The Perfect Server - Debian Squeeze (Debian 6.0) With BIND & Courier [ISPConfig 3] - Page 4

10 Install Postfix, Courier, Saslauthd, MySQL, phpMyAdmin, rkhunter, binutils

We can install Postfix, Courier, Saslauthd, MySQL, phpMyAdmin, rkhunter, and binutils with a single command:

apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server courier-authdaemon courier-authlib-mysql courier-pop courier-pop-ssl courier-imap courier-imap-ssl libsasl2-2 libsasl2-modules libsasl2-modules-sql sasl2-bin libpam-mysql openssl courier-maildrop getmail4 rkhunter binutils sudo gamin

You will be asked the following questions:

General type of mail configuration: <-- Internet Site
System mail name: <--
New password for the MySQL "root" user: <-- yourrootsqlpassword
Repeat password for the MySQL "root" user: <-- yourrootsqlpassword
Create directories for web-based administration? <-- No
SSL certificate required <-- Ok

We want MySQL to listen on all interfaces, not just localhost, therefore we edit /etc/mysql/my.cnf and comment out the line bind-address =

vi /etc/mysql/my.cnf

# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address           =

Then we restart MySQL:

/etc/init.d/mysql restart

Now check that networking is enabled. Run

netstat -tap | grep mysql

The output should look like this:

root@server1:~# netstat -tap | grep mysql
tcp        0      0 *:mysql                 *:*                     LISTEN      10457/mysqld

During the installation, the SSL certificates for IMAP-SSL and POP3-SSL are created with the hostname localhost. To change this to the correct hostname ( in this tutorial), delete the certificates...

cd /etc/courier
rm -f /etc/courier/imapd.pem
rm -f /etc/courier/pop3d.pem

... and modify the following two files; replace CN=localhost with (you can also modify the other values, if necessary):

vi /etc/courier/imapd.cnf


vi /etc/courier/pop3d.cnf


Then recreate the certificates...


... and restart Courier-IMAP-SSL and Courier-POP3-SSL:

/etc/init.d/courier-imap-ssl restart
/etc/init.d/courier-pop-ssl restart


11 Install Amavisd-new, SpamAssassin, And Clamav

To install amavisd-new, SpamAssassin, and ClamAV, we run

apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl

The ISPConfig 3 setup uses amavisd which loads the SpamAssassin filter library internally, so we can stop SpamAssassin to free up some RAM:

/etc/init.d/spamassassin stop
update-rc.d -f spamassassin remove


12 Install Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear, And mcrypt

Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear, and mcrypt can be installed as follows:

apt-get install apache2 apache2.2-common apache2-doc apache2-mpm-prefork apache2-utils libexpat1 ssl-cert libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick libapache2-mod-suphp libruby libapache2-mod-ruby

You will see the following questions:

Web server to reconfigure automatically: <-- apache2
Configure database for phpmyadmin with dbconfig-common? <-- No

Then run the following command to enable the Apache modules suexec, rewrite, ssl, actions, and include (plus dav, dav_fs, and auth_digest if you want to use WebDAV):

a2enmod suexec rewrite ssl actions include
a2enmod dav_fs dav auth_digest

Restart Apache afterwards:

/etc/init.d/apache2 restart


13 Install PureFTPd And Quota

PureFTPd and quota can be installed with the following command:

apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool

Edit the file /etc/default/pure-ftpd-common...

vi /etc/default/pure-ftpd-common

... and make sure the start mode is set to standalone and set VIRTUALCHROOT=true:


Edit the file /etc/inetd.conf to prevent inetd from trying to start ftp:

vi /etc/inetd.conf

If there is a line beginning withftp stream tcp, comment it out (if there's no such file, then that is fine, and you don't have to modify /etc/inetd.conf):

#:STANDARD: These are standard services.
#ftp    stream  tcp     nowait  root    /usr/sbin/tcpd /usr/sbin/pure-ftpd-wrapper

If you had to modify /etc/inetd.conf, restart inetd now:

/etc/init.d/openbsd-inetd restart

Now we configure PureFTPd to allow FTP and TLS sessions. FTP is a very insecure protocol because all passwords and all data are transferred in clear text. By using TLS, the whole communication can be encrypted, thus making FTP much more secure.

If you want to allow FTP and TLS sessions, run

echo 1 > /etc/pure-ftpd/conf/TLS

In order to use TLS, we must create an SSL certificate. I create it in /etc/ssl/private/, therefore I create that directory first:

mkdir -p /etc/ssl/private/

Afterwards, we can generate the SSL certificate as follows:

openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem

Country Name (2 letter code) [AU]: <-- Enter your Country Name (e.g., "DE").
State or Province Name (full name) [Some-State]:
<-- Enter your State or Province Name.
Locality Name (eg, city) []:
<-- Enter your City.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
<-- Enter your Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) []:
<-- Enter your Organizational Unit Name (e.g. "IT Department").
Common Name (eg, YOUR name) []:
<-- Enter the Fully Qualified Domain Name of the system (e.g. "").
Email Address []:
<-- Enter your Email Address.

Change the permissions of the SSL certificate:

chmod 600 /etc/ssl/private/pure-ftpd.pem

Then restart PureFTPd:

/etc/init.d/pure-ftpd-mysql restart

Edit /etc/fstab. Mine looks like this (I added ,usrjquota=aquota.user,,jqfmt=vfsv0 to the partition with the mount point /):

vi /etc/fstab

# /etc/fstab: static file system information.
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
proc            /proc           proc    defaults        0       0
# / was on /dev/sda1 during installation
UUID=92bceda2-5ae4-4e3a-8748-b14da48fb297 /               ext3    errors=remount-ro,usrjquota=aquota.user,,jqfmt=vfsv0 0       1
# swap was on /dev/sda5 during installation
UUID=e24b3e9e-095c-4b49-af27-6363a4b7d094 none            swap    sw              0       0
/dev/scd0       /media/cdrom0   udf,iso9660 user,noauto     0       0
/dev/fd0        /media/floppy0  auto    rw,user,noauto  0       0

To enable quota, run these commands:

mount -o remount /

quotacheck -avugm
quotaon -avug


14 Install BIND DNS Server

BIND can be installed as follows:

apt-get install bind9 dnsutils


15 Install Vlogger, Webalizer, And AWstats

Vlogger, webalizer, and AWstats can be installed as follows:

apt-get install vlogger webalizer awstats geoip-database

Open /etc/cron.d/awstats afterwards...

vi /etc/cron.d/awstats

... and comment out both cron jobs in that file:

#*/10 * * * * www-data [ -x /usr/share/awstats/tools/ ] && /usr/share/awstats/tools/
# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/ ] && /usr/share/awstats/tools/


16 Install Jailkit

Jailkit is needed only if you want to chroot SSH users. It can be installed as follows (important: Jailkit must be installed before ISPConfig - it cannot be installed afterwards!):

apt-get install build-essential autoconf automake1.9 libtool flex bison debhelper

cd /tmp
tar xvfz jailkit-2.13.tar.gz
cd jailkit-2.13
./debian/rules binary
cd ..
dpkg -i jailkit_2.13-1_*.deb
rm -rf jailkit-2.13*

Share this page:

34 Comment(s)

Add comment


From: at: 2011-02-13 16:59:43

With this configuration I am unable to fetchmail in ISPConfig due to not being able to resolve the the domain name of the external mailbox. If i turn off the firewall, dns works fine. If I open all ports > 1000 it works fine. I believe this has something to do with the return port of the dns query to my name server? Maybe iptables?

From: JeffryL at: 2011-03-26 17:21:25

Great tutorial but even better if it would also describe how to force ISP over a secure connection (https) which is not very hard to configure. E.g. this site describes one way, although enabling ssh is not necessary anymore after fulfilling this tutorial and ISP3 has some standard configuration lines that can be uncommented... (And why isn't ssl standard in ISP3?!?!)

Second, and perhaps a bit more difficult is securing phpmyadmin. I think phpmyadmin as a 'folder' in a website is not very secure since you cannot easily force it to connect over ssl (or can you? Lemme know!) On my server I would prefer phpmyadmin only accessible over ssl.

From: Anonymous at: 2011-06-09 09:42:49

Isn't FAM necessary for Courier IMAP? Most mailclients seem to complain when it is not installed..

From: at: 2012-03-21 17:30:33

remember to apt-get update and apt-get upgrade before start 

apt-get install ssh openssh-server

packages change names ... like happen to me a few minutes a go ...  

From: Idrassi at: 2011-02-11 17:05:18

The following two commands must be run before quotacheck and quotaon :

touch /aquota.user /
chmod 600 /aquota.*

From: JeffryL at: 2011-03-26 17:06:41

Not necessary anymore. Files are made automatically with the right permissions.

From: Pilgrim at: 2011-02-21 11:33:58


Great tutorial,
but I have a small problem with postfix.
I'm using domain with NSSet to my server. Domain is a for example
This domain is a NS domain for nameservers too like and

Problem is a with Postfix main.cnf file with mydestination param.
The default settings is a:

mydestination =, localhost, localhost.localdomain

If I sent email to any mailbox on this domain, the email was not delivered and I delivered back to sender error: Undelivered Mail Returned to Sender - unknown user "test".

Anyother domains on this server are OK and theirs emails were successfully delivered.

I was change this mydestination param for fixing this problem to:

mydestination =, localhost, localhost.localdomain

After this, all emails to were succesfully delivered.
The param mydestination must be a FQDN hostname of server.

 (sorry for my english) ;-)

From: Cody at: 2011-05-05 19:17:22

E: Unable to locate package libsas12-2
E: Unable to locate package libsas12-modules
E: Unable to locate package libsas12-modules-sql
E: Unable to locate package sas12-bin

and i can't continue from there because i need SQL to be installed

i'm a newby, how do i check if its been installed and if its running?

(up until here i followed your tutorial exactly [excluding hostname / domainname / username / repositories] and its worked!)


From: Anonymous at: 2011-05-20 21:54:08

It's not libsas1 but libsasl with the L not the 1

From: at: 2011-05-18 10:08:13

For the new version of the JailKit, change the following. This fixes the following:

Jailkit 2.14 fixes a infinite loop in jk_cp and jk_init if ldd output for some reason contains two slashes (//lib/ Furthermore, jk_chrootsh can now be called as 'su'

cd /tmp
tar xvfz jailkit-2.14.tar.gz
cd jailkit-2.14
./debian/rules binary
cd ..
dpkg -i jailkit_2.14-1_*.deb
rm -rf jailkit-2.14*

From: Steboo at: 2011-05-27 14:22:36

Don´t forget to install the libfam0 or libgamin0 if you want to use the IMAP-Server.


From: lenz at: 2011-06-09 08:52:22

To prevent filesystem error like this:

"IMAP server information: Filesystem notification initialization error -- contact your mail administrator (check for configuration errors with the FAM/Gamin library)"

install gamin:

apt-get install gamin

( )

From: Ed at: 2011-09-19 19:17:55


I can't get past step 10 - I receive an "Abort." on the terminal screen when I enter "Y" to continue with the installation of the packages.

This is a amd 64 bit system that came pre-configured with debian squeeze 64 bit for amd64, but with nothing else, I think.

Why would I receive that Abort by the system when trying to install the packages in step 10?

Thanks for any help - I am new with 64 bit debian and squeze.



From: Ed at: 2011-09-20 09:36:40


I solved this problem by using aptitude instead of apt-get

IBM machine with Opteron 2218  squeeze amd64

From: at: 2011-10-24 20:43:16

Are you getting pthread errors? For example, it might complain that pthread is not found:

jk_socketd.c:(.text+0xa94): undefined reference to `pthread_create'

If so, try this solution:

LIBS=-pthread ./debian/rules binary

From: Anonymous at: 2012-01-06 22:31:39

When I try the following command (from the guide) I get an error:

 ./debian/rules binary


checking whether we are cross compiling... configure: error: in `/tmp/jailkit-2.13':
configure: error: cannot run C compiled programs.
If you meant to cross compile, use `--host'.
See `config.log' for more details.
make: *** [config.status] Error 1

 I have checked so "gcc is already the newest version." and libpq5 is installed.
Why cant my debian make this compilation?

From: bjarne at: 2012-02-28 16:25:14

By default the SSL certificates for IMAP and POP3 has a lifetime of 1 year. It is possible to change this by editing mkimapdcert and mkpop3dcert scripts directly:
vi /usr/sbin/mkimapdcert
vi /usr/sbin/mkpop3dcert

#look for line /usr/bin/openssl req -new -x509 -days 365 -nodes \

Remove the old certficates and run mkimapdcert and mkpop3dcert again

From: pallermo at: 2012-08-03 07:59:10

Hmm...I am getting this kind of message (error) when I try  "quotacheck -avugm"

 quotacheck: Cannot find filesystem to check or filesystem not mounted with quota option.

Eveything is ql but only this is the problem.  

 fstab is next:

proc /proc proc defaults 0 0

none /dev/pts devpts gid=5,mode=620 0 0

/dev/md0 none swap sw 0 0

/dev/md1 /boot ext3 defaults 0 0

/dev/md2 / ext4 defaults 0 0 errors=remount-ro,usrjquota=aquota.user,,jqfmt=vfsv0 0       1

From: Rifqi Kennedy at: 2013-03-06 05:06:18

i can't install vim-nox, because this packets there isn't, how about that ??

From: at: 2011-10-29 02:17:34

For fail2ban and SASL read Debian bug #507990, it's important:

From: bandie at: 2012-02-10 13:30:03

May I ask, How to regenerate all apache vhost config files at once? I have 4000 sites maintaned by ISPConfig and vhost template modified.

From: gibbo at: 2012-03-18 14:06:35


This has been a brilliant tutorial and i ve got my server working because of it, may i just ask how i know what my username and password would be for squirrel Mail Please, im ok with ispconfig but no idea what my password and username would be for the squirrelmail screen above

 Many Thanks

From: Marto at: 2011-02-21 12:59:35

my probelm with not work but download file
edit / etc/apache2/mods-enabled/suphp.conf
comment out this section:

# <Directory /usr/share>
# SuPHP_Engine off
# </ Directory>

/ etc/init.d/apache2 restart

edit / etc/apache2/mods-enabled/suphp.conf
uncomment those lines

<Directory /usr/share>
suPHP_Engine off
</ Directory>

a2dismod suphp
/ etc/init.d/apache2 restart

From: at: 2011-02-23 15:14:23

Hi ; put the solution the Marto, is not funtionally, but , if install CMS , example joomla, 

 the error is if install any component appear "error 500 internal error"

 any solution for this solution?

From: Anonymous at: 2011-04-01 20:41:32

Thx, very great Tutorial

From: Mindscape at: 2011-05-02 21:20:44

It works great but i cant send emails. I always get the error Sender address rejected: not logged in.

From: Axel at: 2011-05-19 12:06:01

same here :(

From: Enes Mujovi at: 2011-11-16 03:54:30


From: at: 2012-03-20 13:07:42

Edit your /etc/vz/conf/<<VZID>>.conf

(Check if it´s on another place i´m using proxmox then on pmox the file is located on this place)

 Check if CAPABILITY line exists. if not copy the line below and put it on your container config.

#Extras Ispconfig3

From: MyName at: 2012-02-07 10:08:35

Hi there,

No troubles at all! All steps on all the pages worked perfectly! 
Thank you for taking the effort to create this manual!


Marcel / Get IT Service

From: pallermo at: 2012-08-03 08:18:19

Hi guys, this is so great tutorial! Till now I had small problem with quota but now I saw another issue with ftp server. Everything is working correctly (I mean on FTP) but when I access to a folder I can easily go up in upper foler from my home directory. At this way I can come to / and to read eveything. (I can't delete but never mind). My home dir for ftp is example: /var/www/clients/client1/web3/ftp - so I can enter to /var/www/clients/client1/web3/ in reverse till root folder / :)

Does anybody know how to block this? PureFTPD doesn't have configuration file, it has run options. Maybe somebody faced also with this kind of problem.




From: Adrian at: 2012-08-08 23:15:54

I have big problems with dns...

 root@server1:/nslookup localhost
;; Got SERVFAIL reply from, trying next server


 Pls help..

From: at: 2013-03-23 16:40:52

Hi Falko,

In my opinion this is the best tutorial for installing ISPConfig 3.  I refer to this time and time again. The amount of detail you put into this is greatly appreciated.

Great!  Thank you...


From: Yvanoph at: 2013-06-28 18:40:15

Hi there, use this few times and was well workin, till six months ago, last time in fact I used !

But today, "php -q install.php" is not working ans send me "bash" : php

Deleted all, ask since beginning, but I have every time the same answer !

I bought book about how to use ISPConfig3 at  their Site .org, but unfortunately, nothing explained about to how to put in place ? ? ?

So, something changed ?

Kind regards, Yvanoph---


P.S. Sorry for my poor English, I don't use every day to write since may 30 years...