and reload Apache afterwards:

cd /etc/apache2/conf.d/
ln -s ../../squirrelmail/apache.conf squirrelmail.conf
/etc/init.d/apache2 reload

Now open /etc/apache2/conf.d/squirrelmail.conf

vi /etc/apache2/conf.d/squirrelmail.conf

… and add the following lines to the <Directory /usr/share/squirrelmail></Directory> container that make sure that mod_php is used for accessing SquirrelMail, regardless of what PHP mode you select for your website in ISPConfig:

[...]
<Directory /usr/share/squirrelmail>
  Options FollowSymLinks
  <IfModule mod_php5.c>
    AddType application/x-httpd-php .php
    php_flag magic_quotes_gpc Off
    php_flag track_vars On
    php_admin_flag allow_url_fopen Off
    php_value include_path .
    php_admin_value upload_tmp_dir /var/lib/squirrelmail/tmp
    php_admin_value open_basedir /usr/share/squirrelmail:/etc/squirrelmail:/var/lib/squirrelmail:/etc/hostname:/etc/mailname:/var/spool/squirrelmail
    php_flag register_globals off
  </IfModule>
  <IfModule mod_dir.c>
    DirectoryIndex index.php
  </IfModule>
  # access to configtest is limited by default to prevent information leak
  <Files configtest.php>
    order deny,allow
    deny from all
    allow from 127.0.0.1
  </Files>
</Directory>
[...]

Create the directory /var/lib/squirrelmail/tmp

mkdir /var/lib/squirrelmail/tmp

… and make it owned by the user www-data:

chown www-data /var/lib/squirrelmail/tmp

Reload Apache again:

/etc/init.d/apache2 reload

That’s it already – /etc/apache2/conf.d/squirrelmail.conf defines an alias called /squirrelmail that points to SquirrelMail’s installation directory /usr/share/squirrelmail.

You can now access SquirrelMail from your web site as follows:

http://192.168.0.100/squirrelmail
http://www.example.com/squirrelmail

You can also access it from the ISPConfig control panel vhost (after you have installed ISPConfig, see the next chapter) as follows (this doesn’t need any configuration in ISPConfig):

http://server1.example.com:8080/squirrelmail

If you’d like to use the alias /webmail instead of /squirrelmail, simply open /etc/apache2/conf.d/squirrelmail.conf

vi /etc/apache2/conf.d/squirrelmail.conf

… and add the line Alias /webmail /usr/share/squirrelmail:

Alias /squirrelmail /usr/share/squirrelmail
Alias /webmail /usr/share/squirrelmail
[...]

Then reload Apache:

/etc/init.d/apache2 reload

Now you can access Squirrelmail as follows:

http://192.168.0.100/webmail
http://www.example.com/webmail
http://server1.example.com:8080/webmail
(after you have installed ISPConfig, see the next chapter)

36

If you’d like to define a vhost like webmail.example.com where your users can access SquirrelMail, you’d have to add the following vhost configuration to /etc/apache2/conf.d/squirrelmail.conf:

vi /etc/apache2/conf.d/squirrelmail.conf

[...]
<VirtualHost 1.2.3.4:80>
  DocumentRoot /usr/share/squirrelmail
  ServerName webmail.example.com
</VirtualHost>

Make sure you replace 1.2.3.4 with the correct IP address of your server. Of course, there must be a DNS record for webmail.example.com that points to the IP address that you use in the vhost configuration. Also make sure that the vhost webmail.example.com does not exist in ISPConfig (otherwise both vhosts will interfere with each other!).

Now reload Apache…

/etc/init.d/apache2 reload

… and you can access SquirrelMail under http://webmail.example.com!

22 Install ISPConfig 3

To install ISPConfig 3 from the latest released version, do this:

cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/

The next step is to run

php -q install.php

This will start the ISPConfig 3 installer. The installer will configure all services like Postfix, Dovecot, etc. for you. A manual setup as required for ISPConfig 2 (perfect setup guides) is not necessary.

root@server1:/tmp/ispconfig3_install/install# php -q install.php

——————————————————————————–
_____ ___________   _____              __ _         ____
|_   _/  ___| ___ \ /  __ \            / _(_)       /__  \
| | \ `–.| |_/ / | /  \/ ___  _ __ | |_ _  __ _    _/ /
| |  `–. \  __/  | |    / _ \| ‘_ \|  _| |/ _` |  |_ |
_| |_/\__/ / |     | \__/\ (_) | | | | | | | (_| | ___\ \
\___/\____/\_|      \____/\___/|_| |_|_| |_|\__, | \____/
__/ |
|___/
——————————————————————————–

>> Initial configuration

Operating System: Debian or compatible, unknown version.

Following will be a few questions for primary configuration so be careful.
Default values are in [brackets] and can be accepted with <ENTER>.
Tap in “quit” (without the quotes) to stop the installer.

Select language (en,de) [en]: <– ENTER

Installation mode (standard,expert) [standard]: <– ENTER

Full qualified hostname (FQDN) of the server, eg server1.domain.tld  [server1.example.com]: <– ENTER

MySQL server hostname [localhost]: <– ENTER

MySQL root username [root]: <– ENTER

MySQL root password []: <– yourrootsqlpassword

MySQL database to create [dbispconfig]: <– ENTER

MySQL charset [utf8]: <– ENTER

Generating a 2048 bit RSA private key
………..+++
…………………+++
writing new private key to ‘smtpd.key’
—–
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [AU]:
 <– ENTER
State or Province Name (full name) [Some-State]: <– ENTER
Locality Name (eg, city) []: <– ENTER
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <– ENTER
Organizational Unit Name (eg, section) []: <– ENTER
Common Name (e.g. server FQDN or YOUR name) []: <– ENTER
Email Address []: <– ENTER
Configuring Jailkit
Configuring Dovecot
Configuring Spamassassin
Configuring Amavisd
Configuring Getmail
Configuring Pureftpd
Configuring BIND
Configuring Apache
Configuring Vlogger
Configuring Apps vhost
Configuring Bastille Firewall
Configuring Fail2ban
Installing ISPConfig
ISPConfig Port [8080]:
 <– ENTER

Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]: <– ENTER

Generating RSA private key, 4096 bit long modulus
…….++
…………………………………………………++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [AU]:
 <– ENTER
State or Province Name (full name) [Some-State]: <– ENTER
Locality Name (eg, city) []: <– ENTER
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <– ENTER
Organizational Unit Name (eg, section) []: <– ENTER
Common Name (e.g. server FQDN or YOUR name) []: <– ENTER
Email Address []: <– ENTER

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
 <– ENTER
An optional company name []: <– ENTER
writing RSA key
Configuring DBServer
Installing ISPConfig crontab
no crontab for root
no crontab for getmail
Restarting services …
Rather than invoking init scripts through /etc/init.d, use the service(8)
utility, e.g. service mysql restart

Since the script you are attempting to invoke has been converted to an
Upstart job, you may also use the stop(8) and then start(8) utilities,
e.g. stop mysql ; start mysql. The restart(8) utility is also available.
mysql stop/waiting
mysql start/running, process 2543
* Stopping Postfix Mail Transport Agent postfix
/usr/sbin/postconf: warning: /etc/postfix/master.cf: unused parameter: smtpd_bind_address=127.0.0.1
…done.
* Starting Postfix Mail Transport Agent postfix
postconf: warning: /etc/postfix/master.cf: unused parameter: smtpd_bind_address=127.0.0.1
postconf: warning: /etc/postfix/master.cf: unused parameter: smtpd_bind_address=127.0.0.1
postconf: warning: /etc/postfix/master.cf: unused parameter: smtpd_bind_address=127.0.0.1
postconf: warning: /etc/postfix/master.cf: unused parameter: smtpd_bind_address=127.0.0.1
postconf: warning: /etc/postfix/master.cf: unused parameter: smtpd_bind_address=127.0.0.1
postconf: warning: /etc/postfix/master.cf: unused parameter: smtpd_bind_address=127.0.0.1
/usr/sbin/postconf: warning: /etc/postfix/master.cf: unused parameter: smtpd_bind_address=127.0.0.1
/usr/sbin/postconf: warning: /etc/postfix/master.cf: unused parameter: smtpd_bind_address=127.0.0.1
/usr/sbin/postconf: warning: /etc/postfix/master.cf: unused parameter: smtpd_bind_address=127.0.0.1
/usr/sbin/postconf: warning: /etc/postfix/master.cf: unused parameter: smtpd_bind_address=127.0.0.1
/usr/sbin/postconf: warning: /etc/postfix/master.cf: unused parameter: smtpd_bind_address=127.0.0.1
/usr/sbin/postconf: warning: /etc/postfix/master.cf: unused parameter: smtpd_bind_address=127.0.0.1
/usr/sbin/postconf: warning: /etc/postfix/master.cf: unused parameter: smtpd_bind_address=127.0.0.1
/usr/sbin/postconf: warning: /etc/postfix/master.cf: unused parameter: smtpd_bind_address=127.0.0.1
/usr/sbin/postconf: warning: /etc/postfix/master.cf: unused parameter: smtpd_bind_address=127.0.0.1
/usr/sbin/postconf: warning: /etc/postfix/master.cf: unused parameter: smtpd_bind_address=127.0.0.1
/usr/sbin/postconf: warning: /etc/postfix/master.cf: unused parameter: smtpd_bind_address=127.0.0.1
/usr/sbin/postconf: warning: /etc/postfix/master.cf: unused parameter: smtpd_bind_address=127.0.0.1
/usr/sbin/postconf: warning: /etc/postfix/master.cf: unused parameter: smtpd_bind_address=127.0.0.1
/usr/sbin/postconf: warning: /etc/postfix/master.cf: unused parameter: smtpd_bind_address=127.0.0.1
/usr/sbin/postconf: warning: /etc/postfix/master.cf: unused parameter: smtpd_bind_address=127.0.0.1
/usr/sbin/postconf: warning: /etc/postfix/master.cf: unused parameter: smtpd_bind_address=127.0.0.1
…done.
Stopping amavisd: (not running).
The amavisd daemon is already running, PID: [1126]
Starting amavisd: (failed).
* Stopping ClamAV daemon clamd
…done.
* Starting ClamAV daemon clamd
…done.
Rather than invoking init scripts through /etc/init.d, use the service(8)
utility, e.g. service dovecot restart

Since the script you are attempting to invoke has been converted to an
Upstart job, you may also use the stop(8) and then start(8) utilities,
e.g. stop dovecot ; start dovecot. The restart(8) utility is also available.
dovecot stop/waiting
dovecot start/running, process 3668
* Restarting Mailman master qrunner mailmanctl
* Waiting…
…done.
…done.
* Restarting web server apache2
… waiting .   …done.
Restarting ftp server: Running: /usr/sbin/pure-ftpd-mysql-virtualchroot -l mysql:/etc/pure-ftpd/db/mysql.conf -l pam -E -H -Y 1 -O clf:/var/log/pure-ftpd/transfer.log -8 UTF-8 -b -D -A -u 1000 -B
Installation completed.
root@server1:/tmp/ispconfig3_install/install#

The installer automatically configures all underlying services, so no manual configuration is needed.

You now also have the possibility to let the installer create an SSL vhost for the ISPConfig control panel, so that ISPConfig can be accessed using https:// instead of http://. To achieve this, just press ENTER when you see this question: Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]:.

Afterwards you can access ISPConfig 3 under

http(s)://server1.example.com:8080/ or http(s)://192.168.0.100:8080/ ( http or https depends on what you chose during installation). Log in with the username admin and the password admin (you should change the default password after your first login):

37

38

The system is now ready to be used.

 

 

23 Additional Notes

23.1 OpenVZ

If the Ubuntu server that you’ve just set up in this tutorial is an OpenVZ container (virtual machine), you should do this on the host system (I’m assuming that the ID of the OpenVZ container is 101 – replace it with the correct VPSID on your system):

VPSID=101
for CAP in CHOWN DAC_READ_SEARCH SETGID SETUID NET_BIND_SERVICE NET_ADMIN SYS_CHROOT SYS_NICE CHOWN DAC_READ_SEARCH SETGID SETUID NET_BIND_SERVICE NET_ADMIN SYS_CHROOT SYS_NICE
do
vzctl set $VPSID –capability ${CAP}:on –save
done

 

  • Ubuntu: http://www.ubuntu.com/
  • ISPConfig: http://www.ispconfig.org/

 

 

 

 

Comments

comments