The Perfect Server - Ubuntu 15.04 (Vivid Vervet) with Apache, PHP, MySQL, PureFTPD, BIND, Postfix, Dovecot and ISPConfig 3

This tutorial shows the installation of an Ubuntu 15.04 (Vivid Vervet) web hosting server with Apache2, Postfix, Dovecot, BIND and PureFTPD to prepare it for the installation of ISPConfig 3. The resulting system will provide a web, mail, mailing list, DNS and FTP server.

ISPConfig 3 is a webhosting control panel that allows you to configure the following services through a web browser: Apache or nginx web server, Postfix mail server, Courier or Dovecot IMAP/POP3 server, MySQL, BIND or MyDNS nameserver, PureFTPd, SpamAssassin, ClamAV, and many more. This setup covers the installation of Apache (instead of nginx), BIND (instead of MyDNS), and Dovecot (instead of Courier).

1. Preliminary Note

In this tutorial I use the hostname server1.example.com with the IP address 192.168.1.100 and the gateway 192.168.1.1. These settings might differ for you, so you have to replace them where appropriate. Before proceeding further you need to have a basic minimal installation of Ubuntu 15.04 as explained in tutorial.

2. Edit /etc/apt/sources.list And Update Your Linux Installation

Edit /etc/apt/sources.list. Comment out or remove the installation CD from the file and make sure that the universe and multiverse repositories are enabled. It should look like this afterwards:

nano /etc/apt/sources.list

#

# deb cdrom:[Ubuntu-Server 15.04 _Vivid Vervet_ - Release amd64 (20150422)]/ vivid main restricted

#deb cdrom:[Ubuntu-Server 15.04 _Vivid Vervet_ - Release amd64 (20150422)]/ vivid main restricted

# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
# newer versions of the distribution.
deb http://de.archive.ubuntu.com/ubuntu/ vivid main restricted
deb-src http://de.archive.ubuntu.com/ubuntu/ vivid main restricted

## Major bug fix updates produced after the final release of the
## distribution.
deb http://de.archive.ubuntu.com/ubuntu/ vivid-updates main restricted
deb-src http://de.archive.ubuntu.com/ubuntu/ vivid-updates main restricted

## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team. Also, please note that software in universe WILL NOT receive any
## review or updates from the Ubuntu security team.
deb http://de.archive.ubuntu.com/ubuntu/ vivid universe
deb-src http://de.archive.ubuntu.com/ubuntu/ vivid universe
deb http://de.archive.ubuntu.com/ubuntu/ vivid-updates universe
deb-src http://de.archive.ubuntu.com/ubuntu/ vivid-updates universe

## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in
## multiverse WILL NOT receive any review or updates from the Ubuntu
## security team.
deb http://de.archive.ubuntu.com/ubuntu/ vivid multiverse
deb-src http://de.archive.ubuntu.com/ubuntu/ vivid multiverse
deb http://de.archive.ubuntu.com/ubuntu/ vivid-updates multiverse
deb-src http://de.archive.ubuntu.com/ubuntu/ vivid-updates multiverse

## N.B. software from this repository may not have been tested as
## extensively as that contained in the main release, although it includes
## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team.
deb http://de.archive.ubuntu.com/ubuntu/ vivid-backports main restricted universe multiverse
deb-src http://de.archive.ubuntu.com/ubuntu/ vivid-backports main restricted universe multiverse

deb http://security.ubuntu.com/ubuntu vivid-security main restricted
deb-src http://security.ubuntu.com/ubuntu vivid-security main restricted
deb http://security.ubuntu.com/ubuntu vivid-security universe
deb-src http://security.ubuntu.com/ubuntu vivid-security universe
deb http://security.ubuntu.com/ubuntu vivid-security multiverse
deb-src http://security.ubuntu.com/ubuntu vivid-security multiverse

## Uncomment the following two lines to add software from Canonical's
## 'partner' repository.
## This software is not part of Ubuntu, but is offered by Canonical and the
## respective vendors as a service to Ubuntu users.
# deb http://archive.canonical.com/ubuntu vivid partner
# deb-src http://archive.canonical.com/ubuntu vivid partner

Then run

apt-get update

to update the apt package database and

apt-get upgrade

to install the latest updates (if there are any). If you see that a new kernel gets installed as part of the updates, you should reboot the system afterwards:

reboot

 

3. Change The Default Shell

/bin/sh is a symlink to /bin/dash; however, we need /bin/bash, not /bin/dash. Therefore we do this:

dpkg-reconfigure dash

Use dash as the default system shell (/bin/sh)? <-- No

If you don't do this, the ISPConfig installation will fail.

 

4. Disable AppArmor

AppArmor is a security extension (similar to SELinux) that should provide extended security. In my opinion you don't need it to configure a secure system, and it usually causes more problems than advantages (think of it after you have done a week of trouble-shooting because some service wasn't working as expected, and then you find out that everything was ok, only AppArmor was causing the problem). Therefore I disable it (this is a must if you want to install ISPConfig later on).

We can disable it like this:

service apparmor stop
update-rc.d -f apparmor remove
apt-get remove apparmor apparmor-utils

 

5. Synchronize the System Clock

It is a good idea to synchronize the system clock with an NTP (network time protocol) server over the Internet when you run a physical server. In case you run a virtual server then you should skip this step. Just run

apt-get install ntp ntpdate

and your system time will always be in sync.

 

6. Install Postfix, Dovecot, MariaDB, phpMyAdmin, rkhunter, binutils

Before installing Postfix, we need to ensure that sendmail is not installed and running. To stop and remove sendmail, run this command:

service sendmail stop; update-rc.d -f sendmail remove

The error message:

Failed to stop sendmail.service: Unit sendmail.service not loaded.

is OK; it just means that sendmail was not installed, so there was nothing to be removed.

Now we can install Postfix, Dovecot, MariaDB (as MySQL replacement), rkhunter, and binutils with a single command:

apt-get install postfix postfix-mysql postfix-doc mariadb-client mariadb-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve sudo

You will be asked the following questions:

Create a self-signed SSL certificate? <-- yes
Host name: <-- server1.example.com
General type of mail configuration: <-- Internet Site
System mail name: <-- server1.example.com

Next open the TLS/SSL and submission ports in Postfix:

nano /etc/postfix/master.cf

Uncomment the submission and smtps sections as follows: add the line -o smtpd_client_restrictions=permit_sasl_authenticated,reject to both sections and leave everything after it commented out:

[...]
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
[...]

Restart Postfix afterwards:

service postfix restart
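
To confirm that the edit took effect, the following added example (not part of the original tutorial) parses a master.cf file and reports which required -o overrides are active for a service. The function names and the sample file are constructed for illustration, and it assumes the plain "-o name=value" form shown above.

```shell
#!/bin/sh
# Added example: audit the "-o" overrides of a Postfix master.cf service.
# Assumption: overrides are written as "-o name=value", as in the tutorial.

# active_overrides FILE SERVICE
# Prints one name=value per line for each active override of the inet
# service SERVICE. Comment lines are skipped; a line that starts with
# whitespace continues the most recent uncommented service line, so an
# override left active under a commented-out service line is counted for
# the service above it.
active_overrides() {
    awk -v svc="$2" '
        /^[ \t]*#/ { next }
        /^[ \t]*$/ { next }
        /^[^ \t]/  { in_svc = ($1 == svc && $2 == "inet") }
        in_svc {
            for (i = 1; i < NF; i++)
                if ($i == "-o") print $(i + 1)
        }' "$1"
}

# check_service FILE SERVICE NAME=VALUE...
# Prints every required override that is not active for SERVICE and
# returns 1 if at least one is missing, 0 otherwise.
check_service() {
    cs_file=$1; cs_svc=$2; shift 2
    cs_active=$(active_overrides "$cs_file" "$cs_svc")
    cs_rc=0
    for cs_want in "$@"; do
        if ! printf '%s\n' "$cs_active" | grep -Fxq -e "$cs_want"; then
            echo "$cs_svc: missing -o $cs_want"
            cs_rc=1
        fi
    done
    return $cs_rc
}

# Constructed sample: submission edited as in the tutorial, smtps still
# commented out.
write_sample() {
    cat > "$1" <<'EOF'
smtp      inet  n       -       -       -       -       smtpd
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#smtps     inet  n       -       -       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
pickup    unix  n       -       -       60      1       pickup
EOF
}

# Demo on the constructed sample; point check_service at
# /etc/postfix/master.cf to audit a real system.
demo_cf=$(mktemp) && write_sample "$demo_cf"
check_service "$demo_cf" submission smtpd_sasl_auth_enable=yes \
    smtpd_client_restrictions=permit_sasl_authenticated,reject \
    && echo "submission: required overrides are active"
check_service "$demo_cf" smtps smtpd_tls_wrappermode=yes \
    smtpd_sasl_auth_enable=yes || echo "smtps: not fully enabled"
rm -f "$demo_cf"
```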

We want MariaDB to listen on all interfaces, not just localhost. Therefore we edit /etc/mysql/mariadb.conf.d/mysqld.cnf and comment out the line bind-address = 127.0.0.1:

nano /etc/mysql/mariadb.conf.d/mysqld.cnf

[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address           = 127.0.0.1
[...]

Now we set a root password in MariaDB. Run:

mysql_secure_installation

You will be asked these questions:

Enter current password for root (enter for none): <-- press enter
Set root password? [Y/n] <-- y
New password: <-- Enter the new MariaDB root password here
Re-enter new password: <-- Repeat the password
Remove anonymous users? [Y/n] <-- y
Disallow root login remotely? [Y/n] <-- y
Reload privilege tables now? [Y/n] <-- y

Then we restart MariaDB:

service mysql restart

Now check that networking is enabled. Run

netstat -tap | grep mysql

The output should look like this:

root@server1:~# netstat -tap | grep mysql
tcp        0      0 *:mysql                 *:*                     LISTEN      24603/mysqld    
root@server1:~# 
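
The same check can be scripted. This added example (not part of the original tutorial) reads netstat lines and reports whether each listening socket is bound to all interfaces, to loopback, or to one address, including the tcp6 form printed on hosts that use IPv4 and IPv6. The function names and sample lines are constructed.

```shell
#!/bin/sh
# Added example: classify LISTEN sockets from netstat output by bind scope.

# listen_scope: reads "netstat -tap" or "netstat -tlnp" lines on stdin and
# prints "<scope> <port> <program>" for every listening TCP socket.
listen_scope() {
    awk '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            addr = $4
            n = split(addr, part, ":")
            port = part[n]                 # text after the last colon
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host == "*" || host == "0.0.0.0" || host == "[::]" || host == "::")
                scope = "all-interfaces"
            else if (host == "localhost" || host ~ /^127\./ || host == "::1" || host == "[::1]")
                scope = "loopback"
            else
                scope = "address:" host
            prog = $7
            sub(/^[0-9]+\//, "", prog)     # drop the PID prefix
            print scope, port, prog
        }'
}

# exposed_ports PROGRAM: ports on which PROGRAM listens on all interfaces.
exposed_ports() {
    listen_scope | awk -v p="$1" '$1 == "all-interfaces" && $3 == p { print $2 }' | sort -u
}

# Constructed sample lines in the format shown above (names and numeric
# forms mixed on purpose).
sample_netstat() {
    cat <<'EOF'
tcp        0      0 *:mysql                 *:*                     LISTEN      24603/mysqld
tcp6       0      0 [::]:mysql              [::]:*                  LISTEN      11629/mysqld
tcp        0      0 localhost:domain        *:*                     LISTEN      812/named
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      24603/mysqld
tcp        0      0 192.168.1.100:domain    *:*                     LISTEN      812/named
EOF
}

# Demo on the constructed sample; on a server use: netstat -tap | listen_scope
sample_netstat | listen_scope
```

With bind-address commented out as described above, mysqld is expected in the all-interfaces group; a loopback result means the change has not taken effect.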

7. Install Amavisd-new, SpamAssassin, And ClamAV

To install amavisd-new, SpamAssassin, and ClamAV, we run

apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl

The ISPConfig 3 setup uses amavisd which loads the SpamAssassin filter library internally, so we can stop SpamAssassin to free up some RAM:

service spamassassin stop
update-rc.d -f spamassassin remove

Edit the clamd configuration file:

nano /etc/clamav/clamd.conf

and change the line:

AllowSupplementaryGroups false

to:

AllowSupplementaryGroups true 

and save the file. To start ClamAV, use

freshclam
service clamav-daemon start

 

Comments

From: Major7 at: 2015-05-08 10:18:05

you wrote several times "MariaDB" but you mean "MySQL"

From: till at: 2015-05-08 10:54:46

This tutorial installs MariaDB and not MySQL. The systemd unit of the MariaDB software is named mysql for compatibility reasons, but it's still MariaDB that gets restarted and not MySQL.

From: Major7 at: 2015-05-08 10:23:28

The Link to additional PHP-Versions is wrong (has the "file" protocol) - as in the previous Tutorials

From: till at: 2015-05-08 10:58:34

Thanks, I fixed that.

From: JohnP at: 2015-05-11 21:13:02

MariaDB should be preferred over mysql these days. The title is wrong even if the steps are for mariadb.

No FTP should even be discussed. FTP should have died out (or been killed off) in 1995.  sFTP, which is built-into openssh-server, should be used.  Since 2000, nobody should run plain FTP. That isn't just my opinion - it is the opinion of security experts worldwide.

From: till at: 2015-05-12 06:56:38

You are partially right about the title; the problem is that not everyone knows that MariaDB is a full MySQL replacement, and people are still looking for a guide with MySQL and not MariaDB due to that fact. This tutorial installs FTP with TLS (FTPS), so the connection is secured. FTPS has some advantages on hosting servers (shared hosting environments) over sFTP, as the FTP daemon supports virtual users while you need a real system user (SSH user) for sFTP.

From: Sgt. Rock at: 2015-05-13 16:34:15

Adding a comment that ClamAV updates may take some time may be helpful for new users... It can take upwards of 5min just for the "daily.cvd" file to download.

From: jon at: 2015-05-14 09:28:28

How to activate Roundcube plugins (auto responder, password change)?

From: Major7 at: 2015-05-14 12:13:59

Are you sure the linked Tutorial (Ubuntu 12.10) for installing Multiple PHP-Versions works on Ubuntu 15? Tested it (with PHP 5.3.29) with no luck.

With --with-imap it breaks:

[...]
checking whether build with IMAP works... no
configure: error: build test failed. Please check the config.log for details.
[...]

Without --with-imap

[...]
/lib/x86_64-linux-gnu/libssl.so.1.0.0: error adding symbols: DSO missing from command line
collect2: error: ld returned 1 exit status
Makefile:274: recipe for target 'sapi/fpm/php-fpm' failed
make: *** [sapi/fpm/php-fpm] Error 1
[...]

From: Alex Hulshof at: 2015-05-15 12:48:14

netstat -tap | grep mysql gives:

tcp6     0    0    [::]:mysql   [::]:*     LISTEN     11629/mysqld

is this correct since the manual shows:

tcp        0      0 *:mysql                 *:*                     LISTEN      24603/mysqld

 

From: till at: 2015-05-15 13:00:32

Yes, that's correct. Your server uses ipv4 and ipv6 while the one in the tutorial has ipv4 only.

From: Vincent Simpson at: 2015-05-20 13:36:26

hi,

when adding aliases and running newaliases (Step 9 Install Mailman) I get the following message :

newaliases: fatal: open /etc/postfix/main.cf: No such file or directory

And indeed there is master.cf but no main.cf

Also, doing a service postfix restart (or /etc/init.d/postfix restart), I get no messages (saying ok or otherwise...) is this normal ?

Postfix is installed since I do have /etc/postfix/files_present_in_here 

Is this normal ?

Where am I going wrong ?

Is Mailman essential ?

Thank-you

enzo2424@gmail[dot]com

From: vincent Simpson at: 2015-05-20 14:04:47

Following up on the postfix problem. 

I never got the prompt for "internet site" upon postfix installation. Maybe a bug in the package?

Anyhow, I did a "dpkg-reconfigure postfix"

and followed the install instructions on page1 & everything went correctly from there.

hope this helps out someone else who encounters this problem.

Best regards

From: ninjanero at: 2015-05-21 16:15:20

I've problems with dns server, I need help! I create a site from ispconfig but its not reachable.

From: till at: 2015-05-21 16:27:30

The ispconfig community support is available in our forum: https://www.howtoforge.com/community/

From: radim_h at: 2015-06-01 08:16:15

Hello,

after installation according to this tutorial, there is a problem with quotas. When the system is starting there is the message "Failed to start Check and Enable File System Quotas. See 'systemctl status quota.service' for details." as on picture http://mixx.org/ispc3/quota-problem.jpg

When you do it, you get message:

quota.service - Check And Enable File System Quotas
   Loaded: loaded (/lib/systemd/system/quota.service; enabled)
   Active: failed (Result: exit-code) since Mon 2015-06-01 10:01:30 CEST; 8min ago
     Docs: man:quotaon(8)
  Process: 216 ExecStart=/usr/share/quota/quotaon.sh (code=exited, status=1/FAILURE)
 Main PID: 216 (code=exited, status=1/FAILURE)

Jun 01 10:01:30 109-123-216-005 quotaon.sh[216]: Checking quotas...
Jun 01 10:01:30 109-123-216-005 systemd[1]: quota.service: main process exited, code=exited, status=1/FAILURE
Jun 01 10:01:30 109-123-216-005 systemd[1]: Failed to start Check And Enable File System Quotas.
Jun 01 10:01:30 109-123-216-005 systemd[1]: Unit quota.service entered failed state.

repquota -a seems like quotas are working, but when you turn quotas off "quotaoff -a" repquota -a answer is same, so this probably means nothing

repquota -a
*** Report for user quotas on device /dev/vda3
Block grace time: 7days; Inode grace time: 7days
                        Block limits                File limits
User            used    soft    hard  grace    used  soft  hard  grace
----------------------------------------------------------------------
root      -- 1886260       0       0          70925     0     0
daemon    --      68       0       0              4     0     0
man       --    1884       0       0            147     0     0
www-data  --      44       0       0             32     0     0
list      --      80       0       0             26     0     0
statd     --      12       0       0              3     0     0
client    --      32       0       0              6     0     0
postfix   --     100       0       0             55     0     0
ntp       --      12       0       0              3     0     0
mysql     --  117524       0       0            679     0     0
clamav    --  151520       0       0             12     0     0
debian-spamd --    1592       0       0             25     0     0
amavis    --     280       0       0             14     0     0
bind      --       8       0       0              2     0     0
vmail     --      20       0       0              5     0     0
getmail   --      12       0       0              3     0     0
ispapps   --      12       0       0              3     0     0
ispconfig --   27328       0       0           5604     0     0
web1      --      84 2097152 2098176             20     0     0

From: John at: 2015-08-18 05:28:24

I seem to be having pretty much the exact same issue.

From: enzo24 at: 2015-06-05 12:58:50

If you're running an Ubuntu server 15 setup following this tutorial, then you'll probably have the same problem I did.

I couldn't get anything over 100k to upload :(

Although I got the settings right in /etc/php5/cgi/php.ini and my joomla site was saying max upload 2000M (yeah I did overkill), I still couldn't get anything to go over 100k.

So, I followed the instructions that I found in a post and edited the /etc/apache2/mods-enabled/fcgid.conf to make it look like this:

<IfModule mod_fcgid.c>
FcgidConnectTimeout 200
FcgidMaxRequestLen 1073741824
....

Then, as root you do:

service apache2 restart
service php5-fpm restart

to get all those configs swallowed up and miracles occur... Apparently, fcgi limits to 100k upload if not stated otherwise... and this seems to impact only on Ubuntu 15, because I don't think I have this problem on my Ubuntu server 14.10...

Hope this helps out folks... I searched 3 days to find the solution...

Regards

From: Tha Juggalo Steve at: 2015-06-27 01:43:20

Can someone show me how to enable root login with GUI? I can't drop my files into the www folder to install my website.

From: Mick Walker at: 2015-06-30 09:49:16

Well done.  Another great set of instructions.

Just one remaining problem (after failing to login to phpmyadmin - fixed it).

An existing website that worked fine under 12.04 now fails in 15.04.  I suspect it is an apache config problem.

Bare php works fine.  Embedded php fails to load.  The html code ends at the last character before the <?php opening tag.

Any thoughts?

From: Sajeev at: 2015-07-17 13:19:27

Hi, When i try to install amavisd-new i get the following error:

Creating/updating amavis user account...

Job for amavis.service failed. See "systemctl status amavis.service" and "journalctl -xe" for details.

invoke-rc.d: initscript amavis, action "start" failed.

WARNING: Starting amavisd-new failed. Please check your configuration.

systemctl status amavis.service outputs the following:

● amavis.service - LSB: Starts amavisd-new mailfilter
   Loaded: loaded (/etc/init.d/amavis)
   Active: failed (Result: exit-code) since Fri 2015-07-17 17:06:35 GST; 13s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 10448 ExecStart=/etc/init.d/amavis start (code=exited, status=1/FAILURE)

Jul 17 17:06:35 ramadahserver amavis[10448]: Starting amavisd:   The value of variable $myhostname is "ramadahserver", but should have been
Jul 17 17:06:35 ramadahserver amavis[10448]: a fully qualified domain name; perhaps uname(3) did not provide such.
Jul 17 17:06:35 ramadahserver amavis[10448]: You must explicitly assign a FQDN of this host to variable $myhostname
Jul 17 17:06:35 ramadahserver amavis[10448]: in /etc/amavis/conf.d/05-node_id, or fix what uname(3) provides as a host's
Jul 17 17:06:35 ramadahserver amavis[10448]: network name!
Jul 17 17:06:35 ramadahserver amavis[10448]: (failed).
Jul 17 17:06:35 ramadahserver systemd[1]: amavis.service: control process exited, code=exited status=1
Jul 17 17:06:35 ramadahserver systemd[1]: Failed to start LSB: Starts amavisd-new mailfilter.
Jul 17 17:06:35 ramadahserver systemd[1]: Unit amavis.service entered failed state.
Jul 17 17:06:35 ramadahserver systemd[1]: amavis.service failed.

Please advise on how to solve this error.

From: pjrfigueiredo at: 2015-07-20 11:39:35

btw, we need to install python...

From: Luke Pring at: 2015-07-31 23:36:21

I can access the ISPConfig from https://192.168.1.3:8080/index.php#, https://server.luke.com:8080 doesn't do anything. firefox isn't even giving me an error page.

 

Also how do I access the ftp and /var/www/ domain from the network and machines that are not on my network?

 

Thanks, Luke.

From: David at: 2015-08-01 19:27:51

Thank you! I just followed the entire tutorial, it worked 100%! You are awesome!

From: Zack at: 2015-08-02 19:29:07

Something isn't quite right, I've wiped my vps twice and followed these instructions exactly. The "MariaDB" messes up my sql so bad that I cannot make anything work with postfix.

"Unable to connect to the specified MySQL server Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock'"

What is going on here?

From: till at: 2015-08-03 07:31:49

I installed a server by doing a copy & paste of the commands from this tutorial this morning and it worked out of the box. Maybe your vps does not have enough RAM. The VPS shall have at least 1GB RAM for this setup.

From: aldo at: 2015-08-13 15:35:57

Please consider adding the following lines (taken from the similar nginx instructions) just after setting the mysql root password:

[...]

Reload privilege tables now? [Y/n] <-- y

Then run this command to disable the auth plugin:

echo "update user set plugin='' where User='root';flush privileges;" | mysql --defaults-file=/etc/mysql/debian.cnf mysql

To allow password based authentication from PHPMyAdmin.

Then we restart MariaDB:

[...]

From: Raphael at: 2015-08-31 00:09:40

Hi, I didn't get.

root@server1:/etc/mysql/mariadb.conf.d# quotaon -avug
/dev/mapper/server1--vg-root [/]: group quotas turned on
/dev/mapper/server1--vg-root [/]: user quotas turned on

what did I miss please.

From: Mrbloomfield at: 2015-09-03 01:36:06

I struggled getting mail to work for a while. If anyone is having trouble, remove the "#" from these lines in /etc/postfix/master.cf

#smtps inet n - - - - smtpd
#submission inet n - - - - smtpd