SOLVED ISPconfig 3 Ubuntu postfix+dovecot+roundcube
I decided to try a multiserver setup.
The mail control panel server also as function of mail server.
Followed 2 tutorials: http://www.howtoforge.com/perfect-se...ispconfig-3-p7
Also, I have 2 STARTSSL certificates:
1 for the control panel port 8080 https://cp.mydomain.com:8080
1 for the webmail https://mail.mydomain.com
(the last one was tricky since I'm not using a wildcard SSL, but successfully manage to change the roundcube.conf to respond using the correct mail SSL certificate and to respond to the domain instead of domain/webmail.
For this is used the how-to http://www.howtoforge.com/securing-y...om-startssl-p2
the only difference from the above tutorial was postfix and dovecot, I changed them to reflect the mail SSL and not the ispconfig3 cp.mydomain SSL.
So far so good, everything responded fine.
I already created email accounts in ISPconfig3. When trying to login in roundcube https://mail.mydomain.com I'm getting login failed.
Checking the /var/log/mail.err:
3 warning lines with the 3 dovecot SSL entries, althought it's a warning it creates a lot of logging :(
getting a few more errors in /var/mail.err
Thanks for the help... :) great community
What exactly did you do to solve this?
For some reason my postfix installation had no SSL cert. Reading the how-to there's no mention to it. So I had to do a bunch of things, from the top of my head, bellow are some important steps.
Made sure that postfix, dovecot and roundcube were using the same SSL "mail" and not the ISPConfig "cp" SSL.
Although the "mail" SSL location files are different (just copies). That's something I'm going to implement next, because it will be easier to replace when they expire, postfix, dovecot and apache2 will pull the SSL "mail" from the same location.
So, to start I added my mail.domain.com STARTSSL to postifix main.cf
ln -s /etc/ssl/roundcube/ssl.crt smtpd.cert
ln -s /etc/ssl/roundcube/ssl.key smtpd.key
smtp_use_tls = yes
smtpd_tls_received_header = yes
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_CAfile = /etc/ssl/roundcube/sub.class1.server.ca.crt
Also in the apache2 vhost roundcube.conf
SSLProtocol all -SSLv2
and to finish it, dovecot.conf
ssl_cert = </etc/postfix/smtpd.cert
ssl_key = </etc/postfix/smtpd.key
Restarted all services and did an ipsconfig php -q update.php to integrate all this.
I also "frankansteined" my 2 DNS servers to be integrated with ISPConfig. I always read that we should start with a clean ISPConfig installation :) ... no, that's 2 easy :)
The reason was that my NS1 also had cacti and nagios3 running, and I wanted to keep all the hosts configuration and databases for them.
went smooth... Right now I already have them beautifully integrated as master and slave NS's in ISPconfig keeping my cacti and nagios.
Also added DNSSEC to both servers, you guys have no dnssec integration нн
Today or tomorrow will integrate the webserver + database server to the ISPConfig setup.
Could have done this already, I already have "the" webserver running and it's my crown jewel. Apache2 and mysql are tweaked to perfection with 100ms response times, 2/3 seconds total page load times for heavy Joomla / Jomsocial websites... over WAN. This one will not be a clean ISPConfig install :)
Later this week will start testing openvz server integrated into ISPConfig3, very familiar with VM's like sphere and virtualbox but never used openvz before. The only thing I like about openvz is the fact that it is "open", and that's about it... the project seems stalled or dead and it's officially the slowest virtual machines in the world. Google says so.
If I'm not happy with it, as a future project might pull a stunt and develop a module to integrate virtualbox into ISPConfig. Virtualbox is free and as good support and runs on all sorts of hosts, each vmachine as an individual identifier, good control over cores/ram/eth, etc. and it's fast.
Some people are happy if it runs, I'm only happy went it's fast and the error log shows 0 entries...
webserver and database
Today was the big day to "Frankenstein" my beautiful webserver and integrate another server into ispconfig. This server as double function of webserver and database server.
Well, it went fine, just took me a hour to figure out how ispconfig stores things like the vhosts and the www root directories.
Needed to do some apache2.conf changes, my conf file was more restricted and each host had a directory line with root location and include sites-enabled. My mysql conf was kept pretty much the same with my tweaked settings, with exception for commenting out "only respond on the interface 127.0.0.1.".
Yeah, did not understand at first in ispconfig add website what settings to use for php... but a quick look in this excellent forum gave me the answer for Joomla websites, SUexe and phpfcgi. Not mod-php.
Webserver Databases went without issues with phpmyadmin, did have to change the control panel ispconfig to when pressing the database button to open the webserver phpmyadmin and not the control panel phpmyadmin that I previously looked with .htaccess to my lan. The webserver phpmyadmin responds over WAN.
Testing the websites performance with apache2 benchmark and webpagetest, gave me a few nano seconds more, not happy but those nano's will save hours of website work. So, it's an OK compromise. msqltunner benchmark reported no changes in mysql... as expected since my.cnf is the same.
Tomorrow will test FTP and add 1 godady SSL and 2 STARTSSL certificates to 3 of the websites, responding on the same WAN IP but using different ports (got to love the facebook applications, must have ssl). More fun.
p.s. after deletion, ISPConfig seems to leave some settings behind in the database. Haven't investigate this yet, but user groups from deleted users still show up and after deleting a website ispconfig did not regenerate the website folder:
/web11/ deleted website
/web12/ it should be 11, so there's a gap between 10 and 12.
Could you please also post the changes you made to add dnssec support?
Plenty of tutorials for bind9 and dnssec.
Maybe you should ask ispconfig3 developers what files / master templates need to be hacked in order to maintain intact your dnssec txt records.
|All times are GMT +2. The time now is 02:32.|
Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.