The Perfect Server - Ubuntu 11.10 [ISPConfig 3] - Page 4

Want to support HowtoForge? Become a subscriber!
 
Submitted by falko (Contact Author) (Forums) on Fri, 2011-10-14 14:20. ::

12 Install Postfix, Courier, Saslauthd, MySQL, rkhunter, binutils

We can install Postfix, Courier, Saslauthd, MySQL, rkhunter, and binutils with a single command:

apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server courier-authdaemon courier-authlib-mysql courier-pop courier-pop-ssl courier-imap courier-imap-ssl libsasl2-2 libsasl2-modules libsasl2-modules-sql sasl2-bin libpam-mysql openssl getmail4 rkhunter binutils maildrop

You will be asked the following questions:

New password for the MySQL "root" user: <-- yourrootsqlpassword
Repeat password for the MySQL "root" user: <-- yourrootsqlpassword
Create directories for web-based administration? <-- No
General type of mail configuration: <-- Internet Site
System mail name: <-- server1.example.com
SSL certificate required <-- Ok

If you find out (later after you have configured your first email account in ISPConfig) that you cannot send emails and get the following error in /var/log/mail.log...

SASL LOGIN authentication failed: no mechanism available

... please go to http://www.howtoforge.com/forums/showpost.php?p=265831&postcount=25 to learn how to resolve the issue.

We want MySQL to listen on all interfaces, not just localhost, therefore we edit /etc/mysql/my.cnf and comment out the line bind-address = 127.0.0.1:

vi /etc/mysql/my.cnf

[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address           = 127.0.0.1
[...]

Then we restart MySQL:

/etc/init.d/mysql restart

Now check that networking is enabled. Run

netstat -tap | grep mysql

The output should look like this:

root@server1:~# netstat -tap | grep mysql
tcp        0      0 *:mysql                 *:*                     LISTEN      22355/mysqld
root@server1:~#

During the installation, the SSL certificates for IMAP-SSL and POP3-SSL are created with the hostname localhost. To change this to the correct hostname (server1.example.com in this tutorial), delete the certificates...

cd /etc/courier
rm -f /etc/courier/imapd.pem
rm -f /etc/courier/pop3d.pem

... and modify the following two files; replace CN=localhost with CN=server1.example.com (you can also modify the other values, if necessary):

vi /etc/courier/imapd.cnf

[...]
CN=server1.example.com
[...]

vi /etc/courier/pop3d.cnf

[...]
CN=server1.example.com
[...]

Then recreate the certificates...

mkimapdcert
mkpop3dcert

... and restart Courier-IMAP-SSL and Courier-POP3-SSL:

/etc/init.d/courier-imap-ssl restart
/etc/init.d/courier-pop-ssl restart

 

13 Install Amavisd-new, SpamAssassin, And Clamav

To install amavisd-new, SpamAssassin, and ClamAV, we run

apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl

The ISPConfig 3 setup uses amavisd which loads the SpamAssassin filter library internally, so we can stop SpamAssassin to free up some RAM:

/etc/init.d/spamassassin stop
update-rc.d -f spamassassin remove

 

14 Install Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear, And mcrypt

Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear, and mcrypt can be installed as follows:

apt-get install apache2 apache2.2-common apache2-doc apache2-mpm-prefork apache2-utils libexpat1 ssl-cert libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick libapache2-mod-suphp libruby libapache2-mod-ruby

You will see the following question:

Web server to reconfigure automatically: <-- apache2
Configure database for phpmyadmin with dbconfig-common? <-- No

Then run the following command to enable the Apache modules suexec, rewrite, ssl, actions, and include (plus dav, dav_fs, and auth_digest if you want to use WebDAV):

a2enmod suexec rewrite ssl actions include

a2enmod dav_fs dav auth_digest

Restart Apache afterwards:

/etc/init.d/apache2 restart

If you want to host Ruby files with the extension .rb on your web sites created through ISPConfig, you must comment out the line application/x-ruby rb in /etc/mime.types:

vi /etc/mime.types

[...]
#application/x-ruby                             rb
[...]

(This is needed only for .rb files; Ruby files with the extension .rbx work out of the box.)

Restart Apache afterwards:

/etc/init.d/apache2 restart

 

15 Install PureFTPd And Quota

PureFTPd and quota can be installed with the following command:

apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool

Edit the file /etc/default/pure-ftpd-common...

vi /etc/default/pure-ftpd-common

... and make sure that the start mode is set to standalone and set VIRTUALCHROOT=true:

[...]
STANDALONE_OR_INETD=standalone
[...]
VIRTUALCHROOT=true
[...]

Now we configure PureFTPd to allow FTP and TLS sessions. FTP is a very insecure protocol because all passwords and all data are transferred in clear text. By using TLS, the whole communication can be encrypted, thus making FTP much more secure.

If you want to allow FTP and TLS sessions, run

echo 1 > /etc/pure-ftpd/conf/TLS

In order to use TLS, we must create an SSL certificate. I create it in /etc/ssl/private/, therefore I create that directory first:

mkdir -p /etc/ssl/private/

Afterwards, we can generate the SSL certificate as follows:

openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem

Country Name (2 letter code) [AU]: <-- Enter your Country Name (e.g., "DE").
State or Province Name (full name) [Some-State]:
<-- Enter your State or Province Name.
Locality Name (eg, city) []:
<-- Enter your City.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
<-- Enter your Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) []:
<-- Enter your Organizational Unit Name (e.g. "IT Department").
Common Name (eg, YOUR name) []:
<-- Enter the Fully Qualified Domain Name of the system (e.g. "server1.example.com").
Email Address []:
<-- Enter your Email Address.

Change the permissions of the SSL certificate:

chmod 600 /etc/ssl/private/pure-ftpd.pem

Then restart PureFTPd:

/etc/init.d/pure-ftpd-mysql restart

Edit /etc/fstab. Mine looks like this (I added ,usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0 to the partition with the mount point /):

vi /etc/fstab

# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
proc            /proc           proc    nodev,noexec,nosuid 0       0
/dev/mapper/server1-root /               ext4    errors=remount-ro,usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0 0       1
# /boot was on /dev/sda1 during installation
UUID=6fbce377-c3d6-4eb3-8299-88797d4ad18d /boot           ext2    defaults        0       2
/dev/mapper/server1-swap_1 none            swap    sw              0       0
/dev/fd0        /media/floppy0  auto    rw,user,noauto,exec,utf8 0       0

To enable quota, run these commands:

mount -o remount /

quotacheck -avugm
quotaon -avug

 

16 Install BIND DNS Server

BIND can be installed as follows:

apt-get install bind9 dnsutils

 

17 Install Vlogger, Webalizer, And AWstats

Vlogger, webalizer, and AWstats can be installed as follows:

apt-get install vlogger webalizer awstats geoip-database

Open /etc/cron.d/awstats afterwards...

vi /etc/cron.d/awstats

... and comment out both cron jobs in that file:

#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh
# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh

 

18 Install Jailkit

Jailkit is needed only if you want to chroot SSH users. It can be installed as follows (important: Jailkit must be installed before ISPConfig - it cannot be installed afterwards!):

apt-get install build-essential autoconf automake1.9 libtool flex bison debhelper

cd /tmp
wget http://olivier.sessink.nl/jailkit/jailkit-2.14.tar.gz
tar xvfz jailkit-2.14.tar.gz
cd jailkit-2.14
./debian/rules binary

If the last command gives you an error like...

x86_64-linux-gnu-gcc -lpthread -o jk_socketd jk_socketd.o jk_lib.o utils.o iniparser.o
jk_socketd.o: In function `main':
/tmp/jailkit-2.14/src/jk_socketd.c:474: undefined reference to `pthread_create'
collect2: ld returned 1 exit status
make[2]: *** [jk_socketd] Error 1
make[2]: Leaving directory `/tmp/jailkit-2.14/src'
make[1]: *** [all] Error 2
make[1]: Leaving directory `/tmp/jailkit-2.14'
make: *** [build-arch-stamp] Error 2
root@server1:/tmp/jailkit-2.14#

... please install gcc-4.4:

apt-get install gcc-4.4

Now take a look at /usr/bin/gcc:

ls -l /usr/bin/gcc*

/usr/bin/gcc should currently be a symlink to /usr/bin/gcc-4.6:

root@server1:/tmp/jailkit-2.14# ls -l /usr/bin/gcc*
lrwxrwxrwx 1 root root      7 2011-08-14 09:16 /usr/bin/gcc -> gcc-4.6
-rwxr-xr-x 1 root root 259232 2011-10-05 23:56 /usr/bin/gcc-4.4
-rwxr-xr-x 1 root root 349120 2011-09-16 16:31 /usr/bin/gcc-4.6
root@server1:/tmp/jailkit-2.14#

We change this now so that /usr/bin/gcc links to /usr/bin/gcc-4.4:

ln -sf /usr/bin/gcc-4.4 /usr/bin/gcc

Now build Jailkit as follows:

make clean
./configure
make
make clean
./debian/rules binary

If the ./debian/rules binary command doesn't give you an error this time, you can now install the Jailkit .deb package as follows:

cd ..
dpkg -i jailkit_2.14-1_*.deb
rm -rf jailkit-2.14*

Finally, we change the /usr/bin/gcc symlink so that it points to /usr/bin/gcc-4.6 again:

ln -sf /usr/bin/gcc-4.6 /usr/bin/gcc


Please do not use the comment function to ask for help! If you need help, please use our forum.
Comments will be published after administrator approval.
Submitted by Anonymous (not registered) on Mon, 2013-04-22 09:54.

this link is not working anymore

 wget http://olivier.sessink.nl/jailkit/jailkit-2.14.tar.gz

Submitted by Fleck (not registered) on Wed, 2012-02-08 14:31.
if you get SASL LOGIN authentication failed: no mechanism available - DO NOT DOWNGRADE PACKAGES, you just need to update config files:

 in /etc/default/saslauthd check those params:
START=yes
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"

notice that -r at the end, must have that, or login will not work using email as username!

 in /etc/postfix/sasl/smtpd.conf you need to change few lines and add one:
pwcheck_method: saslauthd
mech_list: plain login pam
allow_plaintext: true
auxprop_plugin: sql
sql_engine: mysql
sql_hostnames: 127.0.0.1
sql_user: ispconfig
sql_passwd: <removed>
sql_database: dbispconfig
sql_select: select password from mail_user where login = '%u' or login = '%u@%r'  this will allow to use smtp using custom login names (ISPConfig -> System -> Interface Config -> Mail -> checked "Allow custom login name"(using this mode you can't leave blank custom login name blank - looks like ISPConfig bug, but then simply, if you don't whant to use custom login name - enter email address one more time!))

if you don't want to use custom login names - you can use this line:
sql_select: select password from mail_user where login = '%u@%r'

Submitted by cg (not registered) on Fri, 2014-03-21 01:05.

Thxal for that help man!

 I remembered the change of "auxprop_plugin: mysql" to sql only, with the extra parameter "sql_engine"...

The final crack was to to change:

 sql_select: select password from mail_user where login = '%u@'

as it was in my old config files from squeeze to

sql_select: select password from mail_user where login = '%u@%r'.

I updated ISPConfig and Squeeze several times and it worked until the upgrade to wheezy. Whyever it did not happen before. But I can send mails again, so everything is fine - for now.

Again: Thx!

Submitted by Abhijit (not registered) on Fri, 2012-02-03 15:01.

The user quota setup  as described here does not work. When I try the following command

quotaon -avug

it fail complaining that the quota file not found. I tried creating the quota.user and aquota.user in the root dir to satisfy the command without much success.

 

Submitted by Anonymous (not registered) on Tue, 2012-02-07 21:54.

I had the same problem, the errors were referencing inability to find /dev/root. After searching around, I found this page which describes adding a symlink as follows:

 ln -s /dev/xvda /dev/root

Once I did that, the instructions here for quotas worked as expected. However, as noted on that page, the symlink goes away on reboot, so I just added that command to /etc/rc.local and it runs whenever the system reboots and everything works fine.

Submitted by bdab098 (registered user) on Mon, 2011-10-31 16:20.

solution for jailkit and for sasl auth

 1. jailkit

make distclean

 change all -lpthread to  -pthread in configure, src/config.h.in

./configure
make
make clean
./debian/rules binary

 

2. sasl auth - problem with "fatal: no SASL authentication mechanisms"

remove or comment two lines in main.cf

# smtpd_sasl_type = dovecot
# smtpd_sasl_path = private/auth
 

Please, check if it works. For me works.

Submitted by CSsab (registered user) on Thu, 2011-10-27 22:09.

At step 18 to avoid errors compiling jailkit install binutils-gold.

apt-get install build-essential autoconf automake1.9 libtool flex bison debhelper binutils-gold

Regards.

Submitted by oschelde (registered user) on Sun, 2011-10-16 14:08.

Going through this I get a comment like the following when I run a script in /etc/init.d

 Rather than invoking init scripts through /etc/init.d, use the service(8)

utility, e.g. service mysql restart


Since the script you are attempting to invoke has been converted to an

Upstart job, you may also use the stop(8) and then start(8) utilities,

e.g. stop mysql ; start mysql. The restart(8) utility is also available.

mysql stop/waiting