Comments on The Perfect Server - Debian 12 (Bookworm) with Apache, BIND, Dovecot, PureFTPD and ISPConfig 3.2
This tutorial shows how to prepare a Debian 12 server (with Apache2, BIND, Dovecot) to install ISPConfig 3.2. The web hosting control panel ISPConfig 3 allows you to configure the following services through a web browser: Apache web server, Postfix mail server, Dovecot IMAP/POP3 server, MySQL, BIND nameserver, PureFTPd, SpamAssassin, ClamAV, and many more.
47 Comment(s)
Comments
unrar package is not available for Debian 12, replace it with unrar-free.
The unrar package is available on Debian 12:
root@debian12:~# apt install unrar
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
unrar is already the newest version (1:6.2.6-1).
0 upgraded, 0 newly installed, 0 to remove and 3 not upgraded.
thank you, works
Roundcube doesn't work with this setup; error 403 appears. You have to change the directory path in roundcube.conf. Remove "public_html".
$ nano /etc/apache2/conf-available/roundcube.conf
# change "<Directory /var/lib/roundcube/public_html/>" to
<Directory /var/lib/roundcube/>
# reload apache2
$ systemctl reload apache2
Roundcube On debian 10 error 403 | Page 2 | Howtoforge - Linux Howtos and Tutorials
RoundCube on ISPConfig setups is used via port 8081, and it works fine there. The URL is https://server.yourdomain.tld:8081/webmail and this is also set as URL for the webmail button in ISPConfig GUI. You probably tried accessing RoundCube via a global alias, which is not used anymore on recent ISPConfig installations as it might cause security issues and will fail on secured websites.
Thanks. It works!
I have been steadily upgrading my (originally Debian 10 Buster) Server with sudo apt update && sudo apt full-upgrade and it is happily still working 8-)
And add an alias line for the apache /webmail alias and one for /roundcube, you can add the line right at the beginning of the file:
Alias /roundcube /var/lib/roundcube/public_html
Alias /webmail /var/lib/roundcube/public_html
That's not the setup ISPConfig 3.2 is using, ISPConfig provides access to RoundCube on port 8081 and these aliases you added are not used on an ISPConfig system. But you are free of course to make a different custom setup and create any aliases you like, but be aware that the aliases you added will not work on websites secured by the website chroot function in ISPConfig.
Thanks a lot for the tutorial, I've just made a fresh installation on a new server and the process went smoothly. Just one note. To avoid the DEPRECATION warnings about apt-key, repository keys for Rspamd and GoAccess should be added like this:
wget -O - https://rspamd.com/apt-stable/gpg.key |tee /etc/apt/trusted.gpg.d/rspamd.asc
wget -O - https://deb.goaccess.io/gnugpg.key |tee /etc/apt/trusted.gpg.d/goaccess.asc
Regarding the roundcube discussion, I'm used to hosting the webmail on https://mail.domain.com since it seems intuitive and practical (ssl certificate warnings aside). I'll try a couple of things later on but I'd love for ISPConfig to support wildcard certificates for these situations. I'm not really sure why it's more secure to just put roundcube on a different port (8081).
Using subdomains for webmail is fine and basically the same that the port 8081 vhost is doing. You don't even need a wildcard SSL cert for that, just create a website mail.domain.com and install a webmail client of your choice there, you can then add further subdomains to that website for additional domains that you host (up to max. 100 domains), the additional subdomains will get added to the SSL cert of that site automatically. The discussion you referred to is about port 8081 vs. global directory aliases and not about subdomains to access webmail.
In Step 7, the article states to answer no to unix socket authentication. However, when I go to edit the /etc/mysql/debian.cnf file there is a comment/warning at the top that says:
"THIS FILE IS OBSOLETE, STOP USING IT IF POSSIBLE. This file exists only for backward compatability for tools that run '--defaults-file=/etc/mysql/debian.cnf' and have root level access to the local filesystem. With those permissions one can run mariadb directly anyway thanks to unix socket authentication and hence this file is useless. THIS FILE WILL BE REMOVED IN A FUTURE DEBIAN RELEASE."
So, should I re-run mysql_secure_installation and choose Yes for unix socket authentication?
> So, should I re-run mysql_secure_installation and choose Yes for unix socket authentication?
No. You should follow the tutorial if you plan to use this system to install ISPConfig on it.
I also noticed that Roundcube won't work on http://domain.com/webmail address unless you remove public_html/ on /etc/apache2/conf-available/roundcube.conf
Hi... I'm having trouble: Debian 12, installed ok. ISPConfig and its dependencies, everything is perfect https://www.thres.com.br:8080/ ok. http://www.thres.com.br/phpmyadmin/ ok. Normal access to everything, I just don't have access to webmail: www.thres.com.br/webmail www.thres.com.br/roundcube All.... Forbidden You don't have permission to access this resource.
> webmail: www.thres.com.br/webmail www.thres.com.br/roundcube All.... Forbidden You don't have permission to access this resource.
Webmail is installed in the apps vhost on port 8081, and you should use phpmyadmin through apps vhost as well for security reasons, so the URL is:
https://www.thres.com.br:8081/phpmyadmin
https://www.thres.com.br:8081/webmail
The easiest way to access apps on the correct port is using the buttons in ISPConfig for webmail and phpmyadmin access. These point to the right URL automatically.
Hello... Till I tried your suggestion, but only phpmyadmin worked: https://www.thres.com.br:8081/phpmyadmin/ But I can't access Webmail, it still shows, I did it using the button inside ISPConfig: Forbidden You don't have permission to access this resource. https://www.thres.com.br:8081/webmail
Thank you for this (almost) excellent tutorial :) When I try to access phpmyadmin I get a 404 error...How to do ? THANKS
Greetings.
I made the hostname (domain) change
and now the ISPConfig panel gives me a certificate error.
How can I renew the ISPConfig panel certificate (Let's Encrypt),
or do I have to reinstall ISPConfig?
Thank you
Nice, at last Roundcube on Debian 12... But I have some issues.
Point 1 and point 5 are the same lines and article.
Point 4 (hosts): why is the IP 192.168.0.100 and not 127.0.1.1?
Point 7, at master.cf (important), asks to remove the # in front of SMTPS; there isn't any.
And at debian.cf, in the MySQL password (red lines), are there any spaces or marks between the characters?
Point 11, FTPD: do I need to install that? I don't use any FTP anymore (too old).
So then in Point 15, in jail.local, I didn't insert the line with pure ftpd (because of point 11).
And when I'm finished and run an apt-get update && apt-get upgrade I see this line:
N: Ignoring file 'rspamd.list CODENAME=bookworm' in directory '/etc/apt/sources.list.d/' as it has an invalid filename extension
W: GPG error: https://rspamd.com/apt-stable bookworm InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY FFA232EDBF21E25E
E: The repository 'http://rspamd.com/apt-stable bookworm InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: https://deb.goaccess.io bookworm InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 97BD1A0133449C3D
E: The repository 'https://deb.goaccess.io bookworm In Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
And when I'm in the program Roundcube and try to change settings I see SOAP errors.
Is there something I missed, or is there a way to fix this?
And lastly, this is not a negative comment; I'm just trying to get some info and learn something.
And Till, I appreciate your lots of work to do this.
Paul.
Thank you for the notice. I've updated the instructions to fix the missing key issue. I changed the wording regarding smtps, which is now named submissions, the config was fine in this regard already. I recommend you use the real IP of the server in the hosts file and not a localhost alias IP. If you are unsure if there are spaces in a file, just copy & paste the lines. And as mentioned in the tutorial, please always use the auto-installer on Debian 12.
Ok, I'm going to build that and test it.
Thanks...
Last issue: after installing and doing the upgrade, this is showing:
Configuration file '/etc/rspamd/rspamd.conf'
==> Modified (by you or by a script) since installation.
==> Package distributor has shipped an updated version.
What would you like to do about it ? Your options are:
Y or I : install the package maintainer's version
N or O : keep your currently-installed version
D : show the differences between the versions
Z : start a shell to examine the situation
The default action is to keep your current version.
*** rspamd.conf (Y/I/N/O/D/Z) [default=N] ?
Now what .... :-)
Paul.
I selected N and see what happened.
I still have trouble getting things running.
I keep getting the warning that my site is not to be trusted (NET::ERR_CERT_AUTHORITY_INVALID); I can't find where this is coming from.
And I try to get the server listening on mail.domain.com instead of mail.domain.com:8081/webmail
The other thing is, for the Roundcube plugins you have to set https://panel.example.com:8080, but what is panel, how does this work....
Paul.
Please use the forum if you like to get help with your config problem: https://forum.howtoforge.com/#ispconfig-3.23
Installation on an external Debian 12 minimal server.
In chapter 11 the following difficulty arises - how can I solve this:
root@test:~# systemctl daemon-reload
root@test:~# quotacheck -avugm
quotacheck: Your kernel probably supports ext4 quota feature but you are using external quota files. Please switch your filesystem to use ext4 quota feature as external quota files on ext4 are deprecated.
quotacheck: Check /dev/vda3 [/] done
quotacheck: Cannot stat old user quota file //quota.user: File or directory not found. Usage will not be subtracted.
quotacheck: Cannot stat old group quota file //quota.group: File or directory not found. Usage will not be subtracted.
quotacheck: Cannot stat old user quota file //quota.user: File or directory not found. Usage will not be subtracted.
quotacheck: Cannot stat old group quota file //quota.group: File or directory not found. Usage will not be subtracted.
quotacheck: 6621 directories and 53315 files checked.
quotacheck: Old file not found.
quotacheck: Old file not found.
Thanks for the great work!
The post above (2023-10-23 16:27:10) is not relevant - ignore. Everything works fine.
Hello,
Did I read this correctly? Ispconfig now runs on php8.2?
Yes, since we added support for Debian 12.
asked to install cron. apt-get install cron
Hi, finished a fresh install, but can't access phpmyadmin. Apt reconfigure, noted all steps in the different blue screens, but phpmyadmin refuses to let me in. Added this in config.inc.php:
-------
if (!empty($dbport) || $dbserver != 'localhost') {
$cfg['Servers'][$i]['connect_type'] = 'tcp';
$cfg['Servers'][$i]['port'] = $dbport;
}
/* by custom tries */
$cfg['Servers'][$i]['user'] = 'phpmyadmin';
$cfg['Servers'][$i]['password'] = 'mypassword';
}
----------
But still kicked me out.
Thanks, Till! Is Amavisd enabled on this server tutorial? From the ISPconfig control panel, I've changed the content filter for the email from Rspamd to Amavisd, and my email stopped working!
Amavis is no longer used in ISPConfig; it has been replaced by the better, faster, and less resource-intensive alternative Rspamd. The Spamfilter used on all recent installations is Rspamd; the Amavis option exists just for old legacy systems and is not used on Debian 12. So take care to switch Spamfilter back to Rspamd in ISPConfig.
You are the best! Thanks, Till.
Greetings.
Is it possible to close user authentication through port 25?
I receive too many daily authentication attacks on port 25.
Use port 25 only for MTA.
If anyone can help me I would appreciate it.
Thank you
I followed every step, webmail is working but when trying to access phpmyadmin through https://ip:8081/phpmyadmin/
I'm getting :
Not Found
The requested URL was not found on this server.
Any idea what to do there ?
Got the following error from the rspamd repository after a fresh install.
- The repository 'http://rspamd.com/apt-stable lsb_release Release' does not have a Release file.
I did what "https://github.com/rspamd/rspamd.com/issues/495" advised to do and it seems to work.
Any problem I'm not currently seeing in doing so?
What I did (copy/paste):
sudo apt-get install -y lsb-release wget # optional
CODENAME=`lsb_release -c -s`
sudo mkdir -p /etc/apt/keyrings
wget -O- https://rspamd.com/apt-stable/gpg.key | gpg --dearmor | sudo tee /etc/apt/keyrings/rspamd.gpg > /dev/null
echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/rspamd.gpg] http://rspamd.com/apt-stable/ $CODENAME main" | sudo tee /etc/apt/sources.list.d/rspamd.list
echo "deb-src [arch=amd64 signed-by=/etc/apt/keyrings/rspamd.gpg] http://rspamd.com/apt-stable/ $CODENAME main" | sudo tee -a /etc/apt/sources.list.d/rspamd.list
sudo apt-get update
sudo apt-get --no-install-recommends install rspamd
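The apt messages quoted in this thread ("invalid filename extension", NO_PUBKEY) come down to what sits in /etc/apt/sources.list.d and whether each entry is tied to a usable keyring. The following check is an added example, not part of any comment or of the tutorial; `audit_apt_sources` and `make_sample` are hypothetical helper names, and the sample directory (including the `main` component for GoAccess and the example.invalid entry) is constructed.

```shell
# Added example: audit an APT sources directory, one finding per line.
#   BADNAME    file name apt ignores ("invalid filename extension")
#   NOSIGNEDBY deb/deb-src line not pinned to a keyring with signed-by=
#   BADKEY     signed-by keyring is missing or empty, so nothing can verify
audit_apt_sources() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        case $name in
            *.list) ;;
            *.sources) continue ;;          # deb822 files are not parsed here
            *) echo "BADNAME $name"; continue ;;
        esac
        n=0
        while IFS= read -r line || [ -n "$line" ]; do
            n=$((n + 1))
            case $line in
                "deb "*|"deb-src "*) ;;
                *) continue ;;              # comments and blank lines
            esac
            case $line in
                *signed-by=*) ;;
                *) echo "NOSIGNEDBY $name:$n"; continue ;;
            esac
            key=${line#*signed-by=}         # text after signed-by=
            key=${key%%]*}; key=${key%% *}; key=${key%%,*}
            [ -s "$key" ] || echo "BADKEY $name:$n $key"
        done < "$f"
    done
    return 0
}

# Constructed sample directory reproducing the cases from the comments.
make_sample() {
    d=$1; s=$d/sources.list.d; mkdir -p "$d/keyrings" "$s"
    echo "constructed-key-bytes" > "$d/keyrings/rspamd.gpg"
    : > "$d/keyrings/empty.gpg"             # e.g. a failed download piped to tee
    echo "deb [arch=amd64 signed-by=$d/keyrings/rspamd.gpg] http://rspamd.com/apt-stable/ bookworm main" > "$s/rspamd.list"
    echo "deb https://deb.goaccess.io bookworm main" > "$s/goaccess.list"
    echo "deb [signed-by=$d/keyrings/empty.gpg] https://example.invalid/apt bookworm main" > "$s/empty.list"
    echo "deb http://rspamd.com/apt-stable/ bookworm main" > "$s/rspamd.list CODENAME=bookworm"
}

tmp=$(mktemp -d); make_sample "$tmp"; audit_apt_sources "$tmp/sources.list.d"; rm -rf "$tmp"
```

On a real system, call `audit_apt_sources /etc/apt/sources.list.d` after adding a repository and before `apt-get update`.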
Hi everyone!
I need your help. I followed all the instructions, no errors occurred, and the installation went smoothly. However, I still can't get SSL encryption to work! The site always returns this message on the https:// "ERR_SSL_PROTOCOL_ERROR".
Please post in the support forum to get help with your issue. Here is the checklist to narrow down what the reason for LE refusing to issue a certificate is: https://forum.howtoforge.com/forums/general.25/
10 Install Let's Encrypt
easier,
/root/.acme.sh/acme.sh --set-default-ca --server letsencrypt
I couldn't get phpmyadmin to authenticate with mysql, it was always "Access denied for user 'root'@'localhost' (using password: YES)"
The solution was to enter the password in /etc/mysql/debian.cnf WITHOUT QUOTES,
then it went smoothly:
~# dpkg-reconfigure phpmyadmin
Determining localhost credentials from /etc/mysql/debian.cnf: succeeded.
Determining localhost credentials from /etc/mysql/debian.cnf: succeeded.
dbconfig-common: writing config to /etc/dbconfig-common/phpmyadmin.conf
checking privileges on database phpmyadmin for root@localhost: user creation needed.
granting access to database phpmyadmin for root@localhost: success....
Hi
I have used these tutorials and the resulting servers for many years, and this is the first time I get this error.
When installing Apache and all the other packages I get an error that the processor doesn't support hyperscan and I have to choose to install or not.
I tried not, and it errors on libhyperscan5.
Will it still work if I choose yes and install the package?
Hyperscan is not used by ISPConfig and not installed or used by this tutorial. Take care to start with a fresh and empty system. Also, better use the auto-installer, as mentioned at the beginning:
https://www.howtoforge.com/ispconfig-autoinstall-debian-ubuntu/
a2enmod proxy_fcgi setenvif
a2enconf php8.2-fpm
returns command not found :-(
These commands are there when you follow the tutorial step-by-step. You might want to start with a fresh system and use the auto-installer: https://www.howtoforge.com/ispconfig-autoinstall-debian-ubuntu/
I have imported the OVA in VMware. What is the default user for Roundcube? I have tried user: [email protected] password: howtoforge but it doesn't work.
Roundcube is an email client; it has no default user. You log in to RoundCube with your email address and mailbox password.