The Perfect Server - Debian Squeeze (Debian 6.0) With BIND & Courier [ISPConfig 3] - Page 4

10 Install Postfix, Courier, Saslauthd, MySQL, phpMyAdmin, rkhunter, binutils
11 Install Amavisd-new, SpamAssassin, And Clamav
12 Install Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear, And mcrypt
13 Install PureFTPd And Quota
14 Install BIND DNS Server
15 Install Vlogger, Webalizer, And AWstats
16 Install Jailkit

10 Install Postfix, Courier, Saslauthd, MySQL, phpMyAdmin, rkhunter, binutils

We can install Postfix, Courier, Saslauthd, MySQL, phpMyAdmin, rkhunter, and binutils with a single command:

apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server courier-authdaemon courier-authlib-mysql courier-pop courier-pop-ssl courier-imap courier-imap-ssl libsasl2-2 libsasl2-modules libsasl2-modules-sql sasl2-bin libpam-mysql openssl courier-maildrop getmail4 rkhunter binutils sudo gamin

You will be asked the following questions:

General type of mail configuration: <-- Internet Site
System mail name: <-- server1.example.com
New password for the MySQL "root" user: <-- yourrootsqlpassword
Repeat password for the MySQL "root" user: <-- yourrootsqlpassword
Create directories for web-based administration? <-- No
SSL certificate required <-- Ok

We want MySQL to listen on all interfaces, not just localhost, therefore we edit /etc/mysql/my.cnf and comment out the line bind-address = 127.0.0.1:

vi /etc/mysql/my.cnf

[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address           = 127.0.0.1
[...]

Then we restart MySQL:

/etc/init.d/mysql restart

Now check that networking is enabled. Run

netstat -tap | grep mysql

The output should look like this:

[email protected]:~# netstat -tap | grep mysql
tcp 0 0 *:mysql *:* LISTEN 10457/mysqld
[email protected]:~#

During the installation, the SSL certificates for IMAP-SSL and POP3-SSL are created with the hostname localhost. To change this to the correct hostname (server1.example.com in this tutorial), delete the certificates...

cd /etc/courier
rm -f /etc/courier/imapd.pem
rm -f /etc/courier/pop3d.pem

... and modify the following two files; replace CN=localhost with CN=server1.example.com (you can also modify the other values, if necessary):

vi /etc/courier/imapd.cnf

[...]
CN=server1.example.com
[...]

vi /etc/courier/pop3d.cnf

[...]
CN=server1.example.com
[...]

Then recreate the certificates...

mkimapdcert
mkpop3dcert

... and restart Courier-IMAP-SSL and Courier-POP3-SSL:

/etc/init.d/courier-imap-ssl restart
/etc/init.d/courier-pop-ssl restart

11 Install Amavisd-new, SpamAssassin, And Clamav

To install amavisd-new, SpamAssassin, and ClamAV, we run

apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl

The ISPConfig 3 setup uses amavisd which loads the SpamAssassin filter library internally, so we can stop SpamAssassin to free up some RAM:

/etc/init.d/spamassassin stop
update-rc.d -f spamassassin remove

12 Install Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear, And mcrypt

Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear, and mcrypt can be installed as follows:

apt-get install apache2 apache2.2-common apache2-doc apache2-mpm-prefork apache2-utils libexpat1 ssl-cert libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick libapache2-mod-suphp libruby libapache2-mod-ruby

You will see the following questions:

Web server to reconfigure automatically: <-- apache2
Configure database for phpmyadmin with dbconfig-common? <-- No

Then run the following command to enable the Apache modules suexec, rewrite, ssl, actions, and include (plus dav, dav_fs, and auth_digest if you want to use WebDAV):

a2enmod suexec rewrite ssl actions include
a2enmod dav_fs dav auth_digest

Restart Apache afterwards:

/etc/init.d/apache2 restart

13 Install PureFTPd And Quota

PureFTPd and quota can be installed with the following command:

apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool

Edit the file /etc/default/pure-ftpd-common...

vi /etc/default/pure-ftpd-common

... and make sure the start mode is set to standalone and set VIRTUALCHROOT=true:

[...]
STANDALONE_OR_INETD=standalone
[...]
VIRTUALCHROOT=true
[...]

Edit the file /etc/inetd.conf to prevent inetd from trying to start ftp:

vi /etc/inetd.conf

If there is a line beginning withftp stream tcp, comment it out (if there's no such file, then that is fine, and you don't have to modify /etc/inetd.conf):

[...]
#:STANDARD: These are standard services.
#ftp    stream  tcp     nowait  root    /usr/sbin/tcpd /usr/sbin/pure-ftpd-wrapper
[...]

If you had to modify /etc/inetd.conf, restart inetd now:

/etc/init.d/openbsd-inetd restart

Now we configure PureFTPd to allow FTP and TLS sessions. FTP is a very insecure protocol because all passwords and all data are transferred in clear text. By using TLS, the whole communication can be encrypted, thus making FTP much more secure.

If you want to allow FTP and TLS sessions, run

echo 1 > /etc/pure-ftpd/conf/TLS

In order to use TLS, we must create an SSL certificate. I create it in /etc/ssl/private/, therefore I create that directory first:

mkdir -p /etc/ssl/private/

Afterwards, we can generate the SSL certificate as follows:

openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem

Country Name (2 letter code) [AU]: <-- Enter your Country Name (e.g., "DE").
State or Province Name (full name) [Some-State]: <-- Enter your State or Province Name.
Locality Name (eg, city) []: <-- Enter your City.
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter your Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) []: <-- Enter your Organizational Unit Name (e.g. "IT Department").
Common Name (eg, YOUR name) []: <-- Enter the Fully Qualified Domain Name of the system (e.g. "server1.example.com").
Email Address []: <-- Enter your Email Address.

Change the permissions of the SSL certificate:

chmod 600 /etc/ssl/private/pure-ftpd.pem

Then restart PureFTPd:

/etc/init.d/pure-ftpd-mysql restart

Edit /etc/fstab. Mine looks like this (I added ,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0 to the partition with the mount point /):

vi /etc/fstab

# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
proc            /proc           proc    defaults        0       0
# / was on /dev/sda1 during installation
UUID=92bceda2-5ae4-4e3a-8748-b14da48fb297 /               ext3    errors=remount-ro,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0 0       1
# swap was on /dev/sda5 during installation
UUID=e24b3e9e-095c-4b49-af27-6363a4b7d094 none            swap    sw              0       0
/dev/scd0       /media/cdrom0   udf,iso9660 user,noauto     0       0
/dev/fd0        /media/floppy0  auto    rw,user,noauto  0       0

To enable quota, run these commands:

mount -o remount /

quotacheck -avugm
quotaon -avug

14 Install BIND DNS Server

BIND can be installed as follows:

apt-get install bind9 dnsutils

15 Install Vlogger, Webalizer, And AWstats

Vlogger, webalizer, and AWstats can be installed as follows:

apt-get install vlogger webalizer awstats geoip-database

Open /etc/cron.d/awstats afterwards...

vi /etc/cron.d/awstats

... and comment out both cron jobs in that file:

#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh
# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh

16 Install Jailkit

Jailkit is needed only if you want to chroot SSH users. It can be installed as follows (important: Jailkit must be installed before ISPConfig - it cannot be installed afterwards!):

apt-get install build-essential autoconf automake1.9 libtool flex bison debhelper

cd /tmp
wget http://olivier.sessink.nl/jailkit/jailkit-2.13.tar.gz
tar xvfz jailkit-2.13.tar.gz
cd jailkit-2.13
./debian/rules binary
cd ..
dpkg -i jailkit_2.13-1_*.deb
rm -rf jailkit-2.13*

view as pdf | print

Share this page:

Sub pages

15 Comment(s)

Add comment

Comments

By: Idrassi

The following two commands must be run before quotacheck and quotaon :

touch /aquota.user /aquota.group
chmod 600 /aquota.*

By: JeffryL

Not necessary anymore. Files are made automatically with the right permissions.

By: Pilgrim

Hi...

Great tutorial,
but I have a small problem with postfix.
I'm using domain with NSSet to my server. Domain is a for example somestupiddomain.cz.
This domain is a NS domain for nameservers too like ns1.somestupiddomain.cz and ns2.somestupiddomain.cz.

Problem is a with Postfix main.cnf file with mydestination param.
The default settings is a:

mydestination = somestupiddomain.cz, localhost, localhost.localdomain

If I sent email to any mailbox on this domain, the email was not delivered and I delivered back to sender error: Undelivered Mail Returned to Sender - unknown user "test".

Anyother domains on this server are OK and theirs emails were successfully delivered.

I was change this mydestination param for fixing this problem to:

mydestination = assigned-XXX.XXX.XXX.XXX.provider.cz, localhost, localhost.localdomain

After this, all emails to somestupiddomain.cz were succesfully delivered.
The param mydestination must be a FQDN hostname of server.

(sorry for my english) ;-)

By: Cody

E: Unable to locate package libsas12-2
E: Unable to locate package libsas12-modules
E: Unable to locate package libsas12-modules-sql
E: Unable to locate package sas12-bin

and i can't continue from there because i need SQL to be installed

i'm a newby, how do i check if its been installed and if its running?

(up until here i followed your tutorial exactly [excluding hostname / domainname / username / repositories] and its worked!)

By: Anonymous

It's not libsas1 but libsasl with the L not the 1

By:

For the new version of the JailKit, change the following. This fixes the following:

Jailkit 2.14 fixes a infinite loop in jk_cp and jk_init if ldd output for some reason contains two slashes (//lib/libfoo.so). Furthermore, jk_chrootsh can now be called as 'su'

cd /tmp
wget http://olivier.sessink.nl/jailkit/jailkit-2.14.tar.gz
tar xvfz jailkit-2.14.tar.gz
cd jailkit-2.14
./debian/rules binary
cd ..
dpkg -i jailkit_2.14-1_*.deb
rm -rf jailkit-2.14*

By: Steboo

Don´t forget to install the libfam0 or libgamin0 if you want to use the IMAP-Server.

By: lenz

To prevent filesystem error like this:

"IMAP server information: Filesystem notification initialization error -- contact your mail administrator (check for configuration errors with the FAM/Gamin library)"

install gamin:

apt-get install gamin

(http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=599682 )

By: Ed

Hello,

I can't get past step 10 - I receive an "Abort." on the terminal screen when I enter "Y" to continue with the installation of the packages.

This is a amd 64 bit system that came pre-configured with debian squeeze 64 bit for amd64, but with nothing else, I think.

Why would I receive that Abort by the system when trying to install the packages in step 10?

Thanks for any help - I am new with 64 bit debian and squeze.

By: Ed

Hello,

I solved this problem by using aptitude instead of apt-get

IBM machine with Opteron 2218 squeeze amd64

By:

Are you getting pthread errors? For example, it might complain that pthread is not found:

jk_socketd.c:(.text+0xa94): undefined reference to `pthread_create'

If so, try this solution:

LIBS=-pthread ./debian/rules binary

By: Anonymous

When I try the following command (from the guide) I get an error:

./debian/rules binary

Error:

checking whether we are cross compiling... configure: error: in `/tmp/jailkit-2.13': configure: error: cannot run C compiled programs. If you meant to cross compile, use `--host'. See `config.log' for more details. make: *** [config.status] Error 1

I have checked so "gcc is already the newest version." and libpq5 is installed.
Why cant my debian make this compilation?

By: bjarne

By default the SSL certificates for IMAP and POP3 has a lifetime of 1 year. It is possible to change this by editing mkimapdcert and mkpop3dcert scripts directly:

vi /usr/sbin/mkimapdcert
vi /usr/sbin/mkpop3dcert

#look for line /usr/bin/openssl req -new -x509 -days 365 -nodes \

Remove the old certficates and run mkimapdcert and mkpop3dcert again

By: pallermo

Hmm...I am getting this kind of message (error) when I try "quotacheck -avugm"

quotacheck: Cannot find filesystem to check or filesystem not mounted with quota option.

Eveything is ql but only this is the problem.

fstab is next:

proc /proc proc defaults 0 0

none /dev/pts devpts gid=5,mode=620 0 0

/dev/md0 none swap sw 0 0

/dev/md1 /boot ext3 defaults 0 0

/dev/md2 / ext4 defaults 0 0 errors=remount-ro,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0 0 1

By: Rifqi Kennedy

i can't install vim-nox, because this packets there isn't, how about that ??

Log in or Sign up