The Perfect Server - Fedora 10 [ISPConfig 3] - Page 6

20 Install Jailkit

Jailkit is needed only if you want to chroot SSH users. It can be installed as follows (important: Jailkit must be installed before ISPConfig - it cannot be installed afterwards!):

cd /tmp
wget http://olivier.sessink.nl/jailkit/jailkit-2.5.tar.gz
tar xvfz jailkit-2.5.tar.gz
cd jailkit-2.5
./configure
make
make install
cd ..
rm -rf jailkit-2.5*

 

21 Install fail2ban

This is optional but recommended, because the ISPConfig monitor tries to show the log:

yum install fail2ban

chkconfig --levels 235 fail2ban on
/etc/init.d/fail2ban start

 

22 Install rkhunter

rkhunter can be installed as follows:

yum install rkhunter

 

23 Install SquirrelMail

To install the SquirrelMail webmail client, run...

yum install squirrelmail

... and restart Apache:

/etc/init.d/httpd restart

Then configure SquirrelMail:

/usr/share/squirrelmail/config/conf.pl

We must tell SquirrelMail that we are using Courier-IMAP/-POP3:

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1.  Organization Preferences
2.  Server Settings
3.  Folder Defaults
4.  General Options
5.  Themes
6.  Address Books
7.  Message of the Day (MOTD)
8.  Plugins
9.  Database
10. Languages

D.  Set pre-defined settings for specific IMAP servers

C   Turn color off
S   Save data
Q   Quit

Command >> <-- D


SquirrelMail Configuration : Read: config.php
---------------------------------------------------------
While we have been building SquirrelMail, we have discovered some
preferences that work better with some servers that don't work so
well with others.  If you select your IMAP server, this option will
set some pre-defined settings for that server.

Please note that you will still need to go through and make sure
everything is correct.  This does not change everything.  There are
only a few settings that this will change.

Please select your IMAP server:
    bincimap    = Binc IMAP server
    courier     = Courier IMAP server
    cyrus       = Cyrus IMAP server
    dovecot     = Dovecot Secure IMAP server
    exchange    = Microsoft Exchange IMAP server
    hmailserver = hMailServer
    macosx      = Mac OS X Mailserver
    mercury32   = Mercury/32
    uw          = University of Washington's IMAP server

    quit        = Do not change anything
Command >> <-- courier


SquirrelMail Configuration : Read: config.php
---------------------------------------------------------
While we have been building SquirrelMail, we have discovered some
preferences that work better with some servers that don't work so
well with others.  If you select your IMAP server, this option will
set some pre-defined settings for that server.

Please note that you will still need to go through and make sure
everything is correct.  This does not change everything.  There are
only a few settings that this will change.

Please select your IMAP server:
    bincimap    = Binc IMAP server
    courier     = Courier IMAP server
    cyrus       = Cyrus IMAP server
    dovecot     = Dovecot Secure IMAP server
    exchange    = Microsoft Exchange IMAP server
    hmailserver = hMailServer
    macosx      = Mac OS X Mailserver
    mercury32   = Mercury/32
    uw          = University of Washington's IMAP server

    quit        = Do not change anything
Command >> courier

              imap_server_type = courier
         default_folder_prefix = INBOX.
                  trash_folder = Trash
                   sent_folder = Sent
                  draft_folder = Drafts
            show_prefix_option = false
          default_sub_of_inbox = false
show_contain_subfolders_option = false
            optional_delimiter = .
                 delete_folder = true

Press any key to continue... <-- press a key


SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1.  Organization Preferences
2.  Server Settings
3.  Folder Defaults
4.  General Options
5.  Themes
6.  Address Books
7.  Message of the Day (MOTD)
8.  Plugins
9.  Database
10. Languages

D.  Set pre-defined settings for specific IMAP servers

C   Turn color off
S   Save data
Q   Quit

Command >> <-- S


SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1.  Organization Preferences
2.  Server Settings
3.  Folder Defaults
4.  General Options
5.  Themes
6.  Address Books
7.  Message of the Day (MOTD)
8.  Plugins
9.  Database
10. Languages

D.  Set pre-defined settings for specific IMAP servers

C   Turn color off
S   Save data
Q   Quit

Command >> <-- Q

One last thing we need to do is modify the file /etc/squirrelmail/config_local.php and comment out the $default_folder_prefix variable - if you don't do this, you will see the following error message in SquirrelMail after you've logged in: Query: CREATE "Sent" Reason Given: Invalid mailbox name.

vi /etc/squirrelmail/config_local.php

<?php
/**
 * Local config overrides.
 *
 * You can override the config.php settings here.
 * Don't do it unless you know what you're doing.
 * Use standard PHP syntax, see config.php for examples.
 *
 * @copyright &copy; 2002-2006 The SquirrelMail Project Team
 * @license http://opensource.org/licenses/gpl-license.php GNU Public License
 * @version $Id: config_local.php,v 1.2 2006/07/11 03:33:47 wtogami Exp $
 * @package squirrelmail
 * @subpackage config
 */
//$default_folder_prefix                = '';
?>

Now you can type in http://server1.example.com/webmail or http://192.168.0.100/webmail in your browser to access SquirrelMail.

 

24 Install ISPConfig 3

Uninstall BIND and Dovecot so that the ISPConfig installer configures ISPConfig for MyDNS and Courier:

yum remove bind dovecot

To install ISPConfig 3 from the latest released version, do this:

cd /tmp
wget -O ISPConfig-3.0.1.tar.gz 'http://downloads.sourceforge.net/ispconfig/ISPConfig-3.0.1.tar.gz?use_mirror='
tar xvfz ISPConfig-3.0.1.tar.gz
cd ispconfig3_install/install/

(Replace ISPConfig-3.0.1.tar.gz with the latest version.)

The next step is to run

php -q install.php

This will start the ISPConfig 3 installer:

[root@server1 install]# php -q install.php


--------------------------------------------------------------------------------
 _____ ___________   _____              __ _
|_   _/  ___| ___ \ /  __ \            / _(_)
  | | \ `--.| |_/ / | /  \/ ___  _ __ | |_ _  __ _
  | |  `--. \  __/  | |    / _ \| '_ \|  _| |/ _` |
 _| |_/\__/ / |     | \__/\ (_) | | | | | | | (_| |
 \___/\____/\_|      \____/\___/|_| |_|_| |_|\__, |
                                              __/ |
                                             |___/
--------------------------------------------------------------------------------


>> Initial configuration

Operating System: Fedora 10 or compatible

    Following will be a few questions for primary configuration so be careful.
    Default values are in [brackets] and can be accepted with <ENTER>.
    Tap in "quit" (without the quotes) to stop the installer.


Select language (en,de) [en]: <-- ENTER

Installation mode (standard,expert) [standard]: <-- ENTER

Full qualified hostname (FQDN) of the server, eg server1.domain.tld  [server1.example.com]: <-- ENTER

MySQL server hostname [localhost]: <-- ENTER

MySQL root username [root]: <-- ENTER

MySQL root password []: <-- yourrootsqlpassword

MySQL database to create [dbispconfig]: <-- ENTER

MySQL charset [utf8]: <-- ENTER

Generating a 2048 bit RSA private key
..............................+++
..........................................+++
writing new private key to 'smtpd.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]: <-- ENTER
State or Province Name (full name) [Berkshire]: <-- ENTER
Locality Name (eg, city) [Newbury]: <-- ENTER
Organization Name (eg, company) [My Company Ltd]: <-- ENTER
Organizational Unit Name (eg, section) []: <-- ENTER
Common Name (eg, your name or your server's hostname) []: <-- ENTER
Email Address []: <-- ENTER
Configuring Jailkit
Configuring SASL
Configuring PAM
Configuring Courier
Configuring Spamassassin
Configuring Amavisd
Configuring Getmail
Configuring Pureftpd
Configuring MyDNS
Configuring Apache
Configuring Firewall
Installing ISPConfig
ISPConfig Port [8080]: <-- ENTER

Configuring DBServer
Installing Crontab
no crontab for root
no crontab for getmail
Restarting services ...
Stopping MySQL:                                            [  OK  ]
Starting MySQL:                                            [  OK  ]
Shutting down postfix:                                     [  OK  ]
Starting postfix:                                          [  OK  ]
Stopping saslauthd:                                        [  OK  ]
Starting saslauthd:                                        [  OK  ]
Waiting for the process [1788] to terminate
Daemon [1788] terminated by SIGTERM
Shutting down amavisd:                                     [  OK  ]
amavisd stopped
Starting amavisd:                                          [  OK  ]

Stopping clamd.amavisd:                                    [  OK  ]
Starting clamd.amavisd:                                    [  OK  ]
Stopping Courier authentication services: authdaemond
Starting Courier authentication services: authdaemond
Stopping Courier-IMAP server: imap imap-ssl pop3 pop3-ssl
Starting Courier-IMAP server: imap imap-ssl pop3 pop3-ssl
Stopping Courier-IMAP server: imap imap-ssl pop3 pop3-ssl
Starting Courier-IMAP server: imap imap-ssl pop3 pop3-ssl
Stopping Courier-IMAP server: imap imap-ssl pop3 pop3-ssl
Starting Courier-IMAP server: imap imap-ssl pop3 pop3-ssl
Stopping Courier-IMAP server: imap imap-ssl pop3 pop3-ssl
Starting Courier-IMAP server: imap imap-ssl pop3 pop3-ssl
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
Stopping pure-ftpd:                                        [  OK  ]
Starting pure-ftpd:                                        [  OK  ]
Installation completed.
[root@server1 install]#

The installer automatically configures all underlying services, so no manual configuration is needed.

Afterwards you can access ISPConfig 3 under http://server1.example.com:8080/ or http://192.168.0.100:8080/. Log in with the username admin and the password admin (you should change the default password after your first login).

The system is now ready to be used.

 

24.1 ISPConfig 3 Manual

 

25 Links


Comments

From: at: 2009-04-18 09:18:37

Make sure all software updates and fixes are done before installing ISPConfig 3 at the end.

I've had some trouble with the fc10 recommended Postfix update (2.2.5.6-1). After the update the config for Postfix is wrong.

Also, MyDNS is available in a more recent version (1.2.8.25) where the .conf setup is slightly different (but the file is at the same location).

From: G. Lohmann at: 2009-05-06 20:24:25

First of all, thanks for the work and the great HowTo for that!

However some remarks:

- 6 Disable SELinux

NOPE ... don't give this as the best advice, especially as some people may run in a virtual server environment where they could not disable it at all. I know the first confrontation with SELinux is harsh and filled with a lot of warnings and errors but it is easy to get around that.

For example:

If you have freshly installed ISPConfig and it is up and running, you may get a lot of warnings about vlogger. It will not even work as expected. The warning:

... vlogger has no access to potential wrong marked files (./localhost.localdomain) ...

sounds a bit cryptic, but the fact is that vlogger cannot write to the logging directory to write to e.g. 'localhost.localdomain-access.log', as there are rights missing.

If you do:

/var/log# ls -alZ
drwx------  root      root   system_u:object_r:httpd_log_t:s0 httpd
drwxr-xr-x  root      root   unconfined_u:object_r:var_log_t:s0 ispconfig

The entry for the user 'unconfined_u' (nobody) and for the type 'var_log_t' (inherited logging type) is already not that good. The reason is that it is a Perl script like a CGI, called by Apache and running with the user rights of httpd, and it is therefore restricted in writing to that folder. As we can see, the log folder of httpd already has a different type, 'httpd_log_t'.

But two single lines changing these control settings already solve all your warnings and errors with vlogger:

/var/log# chcon -R -u system_u ispconfig
/var/log# chcon -R -t httpd_sys_script_rw_t ispconfig

The type 'httpd_sys_script_rw_t' is telling SELinux that scripts called by apache are allowed to (r)ead and (w)rite to that folder.

The example above is the most common reason for errors: specific programs, or scripts called by them, do not have write or read access to unknown folders or files that may not even belong to them.

ISPConfig should not disable but benefit from those rights, as it would for example allow 'jailing' Client configurations into their own environment by defining own types for each single Client.

I am still a beginner in SELinux myself, but if I find some time I will try to write a list of needed control settings to get ISPConfig completely running without the need to shut it down.
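A check for the labelling problem described in the comment above, as an added example that is not part of the original comment or of ISPConfig: it reads `ls -Z` output, compares a directory's SELinux type with the expected one, and prints the persistent form of the fix (semanage fcontext plus restorecon), since a label set with chcon alone is lost when the filesystem is relabelled. The function names and the sample listing are constructed for illustration; the target type is the one chosen in the comment.

```shell
#!/bin/sh
# Added example (not from the original page): audit the SELinux type of a
# directory in `ls -Z` output and print a relabel plan that persists.

# Constructed sample, modelled on the `ls -alZ` output in the comment.
SAMPLE_LS='drwx------  root root system_u:object_r:httpd_log_t:s0 httpd
drwxr-xr-x  root root unconfined_u:object_r:var_log_t:s0 ispconfig'

# selinux_type NAME: read `ls -Z` lines on stdin and print the SELinux
# type of entry NAME. The context is the first field shaped like
# user:role:type[:level]; NAME must be the last field (no spaces).
selinux_type() {
    awk -v name="$1" '
        $NF == name {
            for (i = 1; i < NF; i++) {
                n = split($i, ctx, ":")
                if (n >= 3 && ctx[2] ~ /_r$/) { print ctx[3]; found = 1; exit }
            }
        }
        END { if (!found) exit 1 }'
}

# relabel_plan DIR WANT: compare the type of DIR in the listing on stdin
# with WANT and print commands for an admin to review and run as root.
# Prints nothing when the type already matches; returns 2 if DIR is absent.
relabel_plan() {
    dir=$1 want=$2
    have=$(selinux_type "$(basename "$dir")") || {
        echo "# $dir: no SELinux context found in listing"; return 2
    }
    [ "$have" = "$want" ] && return 0
    echo "# $dir is $have, expected $want"
    # chcon alone is undone by restorecon or a full relabel; recording
    # the rule in the local file-context policy makes it persistent.
    echo "semanage fcontext -a -t $want '$dir(/.*)?'"
    echo "restorecon -Rv $dir"
}

printf '%s\n' "$SAMPLE_LS" | relabel_plan /var/log/ispconfig httpd_sys_script_rw_t
```

On a live system the listing would come from `ls -dZ /var/log/*` instead of the constructed sample.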

From: antoine at: 2009-08-17 22:39:11

Make sure you also install:

yum install cyrus-sasl-plain

else you get errors in mail and it won't work.

From: G. Lohmann at: 2009-05-06 20:54:27

about "visudo"

I am not a geek with sudo, but if I run visudo it already writes:

## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.

Which would mean that:

compileuser ALL=(ALL) ALL

will probably give this user all the same rights as root himself, making a second root user that does not even need to type the root password. If that is true, I do not need sudo at all but can directly act as root. Moreover, I created a potential security gap!

The fact is, except for installing an rpm package to the system, I normally do not need root rights at all. A default user in Fedora can run tools like 'make', 'gcc', 'rpmbuild' and even 'rpm -Uvh my_package.src.rpm' without any additional rights.

For installing a single package it should be sufficient to do a

# su -c 'rpm -Uvh my_package.rpm'

which would ask me for the root password before installing but should not hurt for that single file. If you already work as a root user anyway, we can do the install directly and do not need to bother about sudo, but then the question is why I use sudo at all.

Also a good idea might be to use on Fedora

# yum localinstall my_package.rpm

which does the same as the rpm install but keeps track of the package in yum and also installs dependencies if necessary.
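The risk raised in the comment above can be checked mechanically. This added example (not part of the original comment or of sudo) scans sudoers text for rules whose command list is ALL, which is what makes an account equivalent to root; the function name and the sample file are constructed, and it assumes one rule per line with no backslash continuations and no aliases that expand to ALL.

```shell
#!/bin/sh
# Added example (not from the original page): list sudoers rules that
# grant unrestricted command execution, as "who runas auth".

# Constructed sample sudoers content.
SAMPLE_SUDOERS='## Sudoers allows particular users to run various commands as
Defaults    requiretty
root    ALL=(ALL)       ALL
compileuser ALL=(ALL) ALL
%wheel  ALL=(ALL)       NOPASSWD: ALL
builder ALL=(root) /usr/bin/yum localinstall /home/builder/out.rpm'

# sudoers_full_root: read sudoers text on stdin and print every user or
# group (other than root) whose rule allows ALL commands. The third
# column says whether a password is still required for that rule.
# Assumption: one rule per line, no continuations, no Cmnd_Alias = ALL.
sudoers_full_root() {
    awk '
        $1 ~ /^#/ || NF == 0 { next }                 # comments, blanks
        $1 ~ /^Defaults/ || $1 ~ /_Alias$/ { next }   # not user rules
        $1 == "root" { next }                         # root is root anyway
        {
            spec = $0
            sub(/^[^=]*=[ \t]*/, "", spec)            # drop "who host ="
            runas = "root"                            # default run-as user
            if (match(spec, /^\([^)]*\)/)) {
                runas = substr(spec, 2, RLENGTH - 2)
                spec = substr(spec, RLENGTH + 1)
            }
            auth = (spec ~ /NOPASSWD:/) ? "NOPASSWD" : "password"
            gsub(/[A-Z]+:/, "", spec)                 # strip tags
            gsub(/[ \t]/, "", spec)
            if (spec == "ALL" || index(spec, "ALL,") == 1) print $1, runas, auth
        }'
}

printf '%s\n' "$SAMPLE_SUDOERS" | sudoers_full_root
```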

From: Martin at: 2014-07-01 11:32:41

I tried to install it on CentOS 6.5 but was unsuccessful. I installed
courier-unicode-1.1.tar.bz2 and then I tried to install
courier-authlib-0.66.1.20140114.tar.bz2, but it did not go well.
I got this error:
"The Courier Unicode Library appears not to be installed. You may need to
install a separate development subpackage, in addition to the main package
error: Bad exit status from /var/tmp/rpm-tmp.LecCXX (%prep)". 
 
I don't know what I can do for now, because I installed unicode devel successfully but it still
is missing. Could somebody help me, please?

From: Anonymous at: 2009-04-14 12:06:46

The MyDNS software does not work with this install, the software will not start at boot due to setup problem.

Check http://mydns.bboy.net/ for the solution!

From: klerik at: 2009-08-13 15:32:06

Thanks for this howto ...

From: incubus at: 2009-08-30 14:43:23

Thanks - a very nice how to - it worked perfect!!!