The Perfect Setup - Debian Sarge (3.1)

Submitted by falko on Wed, 2005-03-30 20:14. :: Debian | ISPConfig

This is a "copy & paste" HowTo! The easiest way to follow this tutorial is to use a command line client/SSH client (like PuTTY for Windows) and simply copy and paste the commands (except where you have to provide your own information like IP addresses, hostnames, passwords, ...). This helps to avoid typos.

Version 1.9
Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited 12/01/2006

This is a detailed description of the steps to take to set up a Debian based server (Debian Sarge alias Debian 3.1) that offers all services needed by ISPs and hosters (web server (SSL-capable), mail server (with SMTP-AUTH and TLS!), DNS server, FTP server, MySQL server, POP3/POP3s/IMAP/IMAPs, Quota, Firewall, etc.).

I will use the following software:

  • Web Server: Apache 2.0.x
  • Mail Server: Postfix (easier to configure than sendmail; has a shorter history of security holes than sendmail)
  • DNS Server: BIND9
  • FTP Server: proftpd
  • POP3/POP3s/IMAP/IMAPs: in this example you can choose between the traditional UNIX mailbox format (we then use ipopd/uw-imapd) or the Maildir format (in this case we will use Courier-POP3/Courier-IMAP).
  • Webalizer for web site statistics

In the end you should have a system that works reliably and is ready for the free webhosting control panel ISPConfig (i.e., ISPConfig runs on it out of the box).

I want to say first that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!

Requirements

To install such a system you will need the following:

1 The Base System

Insert your Sarge Netinstall CD into your system and boot from it (enter linux26 at the boot prompt to install a 2.6 kernel). The installation starts, and first you have to choose your language:

Select your country:

Choose a keyboard layout:

The hardware detection starts:

Enter the hostname. In this example, my system is called server1.example.com, so I enter server1:

Enter your domain name. In this example, this is example.com:

Now you have to partition your hard disk. I will create one big partition (with the mount point /) and a little swap partition:


Submitted by Anonymous (not registered) on Thu, 2006-06-08 22:22.
They have a newer release of this download, and the link up there no longer works. Here's an updated link: http://ftp.de.debian.org/debian-cd/3.1_r2/i386/iso-cd/debian-31r2-i386-netinst.iso .... I'm currently downloading it and following this guide, thank you
Submitted by Anonymous (not registered) on Thu, 2006-06-08 21:13.

Sorry for a stupid question, but what's the address to the mail servers after this install?

Thanks for the guide

tomas

Submitted by Anonymous (not registered) on Sat, 2006-03-18 02:07.

My first debian server setup and all went fantastically well.

Thank you

Submitted by Anonymous (not registered) on Wed, 2006-02-22 23:40.
Don't put a general purpose Web server in one big partition! Consider disaster recovery. If you get rooted, you might want to replace root and /usr but leave /var. To avoid getting rooted, you might want to mount noexec any directory Apache can write in. Make a partition for /tmp, /var/tmp, Squirrel Mail's data, Mambo's data, /var/log/apache, etc.

Over time your users will install badly written PHP applications and they will get exploited by worms and script kiddies. The exploits will write spam-mailers and attack programs in /tmp but they won't run. It won't stop a determined attacker, but the kiddies will move on to lower-hanging fruit.
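
The mount-option advice in the comment above can be audited mechanically. The following is an added example, not part of the comment or of the HowTo: it reads an fstab-format file and reports, for each directory, which mount point covers it and whether that mount carries noexec. The function names, the partition layout and the sample fstab are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which directories sit on a filesystem without noexec.
# Input is an fstab-format file (device, mount point, type, options, ...).

# Constructed sample fstab: /tmp and /var/log/apache have their own noexec
# partitions, /var/tmp does not and therefore inherits the options of /var.
sample_fstab() {
    cat <<'EOF'
# <file system> <mount point>    <type> <options>                     <dump> <pass>
proc            /proc            proc   defaults                      0 0
/dev/hda1       /                ext3   defaults,errors=remount-ro    0 1
/dev/hda5       none             swap   sw                            0 0
/dev/hda6       /tmp             ext3   defaults,noexec,nosuid,nodev  0 2
/dev/hda7       /var             ext3   defaults                      0 2
/dev/hda8       /var/log/apache  ext3   defaults,noexec,nosuid        0 2
EOF
}

# check_noexec FSTAB DIR...
# Prints "<dir> <covering mount point> ok|MISSING" for each DIR and returns
# 0 only if every DIR is covered by a mount that carries noexec.
check_noexec() {
    fstab=$1; shift
    rc=0
    for dir in "$@"; do
        line=$(awk -v d="$dir" '
            NF < 4 || $1 ~ /^#/ || $2 !~ /^\// { next }  # blanks, comments, swap
            {
                mp = $2
                # A mount covers d if it is "/", d itself, or a parent path of d.
                if (mp == "/" || d == mp || index(d, mp "/") == 1)
                    if (length(mp) > best) { best = length(mp); bmp = mp; bopt = $4 }
            }
            END {
                st = "MISSING"
                n = split(bopt, o, ",")
                for (i = 1; i <= n; i++) if (o[i] == "noexec") st = "ok"
                print d, (bmp == "" ? "-" : bmp), st
            }' "$fstab")
        echo "$line"
        case $line in *" ok") ;; *) rc=1 ;; esac
    done
    return $rc
}

# Directories named in the comment above, checked against the sample.
tmp=$(mktemp)
sample_fstab > "$tmp"
check_noexec "$tmp" /tmp /var/tmp /var/log/apache || echo "not all directories are noexec"
rm -f "$tmp"
```

Pointing the function at /etc/fstab checks the configured options; /proc/mounts uses the same first four fields and shows the options currently in effect.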

Submitted by Anonymous (not registered) on Sat, 2006-01-07 22:51.

Should not be:

update-rc.d -f exim4 remove

just instead of

update-rc.d -f exim remove ?

-----------------

Nice HowTo anyway!

zBit

Submitted by Anonymous (not registered) on Mon, 2006-02-13 02:19.
Thanks for the tutorial. I installed ispconfig after. Everything went perfect.
Submitted by Anonymous (not registered) on Fri, 2005-11-18 20:28.
I have installed Debian Sarge 3.1 per this howto. I want to use Frontpage Extensions on my ISPConfig server. I see that ISPConfig only supports Frontpage with Apache 1.3. This howto uses Apache2. I was able to install Frontpage on the system for Apache2, but I don't know if ISPConfig will be able to use the extensions.
Submitted by Anonymous (not registered) on Mon, 2005-11-14 10:04.

Harddisks are written to from outside to the inside, that is why they are faster on the first sectors than they are on the last sectors (~30%).

So I always put my swap partitions at the start of the harddisks (if I have multiple disks one swap partition at the start of each).

Nagium.

Submitted by Anonymous (not registered) on Sun, 2005-10-23 09:36.

AFAIK, default Debian behaviour is to also install recommended packages after (apt-get install ...). Is it necessary to also install these packages, or the ones that were mentioned here are enough?

The reason why I'm asking is because I am trying to make a minimum install of Debian 3.1

Submitted by Anonymous (not registered) on Sun, 2006-03-26 23:02.
No, per default Debian (sarge) does not install recommended packages. Only the must-dependencies are installed per default. For a minimum install, you could try downloading the netinst-cd-image from www.debian.org

Greez, Tino
Submitted by Anonymous (not registered) on Sat, 2006-03-04 04:16.

Here is a "production" server debian on a P1 -133 MHz-

full ram 188 mb, dhcp, dns, apache, ftp, nis ...

but not really optimized for minimal packages.

~#df -h
Filesystem Size Used Avail Use% Mounted on
/dev/hda1 897M 658M 192M 78% /
tmpfs 94M 0 94M 0% /dev/shm

~#uptime
04:30:51 up 45 days, 9:12, 1 user, load average: 0.00, 0.00, 0.00

btw install "localepurge" for free disk(s).

Nice HowTo. Thanks

Submitted by admin (registered user) on Sun, 2005-10-23 12:29.
No, Debian doesn't install recommended packages by default, only necessary packages. So if you want to have a minimum installation, don't install the recommended packages.
Submitted by Anonymous (not registered) on Mon, 2005-10-10 03:10.
Noticed there's no firewall setup in this tutorial. You should have included an iptables setup, otherwise the server will be wide open to attack.
Submitted by admin (registered user) on Mon, 2005-10-10 08:21.
That's not correct. The Howto prepares the system for the installation of ISPConfig and ISPConfig comes with the Bastille Firewall scripts that do the IPTables setup for you.
Submitted by Anonymous on Sun, 2005-09-11 18:05.

Thank you for your help so far.

Here is the exact message after typing in /etc/network/interfaces

-bash: /etc/netwok/interfaces: Permission denied

Submitted by Anonymous on Wed, 2005-09-14 19:52.

replace to root:

su -

pass

don

Submitted by Anonymous on Sun, 2005-09-11 14:07.

I am following your tutorial exactly except instead of using test server1 just using the suggested defaults.

When I try to edit the /etc/network/interfaces I get a response of permission denied. Any help is appreciated.

Thanks,

David

Submitted by Anonymous (not registered) on Wed, 2009-06-24 22:02.
You are editing the file as a standard user. You need to be user root. Try to run the command su and then your command.
Submitted by Anonymous on Sun, 2005-09-11 18:39.

Please use the forums to get this solved:

http://www.howtoforge.com/forums

Submitted by Anonymous on Sun, 2005-09-11 15:48.
Are you sure you are logged in as root? The root user is able to edit every file.
Submitted by Anonymous on Sun, 2005-09-11 17:07.
Going to reload Debian again. Also am using the tutorial from http://www.aboutdebian.com/linux.htm with yours and seems things both ways are acting up. I like this layout better however if you could email me or message me if you have jabber, icq or any messenger program or just email dranieri@suscom.net this would be great. Myself and my wife "secretary" does everything is trying with me to learn this and get certified since I am really beginning to hate Microsoft's greed. Trust us we are Microsoft partners but with no linux as an alternative it is hurting our business.
Submitted by Anonymous on Sun, 2005-09-11 17:00.
Yes I am positive we are logged in as root. when running command whoami it comes back with root. We have our own domain name registered and hosted with another hosting service and just want to put our company website on this machine here at the office to learn.
Submitted by Anonymous on Sun, 2005-09-18 04:28.

You need to edit the file.

say something like

vi /etc/network/interfaces

Submitted by Anonymous on Fri, 2005-09-09 18:42.

Hello all

I have a problem.
When I am running mysql it writes the error: can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)'

chack that mysqld is running and that the socket: '/var/run/mysqld/mysqld.sock' exists!

How can I fix this?

don

Submitted by Anonymous (not registered) on Sun, 2006-04-30 09:15.

I had the same problem a few days ago after crashing an Alternc installation. The solution is to check your logs under /var/log/syslog to see that there is no write access to temp folder /tmp. Just do a "chmod 777 /tmp" and restart mysql "/etc/init.d/mysql restart".

But with such kind of an error I guess you have a big trouble on your server, think for a complete reinstallation...

Submitted by Anonymous on Fri, 2005-09-02 11:54.

Hi!

My name is Andrew. I have lived in Hungary and I want to tell you that many people are using Debian Linux in Hungary. I am working at a bank as IT system programmer.

I have never seen such an exact and good tutorial as yours. Thank you for helping and congratulations!

Submitted by Anonymous on Wed, 2005-08-31 12:28.
My first time and success... Thank you, thank you, thank you..... good work
Submitted by Anonymous on Sun, 2005-08-28 22:04.

When doing apt-get for this part I get the following error, any idea?

Setting up ipopd (2002edebian1-11) ...
/var/lib/dpkg/info/ipopd.postinst: line 75: /dev/stderr: Permission denied
dpkg: error processing ipopd (--configure):
subprocess post-installation script returned error exit status 1
dpkg: dependency problems prevent configuration of ipopd-ssl:
ipopd-ssl depends on ipopd (>= 4:2002.rc7debian); however:
Package ipopd is not configured yet.
dpkg: error processing ipopd-ssl (--configure):
dependency problems - leaving unconfigured
Errors were encountered while processing:
ipopd
ipopd-ssl
E: Sub-process /usr/bin/dpkg returned an error code (1)

Thank you

Submitted by Anonymous on Sun, 2005-08-28 22:13.
Changing the /dev/stderr in line 75 of /dev/stderr to &2

fixed the problem.

Hope it might help anyone else.

Submitted by Anonymous on Mon, 2005-08-22 23:20.

While ISPConfig has the potential to be a decent remote management tool, it suffers horribly from mangling Bind9 zone files. MAKE SURE you run named-checkconf and named-checkzone BEFORE using its Bind configuration, as the zone files are horribly mangled (who puts blank lines in their zone files? Bind and its documentation strictly forbid it).

Submitted by Anonymous on Mon, 2005-08-22 20:26.

Also be forewarned, if you are using NIS authentication, you will have to manually edit /etc/passwd and /etc/group because ISPConfig does not handle this properly.

Submitted by Anonymous on Mon, 2005-08-22 16:45.

Obviously the issues of quota formats 1 and 2 were sidestepped, that can be tricky (depends mostly on your kernel version).... And the issue of XFS and quotas.

WARNING: If XFS is the filesystem you enable quotas for, the above simply will not work in sarge-3.1 with a 2.6.n kernel. Although I still have no idea what does work, I am still researching this issue.

Submitted by Anonymous on Mon, 2005-08-22 02:31.

Good idea to create something like this for the average user.

It should be noted however that ISPConfig 2.0.7 does not correctly identify the Etch testing branch (Etch is the testing and unstable branches after Sarge stable was released).

Submitted by Anonymous on Mon, 2005-08-01 04:20.
Great, great, great how-to. For non-guru Debian users, a lot more how-to's like this are needed and welcome. I'm guessing and hoping now that Sarge is in stable, we're going to see a lot more of these how-to's.

I'm going to give this how-to a shot, and if it works well, I'll be sending the author a token of my appreciation. I have apache running, but gave up on bind and a mail server.

All I need now is a how-to this simple that shows how to configure OpenLDAP. Yast was a great gui tool for configuring servers and by copying the original config files prior to altering them with Yast, then comparing the original with the Yast modified config files, one could learn exactly how to configure servers manually. Too bad that a fully functioning Yast isn't yet available on Debian, although I'm aware of efforts on porting Yast to Debian now that it has been GPL'd. If the author or someone else could make configuring OpenLDAP as easy as this how-to, then life would really be complete.

Question: If Exim exists on an apache server, but is used only for internal mail delivery (notices, error messages to root, etc.), and then Postfix is installed and Exim removed, will the error messages and notices and other internal mail continue to be delivered? I seem to remember a few years back when I removed the default mail server (possibly Exim) and installed Postfix in its place, I remember it fouling up local mail delivery (error messages, notices, cron messages, etc.). Are there any precautions to take when removing the existing mail server to replace it with Postfix?
Submitted by Anonymous on Thu, 2005-07-28 06:41.
I am new to this whole thing, but I followed this tutorial to set up a server, and the installation of ISPConfig was doing just fine until the very end when it checks to see if all the packages are installed. I get the following error -- can anyone help? "ERROR: The syntax of your httpd.conf is not ok! Please correct the error. The installation routine stops here!" If anyone can help, I'd very much appreciate it. Much obliged.
Submitted by Anonymous on Thu, 2005-05-12 11:12.
I have added the line in /etc/apt/sources.list. But I can't install

apt-get install libapache2-mod-php4 libapache2-mod-perl2 php4 php4-cli php4-common php4-curl php4-dev php4-domxml php4-gd php4-imap php4-ldap php4-mcal php4-mhash php4-mysql php4-odbc php4-pear php4-xslt curl libwww-perl imagemagick

I get this error:

mainframe:/etc/postfix/ssl# apt-get install libapache2-mod-php4 libapache2-mod-perl2 php4 php4-cli php4-common php4-curl php4-dev php4-domxml php4-gd php4-imap php4-ldap php4-mcal php4-mhash php4-mysql php4-odbc php4-pear php4-xslt curl libwww-perl imagemagick
Reading Package Lists... Done
Building Dependency Tree... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.

The following information may help to resolve the situation:

The following packages have unmet dependencies:
libapache2-mod-php4: Depends: php4-common (= 4:4.3.10-13) but 4:4.3.11-0.dotdeb.0 is to be installed
php4-imap: Depends: libc-client-ssl2001 but it is not installable
E: Broken packages
mainframe:/etc/postfix/ssl#

What do I need to do?
Submitted by Anonymous on Fri, 2005-05-13 11:11.

Remove the dotdeb line from /etc/apt/sources.list, run "apt-get update" and try installing again.

Falko

Submitted by Anonymous on Thu, 2005-05-05 10:46.

There's no need for creating a dev/log socket in the bind9 chroot environment and modifying sysklogd to listen on that too.

bind9 opens /dev/log (the one outside the chroot) before calling chroot(2) => Logging still works over that socket from the chroot environment.
See http://cryptio.net/~ferlatte/blog/2004/10/01/#syslog_and_chroot for more info.

That site also has a nice chroot implementation for bind9 on debian: http://cryptio.net/~ferlatte/blog/config/

Submitted by Anonymous on Thu, 2005-05-05 09:11.

"In order to install Postfix with SMTP-AUTH and TLS as well as a POP3 server that also does POP3s (port 995) and an IMAP server that is also capable of IMAPs (port 993) do the following steps:

apt-get install postfix postfix-tls sasl-bin libsasl-modules-plain libsasl2 sasl2-bin libsasl2-modules ipopd-ssl uw-imapd-ssl"

When I'm doing this I get:

# apt-get install postfix postfix-tls sasl-bin libsasl-modules-plain libsasl2 sasl2-bin libsasl2-modules ipopd-ssl uw-imapd-ssl
Reading Package Lists... Done
Building Dependency Tree... Done
E: Couldn't find package sasl-bin

Any ideas anyone

Submitted by Anonymous on Thu, 2005-05-05 17:03.

Maybe the package names have changed due to the upcoming final release of Debian Sarge.

Run

apt-cache search sasl

to find all packages related to SASL, and install them.

Submitted by Anonymous on Mon, 2005-08-08 13:06.
With sarge 3.1, you have to

apt-get install sasl2-bin

greetings lasseboo
Submitted by Anonymous on Tue, 2005-05-03 16:07.
I recommend rewriting this article to address the issues other users have commented on. You should also make a plaintext authenticated smarthost example for properly relaying mail to an ISP's server. I know a lot of people, including myself, that have found it exhausting to find a howto as good as yours, but it lacks that crucial part which I need. Thank you.
Submitted by Anonymous on Tue, 2005-05-03 12:16.
IMHO ntpdate from ntp package is better than rdate for time sync...
Submitted by Anonymous on Tue, 2005-05-03 09:18.

Nice article. A few things:

  1. You need to fix some permissions. Root is world readable by default, so are users home dirs.
  2. (also mentioned above) Why the packages from debdot?
  3. I don't think Sarge comes with SSH installed by default
  4. ProFTPD? Euck. vsftpd is safer for (the most) cases which don't need the extra functionality.
  5. Your postfix config is a little lax on hostnames (do they exist, etc)
Submitted by Anonymous on Wed, 2005-05-04 10:32.
AFAIK, vsftpd lets you create only one anonymous account per server instead of one per IP address (as ProFTPd does). That's a little drawback.
Submitted by Anonymous on Fri, 2005-04-29 16:01.

In addition to your howto very nice, but why use apache2 from debdot and not the debian mirrors.

Debian Sarge 3.1 ( testing ) includes apache2

Same for the install HTML::Parser ( apt-get install libhtml-parser-perl )
and the others..

Submitted by Anonymous on Wed, 2005-05-18 19:34.

I'm getting dependency errors for postfix-tls.
postfix-tls: Depends: postfix (= 2.1.5-9)

However, I have postfix 2.2.3-2

Submitted by Anonymous on Fri, 2005-07-29 11:22.
Because Postfix 2.2.x includes TLS support and you don't need the postfix-tls package.
Submitted by Anonymous (not registered) on Wed, 2005-11-09 03:01.

Experts,

Please pardon my ignorance. But what is an ISP Server (ISPConfig)?

I am trying to set up a Linux server (Debian) at my home so that I can host web pages (web site), mail server, etc.

So do I need to set up according to the ISP server docs?

Please help me out!

thanks

Submitted by admin (registered user) on Wed, 2005-11-09 11:26.

It's a server for hosting web sites, handling email, FTP, ...

Seems to be what you're looking for. :-)