The Perfect Server - Ubuntu 11.10 [ISPConfig 3] - Page 3

19 Install fail2ban

This is optional but recommended, because the ISPConfig monitor tries to show the fail2ban log:

apt-get install fail2ban

To make fail2ban monitor PureFTPd, SASL, and Courier, create the file /etc/fail2ban/jail.local:

vi /etc/fail2ban/jail.local

[pureftpd]
enabled  = true
port     = ftp
filter   = pureftpd
logpath  = /var/log/syslog
maxretry = 3

[sasl]
enabled  = true
port     = smtp
filter   = sasl
logpath  = /var/log/mail.log
maxretry = 5

[courierpop3]
enabled  = true
port     = pop3
filter   = courierpop3
logpath  = /var/log/mail.log
maxretry = 5

[courierpop3s]
enabled  = true
port     = pop3s
filter   = courierpop3s
logpath  = /var/log/mail.log
maxretry = 5

[courierimap]
enabled  = true
port     = imap2
filter   = courierimap
logpath  = /var/log/mail.log
maxretry = 5

[courierimaps]
enabled  = true
port     = imaps
filter   = courierimaps
logpath  = /var/log/mail.log
maxretry = 5

Then create the following five filter files:

vi /etc/fail2ban/filter.d/pureftpd.conf

[Definition]
failregex = .*pure-ftpd: \(.*@<HOST>\) \[WARNING\] Authentication failed for user.*
ignoreregex =

vi /etc/fail2ban/filter.d/courierpop3.conf

# Fail2Ban configuration file
#
# $Revision: 100 $
#
[Definition]
# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = pop3d: LOGIN FAILED.*ip=\[.*:<HOST>\]
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

vi /etc/fail2ban/filter.d/courierpop3s.conf

# Fail2Ban configuration file
#
# $Revision: 100 $
#
[Definition]
# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = pop3d-ssl: LOGIN FAILED.*ip=\[.*:<HOST>\]
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

vi /etc/fail2ban/filter.d/courierimap.conf

# Fail2Ban configuration file
#
# $Revision: 100 $
#
[Definition]
# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = imapd: LOGIN FAILED.*ip=\[.*:<HOST>\]
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

vi /etc/fail2ban/filter.d/courierimaps.conf

# Fail2Ban configuration file
#
# $Revision: 100 $
#
[Definition]
# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = imapd-ssl: LOGIN FAILED.*ip=\[.*:<HOST>\]
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

Restart fail2ban afterwards:

/etc/init.d/fail2ban restart
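
The filters above can be checked against sample log lines before relying on them. The following is an added example, not part of the original tutorial: it expands <HOST> to the alias quoted in the filter comments and runs the page's failregex lines over constructed log lines. The sample lines, addresses and function names are assumptions, and fail2ban's findtime window is ignored.

```python
import re
from collections import Counter

# <HOST> alias exactly as quoted in the filter file comments on this page.
HOST = r"(?:::f{4,6}:)?(?P<host>\S+)"

# failregex and maxretry values copied from the page's filters and jail.local.
FILTERS = {
    "pureftpd": (r".*pure-ftpd: \(.*@<HOST>\) \[WARNING\] Authentication failed for user.*", 3),
    "courierpop3": (r"pop3d: LOGIN FAILED.*ip=\[.*:<HOST>\]", 5),
    "courierpop3s": (r"pop3d-ssl: LOGIN FAILED.*ip=\[.*:<HOST>\]", 5),
    "courierimap": (r"imapd: LOGIN FAILED.*ip=\[.*:<HOST>\]", 5),
    "courierimaps": (r"imapd-ssl: LOGIN FAILED.*ip=\[.*:<HOST>\]", 5),
}

def failures(name, lines):
    """Count failregex hits per source host for one filter."""
    rx = re.compile(FILTERS[name][0].replace("<HOST>", HOST))
    hits = Counter()
    for line in lines:
        m = rx.search(line)
        if m:
            hits[m.group("host")] += 1
    return hits

def over_limit(name, lines):
    """Hosts whose hit count reaches the jail's maxretry (findtime ignored)."""
    limit = FILTERS[name][1]
    return sorted(h for h, n in failures(name, lines).items() if n >= limit)

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = (
    ["Oct 20 10:00:0%d server1 pure-ftpd: (?@203.0.113.7) [WARNING] "
     "Authentication failed for user [bob]" % i for i in range(3)]
    + ["Oct 20 10:01:0%d server1 imapd: LOGIN FAILED, user=alice, "
       "ip=[::ffff:198.51.100.23]" % i for i in range(5)]
    + ["Oct 20 10:02:00 server1 imapd-ssl: LOGIN FAILED, user=alice, "
       "ip=[::ffff:198.51.100.23]",
       # No colon inside the brackets: the ".*:" before <HOST> cannot match,
       # so this failure is never counted by the courierimap filter.
       "Oct 20 10:03:00 server1 imapd: LOGIN FAILED, user=carol, "
       "ip=[192.0.2.44]"]
)

if __name__ == "__main__":
    for name in FILTERS:
        print(name, dict(failures(name, SAMPLE_LOG)), over_limit(name, SAMPLE_LOG))
```

On the server itself, fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/courierimap.conf runs the same kind of check against the real log.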

 

20 Install SquirrelMail

To install the SquirrelMail webmail client, run

apt-get install squirrelmail

Then configure SquirrelMail:

squirrelmail-configure

We must tell SquirrelMail that we are using Courier-IMAP/-POP3:

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1.  Organization Preferences
2.  Server Settings
3.  Folder Defaults
4.  General Options
5.  Themes
6.  Address Books
7.  Message of the Day (MOTD)
8.  Plugins
9.  Database
10. Languages

D.  Set pre-defined settings for specific IMAP servers

C   Turn color on
S   Save data
Q   Quit

Command >>
 <-- D


SquirrelMail Configuration : Read: config.php
---------------------------------------------------------
While we have been building SquirrelMail, we have discovered some
preferences that work better with some servers that don't work so
well with others.  If you select your IMAP server, this option will
set some pre-defined settings for that server.

Please note that you will still need to go through and make sure
everything is correct.  This does not change everything.  There are
only a few settings that this will change.

Please select your IMAP server:
    bincimap    = Binc IMAP server
    courier     = Courier IMAP server
    cyrus       = Cyrus IMAP server
    dovecot     = Dovecot Secure IMAP server
    exchange    = Microsoft Exchange IMAP server
    hmailserver = hMailServer
    macosx      = Mac OS X Mailserver
    mercury32   = Mercury/32
    uw          = University of Washington's IMAP server
    gmail       = IMAP access to Google mail (Gmail) accounts

    quit        = Do not change anything
Command >>
 <-- courier


SquirrelMail Configuration : Read: config.php
---------------------------------------------------------
While we have been building SquirrelMail, we have discovered some
preferences that work better with some servers that don't work so
well with others.  If you select your IMAP server, this option will
set some pre-defined settings for that server.

Please note that you will still need to go through and make sure
everything is correct.  This does not change everything.  There are
only a few settings that this will change.

Please select your IMAP server:
    bincimap    = Binc IMAP server
    courier     = Courier IMAP server
    cyrus       = Cyrus IMAP server
    dovecot     = Dovecot Secure IMAP server
    exchange    = Microsoft Exchange IMAP server
    hmailserver = hMailServer
    macosx      = Mac OS X Mailserver
    mercury32   = Mercury/32
    uw          = University of Washington's IMAP server

    quit        = Do not change anything
Command >> courier

              imap_server_type = courier
         default_folder_prefix = INBOX.
                  trash_folder = Trash
                   sent_folder = Sent
                  draft_folder = Drafts
            show_prefix_option = false
          default_sub_of_inbox = false
show_contain_subfolders_option = false
            optional_delimiter = .
                 delete_folder = true

Press any key to continue...
 <-- ENTER


SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1.  Organization Preferences
2.  Server Settings
3.  Folder Defaults
4.  General Options
5.  Themes
6.  Address Books
7.  Message of the Day (MOTD)
8.  Plugins
9.  Database
10. Languages

D.  Set pre-defined settings for specific IMAP servers

C   Turn color on
S   Save data
Q   Quit

Command >>
 <-- S


SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1.  Organization Preferences
2.  Server Settings
3.  Folder Defaults
4.  General Options
5.  Themes
6.  Address Books
7.  Message of the Day (MOTD)
8.  Plugins
9.  Database
10. Languages

D.  Set pre-defined settings for specific IMAP servers

C   Turn color on
S   Save data
Q   Quit

Command >> S

Data saved in config.php
Press enter to continue...
 <-- ENTER


SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1.  Organization Preferences
2.  Server Settings
3.  Folder Defaults
4.  General Options
5.  Themes
6.  Address Books
7.  Message of the Day (MOTD)
8.  Plugins
9.  Database
10. Languages

D.  Set pre-defined settings for specific IMAP servers

C   Turn color on
S   Save data
Q   Quit

Command >>
 <-- Q

Now we will configure SquirrelMail so that you can use it from within your web sites (created through ISPConfig) by using the /squirrelmail or /webmail aliases. So if your website is www.example.com, you will be able to access SquirrelMail using www.example.com/squirrelmail or www.example.com/webmail.

SquirrelMail's Apache configuration is in the file /etc/squirrelmail/apache.conf, but this file isn't loaded by Apache because it is not in the /etc/apache2/conf.d/ directory. Therefore we create a symlink called squirrelmail.conf in the /etc/apache2/conf.d/ directory that points to /etc/squirrelmail/apache.conf and reload Apache afterwards:

cd /etc/apache2/conf.d/
ln -s ../../squirrelmail/apache.conf squirrelmail.conf
/etc/init.d/apache2 reload

Now open /etc/apache2/conf.d/squirrelmail.conf...

vi /etc/apache2/conf.d/squirrelmail.conf

... and add the following lines to the <Directory /usr/share/squirrelmail></Directory> container that make sure that mod_php is used for accessing SquirrelMail, regardless of what PHP mode you select for your website in ISPConfig:

[...]
<Directory /usr/share/squirrelmail>
  Options FollowSymLinks
  <IfModule mod_php5.c>
    AddType application/x-httpd-php .php
    php_flag magic_quotes_gpc Off
    php_flag track_vars On
    php_admin_flag allow_url_fopen Off
    php_value include_path .
    php_admin_value upload_tmp_dir /var/lib/squirrelmail/tmp
    php_admin_value open_basedir /usr/share/squirrelmail:/etc/squirrelmail:/var/lib/squirrelmail:/etc/hostname:/etc/mailname:/var/spool/squirrelmail
    php_flag register_globals off
  </IfModule>
  <IfModule mod_dir.c>
    DirectoryIndex index.php
  </IfModule>
  # access to configtest is limited by default to prevent information leak
  <Files configtest.php>
    order deny,allow
    deny from all
    allow from 127.0.0.1
  </Files>
</Directory>
[...]

Create the directory /var/lib/squirrelmail/tmp...

mkdir /var/lib/squirrelmail/tmp

... and make it owned by the user www-data:

chown www-data /var/lib/squirrelmail/tmp

Reload Apache again:

/etc/init.d/apache2 reload

That's it already - /etc/apache2/conf.d/squirrelmail.conf defines an alias called /squirrelmail that points to SquirrelMail's installation directory /usr/share/squirrelmail.

You can now access SquirrelMail from your web site as follows:

http://192.168.0.100/squirrelmail
http://www.example.com/squirrelmail

You can also access it from the ISPConfig control panel vhost (after you have installed ISPConfig, see the next chapter) as follows (this doesn't need any configuration in ISPConfig):

http://server1.example.com:8080/squirrelmail

If you'd like to use the alias /webmail instead of /squirrelmail, simply open /etc/apache2/conf.d/squirrelmail.conf...

vi /etc/apache2/conf.d/squirrelmail.conf

... and add the line Alias /webmail /usr/share/squirrelmail:

Alias /squirrelmail /usr/share/squirrelmail
Alias /webmail /usr/share/squirrelmail
[...]

Then reload Apache:

/etc/init.d/apache2 reload

Now you can access SquirrelMail as follows:

http://192.168.0.100/webmail
http://www.example.com/webmail
http://server1.example.com:8080/webmail
(after you have installed ISPConfig, see the next chapter)

If you'd like to define a vhost like webmail.example.com where your users can access SquirrelMail, you'd have to add the following vhost configuration to /etc/apache2/conf.d/squirrelmail.conf:

vi /etc/apache2/conf.d/squirrelmail.conf

[...]
<VirtualHost 1.2.3.4:80>
  DocumentRoot /usr/share/squirrelmail
  ServerName webmail.example.com
</VirtualHost>

Make sure you replace 1.2.3.4 with the correct IP address of your server. Of course, there must be a DNS record for webmail.example.com that points to the IP address that you use in the vhost configuration. Also make sure that the vhost webmail.example.com does not exist in ISPConfig (otherwise both vhosts will interfere with each other!).

Now reload Apache...

/etc/init.d/apache2 reload

... and you can access SquirrelMail under http://webmail.example.com!


Comments

From: Anonymous at: 2011-10-20 15:55:12

From "man hostname":

 /etc/hostname This file should only contain the hostname and not the full FQDN.


 you mislead people when you say to use:
 echo server1.example.com > /etc/hostname

From: Anonymous at: 2011-11-02 11:12:55

When accusing someone of 'misleading' people, explain why the hostname must not contain the full FQDN.

From: Anonymous at: 2011-11-18 12:07:11

It's not prohibited, just "not recommended".

Usually, you should not question such a "recommendation", some background services might rely on this.

 Just my 2 cts

From: norby at: 2012-07-08 20:19:53

After a long winding road, finally something that actually works!!!!

So many HowTo's and none, except this one, worked for me.

Thanks folks!!!!!

I tried to install this one on an Ubuntu 12.04LTS 64 Bit, which absolutely didn't work for me.

A big THANK YOU to all that are involved

Cheers

From: Eiside at: 2012-02-21 19:59:36

How can I configure ISPConfig and the server if I want the websites directory on a different hard drive? Please help me. I just think about it as a security measure.

From: at: 2011-10-16 13:08:40

Going through this I get a comment like the following when I run a script in /etc/init.d

Rather than invoking init scripts through /etc/init.d, use the service(8)
utility, e.g. service mysql restart

Since the script you are attempting to invoke has been converted to an
Upstart job, you may also use the stop(8) and then start(8) utilities,
e.g. stop mysql ; start mysql. The restart(8) utility is also available.
mysql stop/waiting


From: at: 2011-10-27 21:09:02

At step 18 to avoid errors compiling jailkit install binutils-gold.

apt-get install build-essential autoconf automake1.9 libtool flex bison debhelper binutils-gold

Regards.

From: at: 2011-10-31 15:20:57

solution for jailkit and for sasl auth

 1. jailkit

make distclean

 change all -lpthread to  -pthread in configure, src/config.h.in

./configure
make
make clean
./debian/rules binary

 

2. sasl auth - problem with "fatal: no SASL authentication mechanisms"

remove or comment two lines in main.cf

# smtpd_sasl_type = dovecot
# smtpd_sasl_path = private/auth
 

Please, check if it works. For me works.

From: Abhijit at: 2012-02-03 14:01:28

The user quota setup  as described here does not work. When I try the following command

quotaon -avug

it fails, complaining that the quota file is not found. I tried creating the quota.user and aquota.user in the root dir to satisfy the command without much success.

 

From: Anonymous at: 2012-02-07 20:54:37

I had the same problem, the errors were referencing inability to find /dev/root. After searching around, I found this page which describes adding a symlink as follows:

 ln -s /dev/xvda /dev/root

Once I did that, the instructions here for quotas worked as expected. However, as noted on that page, the symlink goes away on reboot, so I just added that command to /etc/rc.local and it runs whenever the system reboots and everything works fine.

From: Fleck at: 2012-02-08 13:31:28

if you get SASL LOGIN authentication failed: no mechanism available - DO NOT DOWNGRADE PACKAGES, you just need to update config files:

 in /etc/default/saslauthd check those params:
START=yes
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"

notice that -r at the end, must have that, or login will not work using email as username!

 in /etc/postfix/sasl/smtpd.conf you need to change few lines and add one:
pwcheck_method: saslauthd
mech_list: plain login pam
allow_plaintext: true
auxprop_plugin: sql
sql_engine: mysql
sql_hostnames: 127.0.0.1
sql_user: ispconfig
sql_passwd: <removed>
sql_database: dbispconfig
sql_select: select password from mail_user where login = '%u' or login = '%u@%r'

this will allow to use smtp using custom login names (ISPConfig -> System -> Interface Config -> Mail -> checked "Allow custom login name"; using this mode you can't leave the custom login name blank - looks like an ISPConfig bug, but then simply, if you don't want to use a custom login name - enter the email address one more time!)

if you don't want to use custom login names - you can use this line:
sql_select: select password from mail_user where login = '%u@%r'

From: cg at: 2014-03-21 00:05:09

Thxal for that help man!

 I remembered the change of "auxprop_plugin: mysql" to sql only, with the extra parameter "sql_engine"...

The final crack was to change:

 sql_select: select password from mail_user where login = '%u@'

as it was in my old config files from squeeze to

sql_select: select password from mail_user where login = '%u@%r'.

I updated ISPConfig and Squeeze several times and it worked until the upgrade to wheezy. Whyever it did not happen before. But I can send mails again, so everything is fine - for now.

Again: Thx!

From: Anonymous at: 2013-04-22 08:54:11

this link is not working anymore

 wget http://olivier.sessink.nl/jailkit/jailkit-2.14.tar.gz

From: boneg at: 2011-10-28 19:42:40

Great tutorial! Today I reconfigured my server with this manual, added some cache modules and now I have a great machine with good performance.

From: Adaz at: 2012-03-06 00:38:12

Thank you for this great tutorial!! Everything worked as you said! So many steps, but it's worth it. Thank you for the minutiae, you weren't lazy!

From: Anonymous at: 2012-04-05 04:35:30

Thanks for a great tutorial. Clear and exact. I followed all the steps in this complex setup and have to say it all worked out to my surprise.

From: Anonymous at: 2012-04-06 21:04:06

Thank you! Works perfectly. The description is excellent!

From: ranggadablues at: 2012-04-09 09:08:08

this is great tutorial, but only one problem I've got

I can't login to squirrelmail, as default user and password

please help me

thank you

From: Anonymous at: 2012-05-25 23:22:59

I have the exact same problem.  Before I installed ISPconfig3, squirrelmail worked fine.  However it stopped working and gives me the error unknown user name and password.  Did you ever get yours sorted out?

From: Travis at: 2012-04-29 18:57:49

I'm a PHP & Java developer, and wanted to get a webserver up to serve as my online resume. I tried and tried on my own to get a server up w/ working email and no problems, and just had no luck. UNIX and email client configurations are not my strong point I fear. Using your guide, I was able to get a working server up in just a few hours ON MY FIRST TRY! Also, I used this guide for 12.4, and confirmed it works. Thank you kind sir for your excellent guide!

From: Anonymous at: 2012-06-21 05:26:18

thanks a lot. but email interface is not running at ispconfig. then i can't add email domain, emailbox etc...

I tried "The Perfect Server - Ubuntu 12.04 LTS (Apache2, BIND, Dovecot, ISPConfig 3) ".

But result is same.  What is wrong? What should i do? Please help.

 

Thank you.