2 essential add-ons for ISPConfig3

Discussion in 'Tips/Tricks/Mods' started by manarak, Jun 5, 2012.

  1. manarak

    manarak Member

    After the installation of an OS, for example Debian, following one of the excellent "perfect servers" how-tos and then installing ISPConfig3, there are a few more things I consider to be essential:

    - install Mod_Security.
    This can be skipped if you use only software that is guaranteed to be secure.
    Mod_Security needs some work for fine-tuning, but if you run a hosting environment for clients or if you use open-source software, Mod_Security might save you more than just a couple bucks...

    - install the PEAR mail package
    Most if not almost all software packages involving mailing to users make use of the PHP mail()/sendmail function.
    The problem with this is that regardless of all your efforts using SPF and setting PTRs, your mail will be stopped by spam filters of all major email providers because it was not sent using SMTP auth.
    PEAR provides a simple way for sending mail using SMTP auth, so you increase your website's reach.
  2. manarak

    manarak Member

  3. sjau

    sjau Local Meanie Moderator

    Test port 587 which is the mail submission port. That would be better than 465.
  4. manarak

    manarak Member

    My experience is that the email ports are configured in many different ways depending on the provider.

    For example, at Google:

    587 is the Outgoing server (SMTP) port for IMAP. It uses a TLS
    encryption connection.

    465 is the Outgoing server (SMTP) port for POP. It uses an SSL
    encryption connection.
  5. manarak

    manarak Member

    Another (potentially) essential config tweak:

    If you are running high-traffic sites, and especially if they sit on a cloud Vserver, which usually has limited storage and limited I/O bandwidth, you want to disable the Apache access log:


    Just use Google Analytics or another stats provider for stats. They are better anyway - and won't clog your server with 30+ gigs of logs, hello backup storage!
    Last edited: Jul 21, 2012
  6. sjau

    sjau Local Meanie Moderator

    SMTP and IMAP are not related.

    SMTP is to send email between servers.

    IMAP is a way to access stored email on a server by some client.

    And port 587 is still the email submission port ;)
  7. manarak

    manarak Member

    Yeah, go tell all the mail services about that, they will continue to do what they want anyway ;-)

    I will add another essential tweak to this list:
    To avoid some funny issues with character encoding in MySQL, configure UTF-8 as the default character set for MySQL.

    In my.cnf:

  8. manarak

    manarak Member

    Last edited: Aug 13, 2012
  9. manarak

    manarak Member

    More of a trick than an essential add-on:

    Being able to display (and switch between) sites that have been set up on the server as the default when browsing to the server's IP or FQH is useful, for example, when developing a site while the DNS has not yet been set to point there, or to host stuff without using a domain name.

    To achieve this, do:

    in /etc/apache2/sites-enabled
    rename 000-default (or similar) to something like _000-default
    then *copy* the file with the domain you want to appear as default into 000-default (same file name as was renamed above)
    restart apache.

    to switch to another default site, just copy another domain file to 000-default

    to switch back to default behavior, copy back _000-default to 000-default
    (and restart apache after every change)

    I wish this could be done easily through ISPConfig
    Last edited: Aug 14, 2012
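
The default-site switch described in post 9, as an added shell example that is not part of the original thread. SITES_DIR, APACHE_RESTART and the function names are assumptions; the stock default is parked in _000-default only on the first switch, and the new default is written to a temporary file and renamed so a symlinked 000-default is never written through.

```shell
#!/bin/sh
# Added example: SITES_DIR, APACHE_RESTART and the function names are assumptions.
SITES_DIR="${SITES_DIR:-/etc/apache2/sites-enabled}"
APACHE_RESTART="${APACHE_RESTART:-service apache2 restart}"

# Reject empty names, path separators and the two reserved file names,
# so the copy can only read a vhost file inside SITES_DIR.
valid_site_name() {
    case "$1" in
        ''|*/*|000-default|_000-default) return 1 ;;
    esac
    [ -f "$SITES_DIR/$1" ]
}

# Replace 000-default by rename, so an existing symlink is swapped out
# instead of having its target overwritten.
install_default() {
    cp "$1" "$SITES_DIR/000-default.tmp" || return 1
    mv -f "$SITES_DIR/000-default.tmp" "$SITES_DIR/000-default"
}

# set_default_site <vhost-file>: make that site answer on the bare IP.
set_default_site() {
    valid_site_name "$1" || { echo "not a vhost file: $1" >&2; return 1; }
    def="$SITES_DIR/000-default"
    bak="$SITES_DIR/_000-default"
    # Park the stock default only once; later switches must not replace
    # the backup with a copy of some site.
    if [ ! -e "$bak" ]; then
        [ -e "$def" ] || { echo "missing $def" >&2; return 1; }
        mv "$def" "$bak" || return 1
    fi
    install_default "$SITES_DIR/$1" || return 1
    $APACHE_RESTART
}

# restore_default_site: copy the parked stock default back.
restore_default_site() {
    bak="$SITES_DIR/_000-default"
    [ -f "$bak" ] || { echo "no backup at $bak" >&2; return 1; }
    install_default "$bak" || return 1
    $APACHE_RESTART
}

# Usage (as root):
#   set_default_site 100-example.com.vhost
#   restore_default_site
```
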
  10. ressel

    ressel Member

    Another solution, that I like and find useful, is to edit the local hosts file, on my own machine.

  11. pititis

    pititis Member

    For me an essential add-on is cluebringer for postfix. It provides access control, SPF check, greylist, helo/ehlo checks and quota support. It's written in Perl and supports mysql/sqlite/postgresql. All with a web interface, just awesome!
  12. manarak

    manarak Member

    Just an addendum - I just discovered the logs are written twice!

    Under /etc/apache2/conf.d is the file other-vhost-access-log that writes a "vhosts combined" log. Don't forget to deactivate that one as well.
  13. manarak

    manarak Member

    another observation:
    if you install a vserver: these usually don't allow access to IPTABLES, since they are built into the kernel that is common to all vservers on the host.
    So your fail2ban is going to be ineffective in the default config.

    solution: use hosts.deny instead.

    to do this:
    in jail.conf
    banaction = iptables-multiport
    banaction = hostsdeny
    save and restart fail2ban
  14. manarak

    manarak Member

    I realized later that hosts.deny is not a good solution. see here why:
