The Perfect Server - Debian Squeeze (Debian 6.0) With BIND & Dovecot [ISPConfig 3] - Page 4

10 Install Postfix, Dovecot, Saslauthd, MySQL, phpMyAdmin, rkhunter, binutils

We can install Postfix, Dovecot, Saslauthd, MySQL, phpMyAdmin, rkhunter, and binutils with a single command:

apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d sudo

You will be asked the following questions:

General type of mail configuration: <-- Internet Site
System mail name: <--
New password for the MySQL "root" user: <-- yourrootsqlpassword
Repeat password for the MySQL "root" user: <-- yourrootsqlpassword

Next open the TLS/SSL and submission ports in Postfix:

vi /etc/postfix/

Uncomment the submission and smtps sections (leave -o milter_macro_daemon_name=ORIGINATING as we don't need it):

submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING

Restart Postfix afterwards:

/etc/init.d/postfix restart

We want MySQL to listen on all interfaces, not just localhost, therefore we edit /etc/mysql/my.cnf and comment out the line bind-address =

vi /etc/mysql/my.cnf

# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address           =

Then we restart MySQL:

/etc/init.d/mysql restart

Now check that networking is enabled. Run

netstat -tap | grep mysql

The output should look like this:

root@server1:~# netstat -tap | grep mysql
tcp        0      0 *:mysql                 *:*                     LISTEN      10617/mysqld


11 Install Amavisd-new, SpamAssassin, And Clamav

To install amavisd-new, SpamAssassin, and ClamAV, we run

apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl

The ISPConfig 3 setup uses amavisd which loads the SpamAssassin filter library internally, so we can stop SpamAssassin to free up some RAM:

/etc/init.d/spamassassin stop
update-rc.d -f spamassassin remove


12 Install Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear, And mcrypt

Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear, and mcrypt can be installed as follows:

apt-get install apache2 apache2.2-common apache2-doc apache2-mpm-prefork apache2-utils libexpat1 ssl-cert libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-curl php5-mcrypt mcrypt php5-imagick imagemagick libapache2-mod-suphp libruby libapache2-mod-ruby libapache2-mod-python libapache2-mod-perl2

You will see the following questions:

Web server to reconfigure automatically: <-- apache2
Configure database for phpmyadmin with dbconfig-common? <-- No

Then run the following command to enable the Apache modules suexec, rewrite, ssl, actions, and include (plus dav, dav_fs, and auth_digest if you want to use WebDAV):

a2enmod suexec rewrite ssl actions include
a2enmod dav_fs dav auth_digest

Restart Apache afterwards:

/etc/init.d/apache2 restart


13 Install PureFTPd And Quota

PureFTPd and quota can be installed with the following command:

apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool

Edit the file /etc/default/pure-ftpd-common...

vi /etc/default/pure-ftpd-common

... and make sure the start mode is set to standalone and set VIRTUALCHROOT=true:


Edit the file /etc/inetd.conf to prevent inetd from trying to start ftp:

vi /etc/inetd.conf

If there is a line beginning withftp stream tcp, comment it out (if there's no such file, then that is fine, and you don't have to modify /etc/inetd.conf):

#:STANDARD: These are standard services.
#ftp    stream  tcp     nowait  root    /usr/sbin/tcpd /usr/sbin/pure-ftpd-wrapper

If you had to modify /etc/inetd.conf, restart inetd now:

/etc/init.d/openbsd-inetd restart

Now we configure PureFTPd to allow FTP and TLS sessions. FTP is a very insecure protocol because all passwords and all data are transferred in clear text. By using TLS, the whole communication can be encrypted, thus making FTP much more secure.

If you want to allow FTP and TLS sessions, run

echo 1 > /etc/pure-ftpd/conf/TLS

In order to use TLS, we must create an SSL certificate. I create it in /etc/ssl/private/, therefore I create that directory first:

mkdir -p /etc/ssl/private/

Afterwards, we can generate the SSL certificate as follows:

openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem

Country Name (2 letter code) [AU]: <-- Enter your Country Name (e.g., "DE").
State or Province Name (full name) [Some-State]:
<-- Enter your State or Province Name.
Locality Name (eg, city) []:
<-- Enter your City.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
<-- Enter your Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) []:
<-- Enter your Organizational Unit Name (e.g. "IT Department").
Common Name (eg, YOUR name) []:
<-- Enter the Fully Qualified Domain Name of the system (e.g. "").
Email Address []:
<-- Enter your Email Address.

Change the permissions of the SSL certificate:

chmod 600 /etc/ssl/private/pure-ftpd.pem

Then restart PureFTPd:

/etc/init.d/pure-ftpd-mysql restart

Edit /etc/fstab. Mine looks like this (I added ,usrjquota=aquota.user,,jqfmt=vfsv0 to the partition with the mount point /):

vi /etc/fstab

# /etc/fstab: static file system information.
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
proc            /proc           proc    defaults        0       0
# / was on /dev/sda1 during installation
UUID=92bceda2-5ae4-4e3a-8748-b14da48fb297 /               ext3    errors=remount-ro,usrjquota=aquota.user,,jqfmt=vfsv0 0       1
# swap was on /dev/sda5 during installation
UUID=e24b3e9e-095c-4b49-af27-6363a4b7d094 none            swap    sw              0       0
/dev/scd0       /media/cdrom0   udf,iso9660 user,noauto     0       0
/dev/fd0        /media/floppy0  auto    rw,user,noauto  0       0

To enable quota, run these commands:

mount -o remount /

quotacheck -avugm
quotaon -avug


14 Install BIND DNS Server

BIND can be installed as follows:

apt-get install bind9 dnsutils


15 Install Vlogger, Webalizer, And AWstats

Vlogger, webalizer, and AWstats can be installed as follows:

apt-get install vlogger webalizer awstats geoip-database

Open /etc/cron.d/awstats afterwards...

vi /etc/cron.d/awstats

... and comment out both cron jobs in that file:

#*/10 * * * * www-data [ -x /usr/share/awstats/tools/ ] && /usr/share/awstats/tools/
# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/ ] && /usr/share/awstats/tools/


16 Install Jailkit

Jailkit is needed only if you want to chroot SSH users. It can be installed as follows (important: Jailkit must be installed before ISPConfig - it cannot be installed afterwards!):

apt-get install build-essential autoconf automake1.9 libtool flex bison debhelper

cd /tmp
tar xvfz jailkit-2.14.tar.gz
cd jailkit-2.14
./debian/rules binary
cd ..
dpkg -i jailkit_2.14-1_*.deb
rm -rf jailkit-2.14*

Share this page:

31 Comment(s)

Add comment


From: Rasmus at: 2012-04-14 11:46:43

Great tutorial, thanks!
I followed it, except using Ubuntu 11.10, and when I was done the package dovecot-mysql was missing - resulting in not being able to login to dovecot. Just a heads ups if anyone else have that problem.

Thanks again.

From: Dr. Yves Kreis at: 2012-10-15 15:01:12
From: Dr. Yves Kreis at: 2012-10-15 15:26:54

For Ubuntu 11.10 follow the following tutorial:

From: Dr. Yves Kreis at: 2012-10-28 09:43:16

Even a newer one is available by now:

From: Ahmad at: 2012-07-29 07:42:24

Just feel to share the new link for downloading debian iso image cd, the above link i s not working.

for 32 bit pc:

 and for 64 bit pc:


hope this helps.


From: Dr. Yves Kreis at: 2012-10-15 14:58:28

Better check under where you always get the latest one...

From: Anonymous at: 2012-07-28 15:31:50

deb squeeze main

From: Rothbard at: 2013-03-05 09:20:49

This script will install all of the necessary programs and changes that need to be made to get ISPConfig running successfully. It uses the Perfect Server guide from Falko Timme as the guide. If you would like, you can manually install all of the things needed using the guides that he has provided. I am just trying to streamline the process.

From: at: 2012-04-05 16:05:31

I got some warnings while installing Jailkit

insserv: warning: script 'K01jailkit' missing LSB tags and overrides
insserv: warning: script 'jailkit' missing LSB tags and overrides

so i added the the init.d-config-comment to /etc/init.d/jailkit
# Provides:          jailkit
# Required-Start:    $syslog
# Required-Stop:     $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: jailkit init
# Description:


From: Imam86 at: 2012-08-01 00:51:58

07-06-2012: Jailkit 2.15 released

They resolved the issues:

insserv: warning: script 'K01jailkit' missing LSB tags and overrides
insserv: warning: script 'jailkit' missing LSB tags and overrides

So the revision:

cd /tmp
tar xvfz jailkit-2.15.tar.gz
cd jailkit-2.15
./debian/rules binary

cd ..
dpkg -i jailkit_2.15-1_*.deb
rm -rf jailkit-2.15*

From: bikercho at: 2012-05-25 17:28:10

To enable quota, run these commands:

touch /aquota.user /
chmod 600 /aquota.*

mount -o remount /

From: Dr. Yves Kreis at: 2012-10-15 15:07:13

This command quotacheck -avugm creates the two files. Thus you do not need to create them on your own...

From: contrail at: 2012-07-26 00:54:33

System set up on a VPS. Could not send email. The default setting,  for inet_interfaces in the config file  in   /etc/postfix/   is   loopback-only.   In order to use the server as an outgoing email server set the line to,  inet_interfaces = all       then restart server.


From: Dr. Yves Kreis at: 2012-10-15 14:56:18

The default setting on Debian Squeeze is already inet_interfaces = all!

From: Anonymous at: 2012-09-04 14:05:24

You may also need to add dovecot-mysql to your apt-get list.

From: Dr. Yves Kreis at: 2012-10-15 14:54:08

There is no package dovecot-mysql in Debian Squeeze!

From: Dr. Yves Kreis at: 2012-10-28 19:03:54

Also check chapter 14 of Ubuntu 12.10 The Perfect Server for additional information regarding Apache & php (especially with ISPConfig 3.0.5 which will be released soon):

From: Anonymous at: 2012-12-06 19:03:35

In Debian 6;

You'll run into AUTH problems if you uncomment ( -o smtpd_tls_security_level=encrypt) if you follow the instructions (force TLS). It should be as follows:

In: /etc/postfix/

smtp      inet  n       -       -       -       -       smtpd
submission inet n       -       -       -       -       smtpd
#  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING

From: Anonymous at: 2012-12-20 04:56:28

(Install on Wheezy/Debian 7)
Also had to install this:
apt-get install dovecot-mysql dovecot-sieve

Otherwise /var/log/mailerr had lines like this:
dovecot: auth: Fatal: Unknown database driver 'mysql'
dovecot: lda: Fatal: Plugin 'sieve' not found from directory /usr/lib/dovecot/modules

From: Aleksandar at: 2013-02-10 18:04:03

On my installation phpmyadmin wasn't accessible from url so i used method similar as you explained on last chapter how to add squirrelmail to link phpmyadmin to apache


 cd /etc/apache2/conf.d/
ln -s ../../phpmyadmin/apache.conf phpmyadmin.conf
/etc/init.d/apache2 reload

 phpmyadmin.conf was already configured so i just needed to link it.

From: suther at: 2013-05-06 19:02:05

Why you use open Ports for Mysql. I only allow it from localhost, or if a user has ssh-access, he can tunnel mysql to local port.

With gSTM on linux its easy like 1 2 3



From: suther at: 2013-05-06 19:47:43

On my Proxmox VM, i only have one comment in fstab:


Even if i activate Quota for Proxmox-system like this: 7

vzctl set 101 --quotaugidlimit 100 --save

vzctl restart 101

fstab is still empty. How can i got quotas installed?

From: contrail at: 2012-06-25 11:17:05

In the file   jail.local

 filter = pureftpd       should be     filter = pure-ftpd   

else  fail2ban ..fails to start 


From: Dr. Yves Kreis at: 2012-10-15 16:34:49

Only if you want to use the default file contained in the Debian package. If you want to use the file created in this tutorial, then filter = pureftpd is correct.

From: at: 2012-08-13 00:10:59


This is very basic but important to you, and for your hosting account later to play with php script

After install and configure SquirrelMail, go to http://your_ip/webmail/src/configtest.php


And you will see:

ERROR: You have configured PHP not to allow short tags (short_open_tag=off). This shouldn't be a problem with SquirrelMail or any plugin coded coded according to the SquirrelMail Coding Guidelines, but if you experience problems with PHP code being displayed in some of the pages and changing setting to "on" solves the problem, please file a bug report against the failing plugin. The correct contact information is most likely to be found in the plugin documentation.


So please change the php configuration at these two files:




Find and change the value of short_open_tag from Off to On



For more information, you can check here:

It's a basic php configuration, but might be the one of problems with people that use SquirreMail. 

From: Dr. Yves Kreis at: 2012-10-15 16:46:36

By default short_open_tag is set to On in both php.ini files you mention...

From: hesar at: 2011-11-16 07:30:48

Great job - precise thx for this article

From: Mika Nieminen at: 2011-12-13 20:49:06

# this text at the end off the squirrelmail.conf file made squirrelmail a bit more secure

<Directory /usr/share/squirrelmail/*>
  Deny from all
<Directory /usr/share/squirrelmail/images>
  Allow from all
<Directory /usr/share/squirrelmail/plugins>
  Allow from all
<Directory /usr/share/squirrelmail/src>
  Allow from all
<Directory /usr/share/squirrelmail/templates>
  Allow from all
<Directory /usr/share/squirrelmail/themes>
  Allow from all
<Directory /usr/share/squirrelmail/contrib>
  Order Deny,Allow
  Deny from All
  Allow from 127
  Allow from 10
  Allow from 192
<Directory /usr/share/squirrelmail/doc>
  Order Deny,Allow
  Deny from All
  Allow from 127
  Allow from 10
  Allow from 192

From: Anonymous at: 2012-12-20 04:52:27

(Install on Wheezy/Debian 7)
Also had to install:
apt-get install quota quotatool

Otherwise /var/log/ispconfig/cron.log had lines like this:
sh: repquota: command not found

From: rann at: 2013-01-21 18:20:15

Followed your Perfect Server guide for Squeeze and it went perfectly, except for the squirrelmail part. I followed this and got it working, but it's still not working for HTTPS.

Any ideas as to why?

From: at: 2013-04-21 07:34:41

Very good Job!! Thanks!!