The Perfect Server - Debian Squeeze (Debian 6.0) With BIND & Dovecot [ISPConfig 3] - Page 4

Submitted by falko on Tue, 2011-08-09 17:49.

10 Install Postfix, Dovecot, Saslauthd, MySQL, phpMyAdmin, rkhunter, binutils

We can install Postfix, Dovecot, Saslauthd, MySQL, phpMyAdmin, rkhunter, and binutils with a single command:

apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d sudo

You will be asked the following questions:

General type of mail configuration: <-- Internet Site
System mail name: <-- server1.example.com
New password for the MySQL "root" user: <-- yourrootsqlpassword
Repeat password for the MySQL "root" user: <-- yourrootsqlpassword

Next open the TLS/SSL and submission ports in Postfix:

vi /etc/postfix/master.cf

Uncomment the submission and smtps sections (leave the -o milter_macro_daemon_name=ORIGINATING lines commented out, as we don't need them):

[...]
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
[...]

Restart Postfix afterwards:

/etc/init.d/postfix restart
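
The check below is an added example, not part of the original tutorial: it parses a master.cf file and lists any of the overrides shown above that are not active for the submission and smtps services. This matters because smtpd_tls_security_level=encrypt is what makes STARTTLS mandatory before AUTH on the submission port. The function name master_cf_missing and the sample file are constructed for illustration, and the parser assumes each override is written as "-o name=value" without spaces around the equals sign, as in the listing above.

```bash
#!/bin/bash
# Added example (not from the tutorial): report which of the required
# "-o name=value" overrides are NOT active for submission and smtps.
# Prints one "service: option" line per missing override, nothing if all are set.

master_cf_missing() {
    awk '
        BEGIN {
            need["submission", "smtpd_tls_security_level=encrypt"] = 1
            need["submission", "smtpd_sasl_auth_enable=yes"] = 1
            need["submission", "smtpd_client_restrictions=permit_sasl_authenticated,reject"] = 1
            need["smtps", "smtpd_tls_wrappermode=yes"] = 1
            need["smtps", "smtpd_sasl_auth_enable=yes"] = 1
            need["smtps", "smtpd_client_restrictions=permit_sasl_authenticated,reject"] = 1
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # commented-out or blank line: not active
        /^[^ \t]/ { svc = $1 }              # a line starting in column 1 opens a service
        {                                   # service line or indented continuation
            for (i = 1; i < NF; i++)
                if ($i == "-o") have[svc, $(i + 1)] = 1
        }
        END {
            for (k in need)
                if (!(k in have)) { split(k, p, SUBSEP); print p[1] ": " p[2] }
        }
    ' "$1" | sort
}

# Constructed sample: submission with the TLS override left commented out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
smtp      inet  n       -       -       -       -       smtpd
submission inet n       -       -       -       -       smtpd
#  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps     inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
EOF
master_cf_missing "$sample"
rm -f "$sample"
```

Run it as master_cf_missing /etc/postfix/master.cf after editing; a service whose section is still fully commented out is reported with all three of its overrides missing.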

We want MySQL to listen on all interfaces, not just localhost, therefore we edit /etc/mysql/my.cnf and comment out the line bind-address = 127.0.0.1:

vi /etc/mysql/my.cnf

[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address           = 127.0.0.1
[...]

Then we restart MySQL:

/etc/init.d/mysql restart

Now check that networking is enabled. Run

netstat -tap | grep mysql

The output should look like this:

root@server1:~# netstat -tap | grep mysql
tcp        0      0 *:mysql                 *:*                     LISTEN      10617/mysqld
root@server1:~#
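
An added check, not part of the original tutorial: with bind-address commented out, mysqld accepts connections on every interface, so it is worth confirming from both the configuration and the socket table what is actually exposed. The function names mycnf_bind_address and mysql_listen_scope and the sample lines are constructed for illustration; the netstat parser expects the column layout shown above.

```bash
#!/bin/bash
# Added example (not from the tutorial): where does mysqld listen?

# Print the active bind-address of the [mysqld] section in a my.cnf file,
# or "unset" when none is active (mysqld then listens on all interfaces).
mycnf_bind_address() {
    awk '
        /^[ \t]*\[/ { in_mysqld = ($0 ~ /^[ \t]*\[mysqld\]/); next }
        in_mysqld && /^[ \t]*bind[-_]address[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); addr = $0
        }
        END { print (addr == "" ? "unset" : addr) }
    ' "$1"
}

# Classify `netstat -tap` / `netstat -tan` output read from stdin as
# "all-interfaces", "loopback-only" or "not-listening" for the MySQL port.
mysql_listen_scope() {
    awk '
        $1 ~ /^tcp/ && $6 == "LISTEN" && $4 ~ /:(mysql|3306)$/ {
            host = $4; sub(/:[^:]*$/, "", host)   # strip the port part
            if (host == "127.0.0.1" || host == "localhost" || host == "::1") lo = 1
            else wide = 1
        }
        END { print (wide ? "all-interfaces" : (lo ? "loopback-only" : "not-listening")) }
    '
}

# Constructed sample input mirroring the tutorial's my.cnf and netstat output.
cnf=$(mktemp)
printf '%s\n' '[mysqld]' '#bind-address           = 127.0.0.1' > "$cnf"
mycnf_bind_address "$cnf"
rm -f "$cnf"
echo 'tcp        0      0 *:mysql                 *:*                     LISTEN      10617/mysqld' \
    | mysql_listen_scope
```

On the server itself, use mycnf_bind_address /etc/mysql/my.cnf and netstat -tan | mysql_listen_scope.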

 

11 Install Amavisd-new, SpamAssassin, And Clamav

To install amavisd-new, SpamAssassin, and ClamAV, we run

apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl

The ISPConfig 3 setup uses amavisd which loads the SpamAssassin filter library internally, so we can stop SpamAssassin to free up some RAM:

/etc/init.d/spamassassin stop
update-rc.d -f spamassassin remove

 

12 Install Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear, And mcrypt

Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear, and mcrypt can be installed as follows:

apt-get install apache2 apache2.2-common apache2-doc apache2-mpm-prefork apache2-utils libexpat1 ssl-cert libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-curl php5-mcrypt mcrypt php5-imagick imagemagick libapache2-mod-suphp libruby libapache2-mod-ruby libapache2-mod-python libapache2-mod-perl2

You will see the following questions:

Web server to reconfigure automatically: <-- apache2
Configure database for phpmyadmin with dbconfig-common? <-- No

Then run the following command to enable the Apache modules suexec, rewrite, ssl, actions, and include (plus dav, dav_fs, and auth_digest if you want to use WebDAV):

a2enmod suexec rewrite ssl actions include
a2enmod dav_fs dav auth_digest

Restart Apache afterwards:

/etc/init.d/apache2 restart

 

13 Install PureFTPd And Quota

PureFTPd and quota can be installed with the following command:

apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool

Edit the file /etc/default/pure-ftpd-common...

vi /etc/default/pure-ftpd-common

... and make sure the start mode is set to standalone and set VIRTUALCHROOT=true:

[...]
STANDALONE_OR_INETD=standalone
[...]
VIRTUALCHROOT=true
[...]

Edit the file /etc/inetd.conf to prevent inetd from trying to start ftp:

vi /etc/inetd.conf

If there is a line beginning with ftp stream tcp, comment it out (if there is no such file, that is fine and you don't have to modify /etc/inetd.conf):

[...]
#:STANDARD: These are standard services.
#ftp    stream  tcp     nowait  root    /usr/sbin/tcpd /usr/sbin/pure-ftpd-wrapper
[...]

If you had to modify /etc/inetd.conf, restart inetd now:

/etc/init.d/openbsd-inetd restart

Now we configure PureFTPd to allow FTP and TLS sessions. FTP is a very insecure protocol because all passwords and all data are transferred in clear text. By using TLS, the whole communication can be encrypted, thus making FTP much more secure.

If you want to allow FTP and TLS sessions, run

echo 1 > /etc/pure-ftpd/conf/TLS

In order to use TLS, we must create an SSL certificate. I create it in /etc/ssl/private/, therefore I create that directory first:

mkdir -p /etc/ssl/private/

Afterwards, we can generate the SSL certificate as follows:

openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem

Country Name (2 letter code) [AU]: <-- Enter your Country Name (e.g., "DE").
State or Province Name (full name) [Some-State]: <-- Enter your State or Province Name.
Locality Name (eg, city) []: <-- Enter your City.
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter your Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) []: <-- Enter your Organizational Unit Name (e.g. "IT Department").
Common Name (eg, YOUR name) []: <-- Enter the Fully Qualified Domain Name of the system (e.g. "server1.example.com").
Email Address []: <-- Enter your Email Address.

Change the permissions of the SSL certificate:

chmod 600 /etc/ssl/private/pure-ftpd.pem

Then restart PureFTPd:

/etc/init.d/pure-ftpd-mysql restart

Edit /etc/fstab. Mine looks like this (I added ,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0 to the partition with the mount point /):

vi /etc/fstab

# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
proc            /proc           proc    defaults        0       0
# / was on /dev/sda1 during installation
UUID=92bceda2-5ae4-4e3a-8748-b14da48fb297 /               ext3    errors=remount-ro,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0 0       1
# swap was on /dev/sda5 during installation
UUID=e24b3e9e-095c-4b49-af27-6363a4b7d094 none            swap    sw              0       0
/dev/scd0       /media/cdrom0   udf,iso9660 user,noauto     0       0
/dev/fd0        /media/floppy0  auto    rw,user,noauto  0       0

To enable quota, run these commands:

mount -o remount /

quotacheck -avugm
quotaon -avug

 

14 Install BIND DNS Server

BIND can be installed as follows:

apt-get install bind9 dnsutils

 

15 Install Vlogger, Webalizer, And AWstats

Vlogger, webalizer, and AWstats can be installed as follows:

apt-get install vlogger webalizer awstats geoip-database

Open /etc/cron.d/awstats afterwards...

vi /etc/cron.d/awstats

... and comment out both cron jobs in that file:

#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh
# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh

 

16 Install Jailkit

Jailkit is needed only if you want to chroot SSH users. It can be installed as follows (important: Jailkit must be installed before ISPConfig - it cannot be installed afterwards!):

apt-get install build-essential autoconf automake1.9 libtool flex bison debhelper

cd /tmp
wget http://olivier.sessink.nl/jailkit/jailkit-2.14.tar.gz
tar xvfz jailkit-2.14.tar.gz
cd jailkit-2.14
./debian/rules binary
cd ..
dpkg -i jailkit_2.14-1_*.deb
rm -rf jailkit-2.14*


Submitted by suther (not registered) on Mon, 2013-05-06 20:47.
On my Proxmox VM, I only have one comment in fstab:

# UNCONFIGURED FSTAB FOR BASE SYSTEM

Even if I activate quota for the Proxmox system like this:

vzctl set 101 --quotaugidlimit 100 --save

vzctl restart 101

fstab is still empty. How can I get quotas installed?

Submitted by suther (not registered) on Mon, 2013-05-06 20:02.


Why do you use open ports for MySQL? I only allow it from localhost, or if a user has SSH access, he can tunnel MySQL to a local port.

With gSTM on Linux it's easy like 1 2 3.

 

 

Submitted by Aleksandar (not registered) on Sun, 2013-02-10 19:04.

On my installation phpMyAdmin wasn't accessible via URL, so I used a method similar to the one you explained in the last chapter for adding SquirrelMail to link phpMyAdmin to Apache:

 

cd /etc/apache2/conf.d/
ln -s ../../phpmyadmin/apache.conf phpmyadmin.conf
/etc/init.d/apache2 reload

phpmyadmin.conf was already configured, so I just needed to link it.

Submitted by Anonymous (not registered) on Thu, 2012-12-20 05:56.
(Install on Wheezy/Debian 7)
Also had to install this:
apt-get install dovecot-mysql dovecot-sieve

Otherwise /var/log/mailerr had lines like this:
dovecot: auth: Fatal: Unknown database driver 'mysql'
dovecot: lda: Fatal: Plugin 'sieve' not found from directory /usr/lib/dovecot/modules

Submitted by Anonymous (not registered) on Thu, 2012-12-06 20:03.

In Debian 6;

You'll run into AUTH problems if you uncomment (-o smtpd_tls_security_level=encrypt) if you follow the instructions (force TLS). It should be as follows:

In: /etc/postfix/master.cf

smtp      inet  n       -       -       -       -       smtpd
submission inet n       -       -       -       -       smtpd
#  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
Submitted by Dr. Yves Kreis (not registered) on Sun, 2012-10-28 20:03.
Also check chapter 14 of Ubuntu 12.10 The Perfect Server for additional information regarding Apache & php (especially with ISPConfig 3.0.5 which will be released soon): http://www.howtoforge.com/perfect-server-ubuntu-12.10-apache2-bind-dovecot-ispconfig-3-p4
Submitted by Anonymous (not registered) on Tue, 2012-09-04 15:05.
You may also need to add dovecot-mysql to your apt-get list.
Submitted by Dr. Yves Kreis (not registered) on Mon, 2012-10-15 15:54.
There is no package dovecot-mysql in Debian Squeeze!
Submitted by contrail (not registered) on Thu, 2012-07-26 01:54.

System set up on a VPS. Could not send email. The default setting for inet_interfaces in the config file /etc/postfix/main.cf is loopback-only. In order to use the server as an outgoing email server, set the line to inet_interfaces = all, then restart the server.

 

Submitted by Dr. Yves Kreis (not registered) on Mon, 2012-10-15 15:56.
The default setting on Debian Squeeze is already inet_interfaces = all!
Submitted by bikercho (not registered) on Fri, 2012-05-25 18:28.
To enable quota, run these commands:

touch /aquota.user /aquota.group
chmod 600 /aquota.*

mount -o remount /

Submitted by Dr. Yves Kreis (not registered) on Mon, 2012-10-15 16:07.

This command quotacheck -avugm creates the two files. Thus you do not need to create them on your own...

Submitted by PsiTrax (registered user) on Thu, 2012-04-05 17:05.
I got some warnings while installing Jailkit

insserv: warning: script 'K01jailkit' missing LSB tags and overrides
insserv: warning: script 'jailkit' missing LSB tags and overrides

so I added the init.d-config-comment to /etc/init.d/jailkit
 
### BEGIN INIT INFO
# Provides:          jailkit
# Required-Start:    $syslog
# Required-Stop:     $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: jailkit init
# Description:
#
### END INIT INFO

 
 
Submitted by Imam86 (not registered) on Wed, 2012-08-01 01:51.
07-06-2012: Jailkit 2.15 released

They resolved the issues:

insserv: warning: script 'K01jailkit' missing LSB tags and overrides
insserv: warning: script 'jailkit' missing LSB tags and overrides

So the revision:

cd /tmp
wget http://olivier.sessink.nl/jailkit/jailkit-2.15.tar.gz
tar xvfz jailkit-2.15.tar.gz
cd jailkit-2.15
./debian/rules binary

cd ..
dpkg -i jailkit_2.15-1_*.deb
rm -rf jailkit-2.15*