The Perfect Server - Ubuntu 13.04 (Apache2, BIND, Dovecot, ISPConfig 3) - Page 5

16 Install PureFTPd And Quota

PureFTPd and quota can be installed with the following command:

apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool

Edit the file /etc/default/pure-ftpd-common...

vi /etc/default/pure-ftpd-common

... and make sure that the start mode is set to standalone and set VIRTUALCHROOT=true:

[...]
STANDALONE_OR_INETD=standalone
[...]
VIRTUALCHROOT=true
[...]

Now we configure PureFTPd to allow FTP and TLS sessions. FTP is a very insecure protocol because all passwords and all data are transferred in clear text. By using TLS, the whole communication can be encrypted, thus making FTP much more secure.

If you want to allow FTP and TLS sessions, run

echo 1 > /etc/pure-ftpd/conf/TLS

In order to use TLS, we must create an SSL certificate. I create it in /etc/ssl/private/, therefore I create that directory first:

mkdir -p /etc/ssl/private/

Afterwards, we can generate the SSL certificate as follows (the private key and the self-signed certificate are both written to the same file, pure-ftpd.pem):

openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem

Country Name (2 letter code) [AU]: <-- Enter your Country Name (e.g., "DE").
State or Province Name (full name) [Some-State]: <-- Enter your State or Province Name.
Locality Name (eg, city) []: <-- Enter your City.
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter your Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) []: <-- Enter your Organizational Unit Name (e.g. "IT Department").
Common Name (eg, YOUR name) []: <-- Enter the Fully Qualified Domain Name of the system (e.g. "server1.example.com").
Email Address []: <-- Enter your Email Address.

Change the permissions of the file so that only root can read it (it contains the private key as well as the certificate):

chmod 600 /etc/ssl/private/pure-ftpd.pem

Then restart PureFTPd:

/etc/init.d/pure-ftpd-mysql restart
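A check for the TLS setup above, as an added example that is not part of the original tutorial: it reads the TLS mode file and the combined key/certificate file and reports what a hardening review would flag. The function names and the temporary demo layout are assumptions of this example; the meanings of the values 0 to 3 are those of pure-ftpd's --tls option.

```python
import os
import stat
import tempfile

# Meaning of the value in /etc/pure-ftpd/conf/TLS (pure-ftpd's --tls option).
TLS_MODES = {
    "0": "TLS disabled, cleartext only",
    "1": "cleartext and TLS sessions both accepted",
    "2": "cleartext logins refused",
    "3": "cleartext logins and cleartext data channels refused",
}

def audit_pureftpd_tls(conf_dir, pem_path):
    """Return findings for the TLS mode and the combined key/certificate file."""
    findings = []
    try:
        with open(os.path.join(conf_dir, "TLS")) as fh:
            mode = fh.read().strip()
    except FileNotFoundError:
        mode = "0"  # assumption: no TLS file means the option is not set
    if mode not in TLS_MODES:
        findings.append(f"TLS: unknown value {mode!r}")
    elif mode in ("0", "1"):
        findings.append(f"TLS={mode}: {TLS_MODES[mode]}")
    try:
        st = os.stat(pem_path)
        with open(pem_path) as fh:
            pem = fh.read()
    except OSError as exc:
        return findings + [f"{pem_path}: {exc.strerror}"]
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"pem mode {stat.S_IMODE(st.st_mode):o}: key exposed beyond owner")
    if "PRIVATE KEY-----" not in pem or "-----BEGIN CERTIFICATE-----" not in pem:
        findings.append("pem must hold both the private key and the certificate")
    return findings

def demo():
    """Constructed layout: TLS=1 and a world-readable pem, then the same after chmod 600."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "TLS"), "w") as fh:
            fh.write("1\n")
        pem = os.path.join(root, "pure-ftpd.pem")
        with open(pem, "w") as fh:
            fh.write("-----BEGIN PRIVATE KEY-----\n(constructed)\n-----END PRIVATE KEY-----\n"
                     "-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----\n")
        os.chmod(pem, 0o644)
        before = audit_pureftpd_tls(root, pem)
        os.chmod(pem, 0o600)
        return before, audit_pureftpd_tls(root, pem)
```

With the value 1 written above, the server keeps accepting cleartext logins next to TLS ones, which is why the audit still reports the TLS mode after the permissions are fixed.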

Edit /etc/fstab. Mine looks like this (I added ,usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0 to the partition with the mount point /):

vi /etc/fstab

# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
/dev/mapper/server1--vg-root /               ext4    errors=remount-ro,usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0 0       1
# /boot was on /dev/sda1 during installation
UUID=9b8299f1-b2a2-4231-9ba1-4540fad76b0f /boot           ext2    defaults        0       2
/dev/mapper/server1--vg-swap_1 none            swap    sw              0       0

To enable quota, run these commands:

mount -o remount /

quotacheck -avugm
quotaon -avug

 

17 Install BIND DNS Server

BIND can be installed as follows:

apt-get install bind9 dnsutils

 

18 Install Vlogger, Webalizer, And AWstats

Vlogger, webalizer, and AWstats can be installed as follows:

apt-get install vlogger webalizer awstats geoip-database libclass-dbi-mysql-perl

Open /etc/cron.d/awstats afterwards...

vi /etc/cron.d/awstats

... and comment out everything in that file:

#MAILTO=root

#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh

# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh

 

19 Install Jailkit

Jailkit is needed only if you want to chroot SSH users. It can be installed as follows (important: Jailkit must be installed before ISPConfig - it cannot be installed afterwards!):

apt-get install build-essential autoconf automake1.9 libtool flex bison debhelper binutils-gold

cd /tmp
wget http://olivier.sessink.nl/jailkit/jailkit-2.15.tar.gz
tar xvfz jailkit-2.15.tar.gz
cd jailkit-2.15
./debian/rules binary

You can now install the Jailkit .deb package as follows:

cd ..
dpkg -i jailkit_2.15-1_*.deb
rm -rf jailkit-2.15*

 

20 Install fail2ban

This is optional but recommended, because the ISPConfig monitor tries to show the log:

apt-get install fail2ban

To make fail2ban monitor PureFTPd and Dovecot, create the file /etc/fail2ban/jail.local:

vi /etc/fail2ban/jail.local

[pureftpd]
enabled  = true
port     = ftp
filter   = pureftpd
logpath  = /var/log/syslog
maxretry = 3

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 5

[sasl]
enabled  = true
port     = smtp
filter   = sasl
logpath  = /var/log/mail.log
maxretry = 3

Then create the following two filter files:

vi /etc/fail2ban/filter.d/pureftpd.conf

[Definition]
failregex = .*pure-ftpd: \(.*@<HOST>\) \[WARNING\] Authentication failed for user.*
ignoreregex =

vi /etc/fail2ban/filter.d/dovecot-pop3imap.conf

[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*
ignoreregex =

Restart fail2ban afterwards:

/etc/init.d/fail2ban restart
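The two filters and their maxretry limits, exercised against sample log lines; this is an added example, not part of the original tutorial. The log lines are constructed, the <HOST> tag is replaced by a simplified pattern (fail2ban's own expansion differs), and findtime is not modelled.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> expansion (assumption of this example).
HOST = r"(?P<host>[\w\-.^_]+)"

# failregex of each filter file above, paired with maxretry from jail.local.
FILTERS = {
    "pureftpd": (
        r".*pure-ftpd: \(.*@<HOST>\) \[WARNING\] Authentication failed for user.*", 3),
    "dovecot-pop3imap": (
        r"(?: pop3-login|imap-login): .*(?:Authentication failure"
        r"|Aborted login \(auth failed|Aborted login \(tried to use disabled"
        r"|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts)"
        r".*rip=(?P<host>\S*),.*", 5),
}

# Constructed log lines using documentation addresses, not from a real server.
SAMPLE_LOG = """\
May  3 10:15:01 server1 pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [web1]
May  3 10:15:04 server1 pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [admin]
May  3 10:15:09 server1 pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [root]
May  3 10:15:30 server1 pure-ftpd: (?@192.0.2.55) [INFO] web1 is now logged in
May  3 10:16:44 server1 dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<info@example.com>, method=PLAIN, rip=198.51.100.23, lip=192.0.2.10
May  3 10:16:51 server1 dovecot: imap-login: Disconnected (auth failed, 2 attempts): user=<info@example.com>, method=PLAIN, rip=198.51.100.23, lip=192.0.2.10
May  3 10:17:02 server1 dovecot: imap-login: Login: user=<info@example.com>, method=PLAIN, rip=192.0.2.55, lip=192.0.2.10, mpid=4242
""".splitlines()

def failures(jail, lines=SAMPLE_LOG):
    """Count failregex hits per source host for one jail."""
    regex = re.compile(FILTERS[jail][0].replace("<HOST>", HOST))
    hits = Counter()
    for line in lines:
        match = regex.search(line)
        if match:
            hits[match.group("host")] += 1
    return hits

def would_ban(jail, lines=SAMPLE_LOG):
    """Hosts whose failure count reaches the jail's maxretry (findtime ignored)."""
    limit = FILTERS[jail][1]
    return sorted(h for h, n in failures(jail, lines).items() if n >= limit)
```

On the server itself, fail2ban-regex /var/log/syslog /etc/fail2ban/filter.d/pureftpd.conf runs the real filter against the real log.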

Comments

From: Ajith at: 2013-11-12 08:28:03

Dear sir,

Thanks for the post, it was very useful. I have set up a mail server in Ubuntu 13.04 server as per your post. I have set up the server as local only. My domain is @example.co.in and users are able to send mails from ajith@example.co.in to ajth1@example.co.in. My question is: can we change the mail server

1. to receive mails from outside

2. create two user groups and allow one group to send mails to @gmail.com only

From: sant3001 at: 2013-05-03 19:04:09

Thanks for this wonderful tutorial. I believe the only thing missing here is cURL for PHP. When you open ISPConfig and go to ASP Installer it tells you that you don't have the PHP cURL extension.

I fixed it using this command:

sudo apt-get install curl libcurl3 libcurl3-dev php5-curl

And then I just restarted apache:

service apache2 restart

From: SkiOne at: 2013-05-10 16:56:17

The FCGI wrapper being installed is not supported by default in Ubuntu 13.04 and the syntax used by the conf file doesn't match. If you get a "client denied by server configuration", install this:

apt-get install libapache2-mod-fcgid

And then restart Apache.

From: Anonymous at: 2013-05-11 19:30:37

Yes,  as mentioned prior, thanks for this very detailed and very complete tutorial (actually a tour-de-force) on installing the ISPConfig software.

Along the way, many questions were answered as to 'what was what'....

I ordered/downloaded the manual. 

I probably will not do anything that makes the server become a 'public' site (it's really a VM).

The most I might do is have the server join a Win2003 domain or create what appear to be virtual sites in the Apache server (almost sounds like IIS' virtual sites).

Again, Many Thanks for doing this.  A real help!!

 

 

From: Anonymous at: 2013-06-30 05:10:28

I followed this guide to the letter, twice, as I've followed several of these guides for older versions of Ubuntu and also using Nginx. They never fully work out for me.

This time whenever I went to my site, either through my domain name or through its LAN IP, all that would ever come up was SquirrelMail, which wouldn't even let me log in this time. ISPConfig3 would never come up, either, and I was at least able to get that up and running through past versions of this guide, both with Apache and Nginx. PHPMyAdmin worked.

I always enjoy the learning experience, though, despite the disappointment.

From: Anonymous at: 2013-07-23 23:21:10

I got the same issue, by removing this part below on page 6, I was able to get ISPConfig working on https not http, but I'm not able to log in to SquirrelMail !!!

[...]
<VirtualHost 1.2.3.4:80>
  DocumentRoot /usr/share/squirrelmail
  ServerName webmail.example.com
</VirtualHost>

From: Kenny at: 2013-09-22 20:16:02

Here is the output I got:
 

 ubuntu@ip-10-0-0-226:/tmp/ispconfig3_install/install$ sudo quotacheck -avugm

sudo: unable to resolve host ip-10-0-0-226

quotacheck: Scanning /dev/disk/by-label/cloudimg-rootfs [/] done

quotacheck: Checked 11946 directories and 151360 files

ubuntu@ip-10-0-0-226:/tmp/ispconfig3_install/install$ sudo quotaon -avug

sudo: unable to resolve host ip-10-0-0-226

quotaon: using //quota.group on /dev/disk/by-label/cloudimg-rootfs [/]: No such process

quotaon: Quota format not supported in kernel.

quotaon: using //quota.user on /dev/disk/by-label/cloudimg-rootfs [/]: No such process

quotaon: Quota format not supported in kernel.

ubuntu@ip-10-0-0-226:/tmp/ispconfig3_install/install$

 
Using Ubuntu 13.04 in Amazon EC2.  Worked fine in Debian Wheezy in EC2.  Do I need to do something with my fstab?  Debian takes up less space and uses less memory anyway, so I think I'm just going to use Debian.  I just wanted to try both.

From: at: 2014-01-07 04:28:48
From: Tweexter at: 2013-10-13 23:16:11

I seem to be stuck in the SquirrelMail section regarding the additions to the squirrelmail.conf file.

Whenever I try to start apache2 I get an error "AddType requires at least two arguments, a mime type followed by one or more file extensions".

To make sure I got it right I straight up copy and pasted the code from the guide to my Putty window and compared it visually.  

 

From: Tweexter at: 2013-10-14 17:35:32

Disregard, it was my own stupid mistake.  Somehow had the same AddType line at the top of the file, with no space before .php.  The entire line wasn't even supposed to be there, and I'm not even sure how it got there either.  Thanks for the great write up.  Can't wait to play with this a bit.  

From: at: 2013-10-22 14:37:19

There seems to be a typo in /etc/postfix/main.cf.  If you edit this file you'll see the following on about line 60:

proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps

There is an extra word "limit" in "$virtual_mailbox_limit_maps".  Change this to "$virtual_mailbox_maps":

proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_maps

Then restart Postfix:

/etc/init.d/postfix restart