Home / Linux Admin /

Setup an Email/Webserver/Jabber/DNS with ISPConfig On Debian 9

Note that this is fairly specific for Debian 9. The clamav component also appears to require that you run this on a server with at least 2 gigs of memory. (I had a 1 gig vm have clam crash after a few hours, requiring a reboot to get back up and running again. 2 gigs seems stable, but more is definitely better)

Confirm hostname is correct:
1. nano /etc/hosts
  - It should look something like this, if the server name is controlpanel and the domain name is yourdomain.com:
```
127.0.0.1   localhost
[localMachineIP - noBrackets]   controlpanel.yourdomain.com controlpanel

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
```
2. nano /etc/hostname
  - it should simply read the server name (controlpanel from the above example)
3. reboot the server
4. confirm:
  - hostname
  - hostname -f
Change default shell
- dpkg-reconfigure dash
  - answer no to using dash as the default system shell
  - ISPconfig relies on bash

Make sure you have contrib non-free tagged onto your current sources:

should look like (with server being whatever your current server is)

# deb http://server/debian/ stretch main
deb http://server/debian/ stretch main contrib non-free
deb-src http://server/debian/ stretch main contrib non-free
deb http://security.debian.org/debian-security stretch/updates main contrib non-free
deb-src http://security.debian.org/debian-security stretch/updates main contrib non-free

make sure to update packages before proceeding:
- apt update && apt upgrade -y
Install the following packages (apt install ... ... yes it's a doozy)
- ssh openssh-server nano dnsutils ntp postfix postfix-mysql postfix-doc mariadb-client mariadb-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve dovecot-lmtpd sudo amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl libdbd-mysql-perl postgrey git lua5.1 liblua5.1-0-dev lua-filesystem libidn11-dev libssl-dev lua-zlib lua-expat lua-event lua-bitop lua-socket lua-sec luarocks luarocks apache2 apache2-doc apache2-utils libapache2-mod-php libapache2-mod-fcgid apache2-suexec-pristine php-pear mcrypt imagemagick libruby libapache2-mod-python memcached php-memcache php-imagick php-gettext memcached libapache2-mod-passenger php-soap php php-common php-gd php-mysql php-imap phpmyadmin php-cli php-cgi php-mcrypt php-curl php-pspell php-recode php-sqlite3 php-tidy php-xmlrpc php-xsl php-intl php-zip php-mbstring certbot php-fpm php-opcache php-apcu pure-ftpd-common pure-ftpd-mysql quota quotatool bind9 dnsutils haveged webalizer awstats geoip-database libclass-dbi-mysql-perl libtimedate-perl build-essential autoconf automake libtool flex bison debhelper binutils fail2ban roundcube roundcube-core roundcube-mysql roundcube-plugins
- In no particular order, you will be asked the following questions about package configuration:
  - email:
    - type of mail configuration:
      - Internet site
    - system mail name (no brackets)
      - hostname.domain.tld
      - controlpanel.yourdomain.com in the earlier example
  - phpmyadmin (pma)
    - web server to reconfigure:
      - apache2
        
        note that you have to hit the spacebar to select your option before you hit okay
    - configure database for pma:
      - yes
    - pma application password
      - just hit enter
    - admin password
      - mysql root password (not set yet... will be set after everything installs, so make note of what you enter here to be used to set it to match)
  - roundcube:
    - configure database for roundcube:
      - yes
    - roundcube application password
      - just hit enter
    - database admin password
      - mysql root password (not set yet... will be set after everything installs, so make note of what you enter here to be used to set it to match)
Configure and secure MariaDB (MariaDB is a drop in replacement for MySQL):
1. mysql_secure_installation
  1. change the root password:
    - yes
  2. make note of the password for the sql root
  3. remove anonymous users:
    - yes
  4. disallow remote root login:
    - yes
  5. remove test database:
    - yes
  6. reload privilege tables:
    - yes
2. nano /etc/mysql/mariadb.conf.d/50-server.cnf
  - should look like (NO_ENGINE_SUBSTITUTION line is new):
```
[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address           = 127.0.0.1

sql-mode="NO_ENGINE_SUBSTITUTION"

[...]
```
3. echo "update mysql.user set plugin = 'mysql_native_password' where user='root';" | mysql -u root
  - does something for PHPMyAdmin
4. nano /etc/mysql/debian.cnf
  - should look like:
```
# Automatically generated for Debian scripts. DO NOT TOUCH!
[client]
host = localhost
user = root
password = [rootSQLpasswordNobrackets]
socket = /var/run/mysqld/mysqld.sock
[mysql_upgrade]
host = localhost
user = root
password = [rootSQLpasswordNobrackets]
socket = /var/run/mysqld/mysqld.sock
basedir = /usr
```
5. service mysql restart
6. if you want to confirm that it's running with networking
  - netstat -tulpn and look for an entry for mysqld LISTENING on port 3306
Stop spamassassin service (ispconfig just uses the libraries and the service is unnecessary)
1. service spamassassin stop
2. systemctl disable spamassassin

Configure Postfix:

nano /etc/postfix/master.cf

should look like:

[...]
submission inet n - - - - smtpd
 -o syslog_name=postfix/submission
 -o smtpd_tls_security_level=encrypt
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
 -o syslog_name=postfix/smtps
 -o smtpd_tls_wrappermode=yes
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
[...]

Configure Mailman (optional - not recommended)
- I don't know what this is, but apparently we need to create a first mailing list:
  1. apt install mailman
    - languages to support
      - choose at least one
    - missing site list
      - ok
  2. newlist mailman
    - enter email of person running list:
      - enter an email, can probably be one that isn't created yet
    - initial mailman password
      - create a password i think?
    - says something about how the following lines need to be included in /etc/aliases
  3. nano /etc/aliases
    - paste the previous lines in
  4. newaliases
  5. follow it up with service postfix restart
  6. ln -s /etc/mailman/apache.conf /etc/apache2/conf-enabled/mailman.conf
    - apparently can access things through http://[hostname.domain.com]/cgi-bin/mailman/admin and http://[hostname.domain.com]/cgi-bin/mailman/listinfo
  7. service mailman start

Configure Metronome for Jabber (optional)
1. Add the following repository to apt sources:
  - echo "deb http://packages.prosody.im/debian stretch main" > /etc/apt/sources.list.d/metronome.list
  - wget http://prosody.im/files/prosody-debian-packages.key -O - | sudo apt-key add -
2. luarocks install lpc
3. adduser --no-create-home --disabled-login --gecos 'Metronome' metronome
4. cd /opt; git clone https://github.com/maranda/metronome.git metronome
5. cd ./metronome; ./configure --ostype=debian --prefix=/usr
6. make
7. make install
configure Roundcube
1. nano /etc/roundcube/config.inc.php
  - make sure these values are set:
```
$config['default_host'] = 'localhost';
$config['smtp_server'] = 'localhost';
```
2. nano /etc/apache2/conf-enabled/roundcube.conf
  - add the following line:
    - Alias /webmail /var/lib/roundcube
3. Now is accessible via http://[hostname.domain.com]/webmail
Configure Apache
1. enable modules:
  - a2enmod suexec rewrite ssl actions include dav_fs dav auth_digest cgi headers actions proxy_fcgi alias
2. workaround HTTPOXY vulnerability
  1. nano /etc/apache2/conf-available/httpoxy.conf
    - contents should be:
```
<IfModule mod_headers.c>
    RequestHeader unset Proxy early
</IfModule>
```
  2. a2enconf httpoxy
  3. service apache2 restart
3. fix PHPMyAdmin access (if you forgot to hit the spacebar for apache earlier)
  1. ln -s /etc/phpmyadmin/apache.conf /etc/apache2/conf-enabled/phpmyadmin.conf
Configure PureFTPd
1. nano /etc/default/pure-ftpd-common
  - should look like:
```
[...]
STANDALONE_OR_INETD=standalone
[...]
VIRTUALCHROOT=true
[...]
```
2. echo 1 > /etc/pure-ftpd/conf/TLS
3. echo "40000 45000" > /etc/pure-ftpd/conf/PassivePortRange
  - This sets a range on the ports than can be used for passive connections. Now that you know the port range, you can continue using your firewall to safely open ports in that range.
4. /etc/init.d/pure-ftpd-mysql restart
5. Cert will be linked after ISPConfig is installed
Configure quota
1. nano /etc/fstab
  - add ,usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0 to the partition with mount point of /
  - should look vaguely like:
```
/dev/sda1 / ext4 errors=remount-ro,usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0 0 1
```
2. mount -o remount /
3. quotacheck -avugm
4. quotaon -avug
Make AWStats sane
1. nano /etc/cron.d/awstats
2. comment all lines to start with #
Install Jailkit (This NEEDS to be done before running the isp config install!)
1. cd /tmp
2. wget http://olivier.sessink.nl/jailkit/jailkit-2.19.tar.gz
3. tar xvfz jailkit-2.19.tar.gz
4. cd jailkit-2.19
5. echo 5 > debian/compat
6. ./debian/rules binary
7. cd ..
8. dpkg -i jailkit_2.19-1_*.deb
9. rm -rf jailkit-2.19*

Configure fail2ban

nano /etc/fail2ban/jail.local

insert following contents:

[pure-ftpd]
enabled = true
port = ftp
filter = pure-ftpd
logpath = /var/log/syslog
maxretry = 3

[dovecot]
enabled = true
filter = dovecot
logpath = /var/log/mail.log
maxretry = 5

[postfix-sasl]
enabled = true
port = smtp
filter = postfix-sasl
logpath = /var/log/mail.log
maxretry = 3

service fail2ban restart

Run ISPConfig setup
1. cd /tmp
2. wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
3. tar -zxvf ISPConfig-3-stable.tar.gz
4. cd ispconfig3_install/install/
5. php -q install.php
  - you'll be asked a series of questions. Most of them are fairly obvious, but here are the ones I've deemed questionable:
    - installation mode:
      - standard
    - set main page to use secure access/ssl (i don't remember the exact phrasing)
    - certificate questions:
      - for the most part, these should/will be replaced with letsencrypt, so they PROBABLY don't matter? Still, try to answer them appropriately. As for the last couple questions about a challenge password and company name, you can skip those.
ControlPanel SSL (This section assumes you're server is properly networked at this point, can be accessed from the internet, and dns is configured) - credit for this section
1. if you haven't set up the control panel for secure access, you will need to run ispconfig_update.sh
2. create a site matching the FQDN of the server (controlpanel.yourdomain.com from the earlier example)
3. in the settings for the new site, turn on ssl with letsencrypt
4. Once it has setup the site and created the certificate, use the downloaded letsencrypt certificate to configure the control panel certificate
  1. cd /usr/local/ispconfig/interface/ssl/
  2. mkdir $(date +"%y%m%d%H%M%S").bak
  3. mv ispserver.* [the new folder that was just created no brackets]
  4. ln -s /etc/letsencrypt/live/$(hostname -f)/fullchain.pem ispserver.crt
  5. ln -s /etc/letsencrypt/live/$(hostname -f)/privkey.pem ispserver.key
  6. cat ispserver.{key,crt} > ispserver.pem
  7. chmod 600 ispserver.pem
5. Configure postfix:
  1. cd /etc/postfix/
  2. mv smtpd.cert smtpd.cert-$(date +"%y%m%d%H%M%S").bak
  3. mv smtpd.key smtpd.key-$(date +"%y%m%d%H%M%S").bak
  4. ln -s /usr/local/ispconfig/interface/ssl/ispserver.crt smtpd.cert
  5. ln -s /usr/local/ispconfig/interface/ssl/ispserver.key smtpd.key
  6. service postfix restart
  7. service dovecot restart
6. Configure dovecot:
  1. nano /etc/dovecot/dovecot.conf
  2. confirm the following exists in the file:
```
[...]
ssl_cert = </etc/postfix/smtpd.cert
ssl_key = </etc/postfix/smtpd.key
[...]
```
  3. service dovecot restart
    - only necessary if there were any changes
7. Configure pure-ftpd:
  1. cd /etc/ssl/private/
  2. mv pure-ftpd.pem pure-ftpd.pem-$(date +"%y%m%d%H%M%S").bak
  3. ln -s /usr/local/ispconfig/interface/ssl/ispserver.pem pure-ftpd.pem
  4. chmod 600 pure-ftpd.pem
  5. service pure-ftpd-mysql restart
8. Automate the updates:
  1. we will be installing a utility called incron. It's essentially cron, but instead of being activated by time intervals, it is activated by file modification or activity
  2. apt install -y incron
  3. nano /etc/init.d/le_ispc_pem.sh
  4. copy/paste the following contents:
```
#!/bin/sh
### BEGIN INIT INFO
# Provides:  LE ISPSERVER.PEM AUTO UPDATER
# Required-Start:  $local_fs $network
# Required-Stop:  $local_fs
# Default-Start:  2 3 4 5
# Default-Stop:  0 1 6
# Short-Description:  LE ISPSERVER.PEM AUTO UPDATER
# Description:  Update ispserver.pem automatically after ISPC LE SSL certs are renewed.
### END INIT INFO
cd /usr/local/ispconfig/interface/ssl/
mv ispserver.pem ispserver.pem-$(date +"%y%m%d%H%M%S").bak
cat ispserver.{key,crt} > ispserver.pem
chmod 600 ispserver.pem
chmod 600 /etc/ssl/private/pure-ftpd.pem
service pure-ftpd-mysql restart
service postfix restart
service dovecot restart
service apache2 restart
```
  5. chmod +x /etc/init.d/le_ispc_pem.sh
  6. echo "root" >> /etc/incron.allow
  7. incrontab -e
  8. enter the following contents:
    - /etc/letsencrypt/archive/$(hostname -f)/ IN_MODIFY ./etc/init.d/le_ispc_pem.sh
  9. you might be able to get away with service apache2 restart or just reboot your server
confirm the following ports are open on firewall (not comprehensive)
- 21
- 22
- 25
- 53
- 80
- 110
- 143
- 443
- 953
- 993
- 995
- 40000:45000/tcp
- whatever you had the admin portal on (8080 is default)

Please give credit to this walkthrough which much of this is based off of.

this document last modified: March 27 2018 00:10

popout article

permalink

Home / Linux Admin /