The Perfect Server - Ubuntu 9.10 [ISPConfig 3] - Page 4

12 Install Postfix, Courier, Saslauthd, MySQL, rkhunter, binutils

We can install Postfix, Courier, Saslauthd, MySQL, rkhunter, and binutils with a single command:

aptitude install postfix postfix-mysql postfix-doc mysql-client mysql-server courier-authdaemon courier-authlib-mysql courier-pop courier-pop-ssl courier-imap courier-imap-ssl libsasl2-2 libsasl2-modules libsasl2-modules-sql sasl2-bin libpam-mysql openssl getmail4 rkhunter binutils

You will be asked the following questions:

New password for the MySQL "root" user: <-- yourrootsqlpassword
Repeat password for the MySQL "root" user: <-- yourrootsqlpassword
Create directories for web-based administration? <-- No
General type of mail configuration: <-- Internet Site
System mail name: <--
SSL certificate required <-- Ok

Next we install maildrop as follows:

update-alternatives --remove-all maildir.5
update-alternatives --remove-all maildirquota.7

aptitude install maildrop

You will ask yourself why we didn't install maildrop together with all the other packages. The reason for this is a bug in the courier-base package - if you install maildrop together with courier-pop, courier-pop-ssl, courier-imap, and courier-imap-ssl, you will get the following error:

update-alternatives: error: alternative link /usr/share/man/man5/maildir.5.gz is already managed by maildir.5.gz.

We want MySQL to listen on all interfaces, not just localhost, therefore we edit /etc/mysql/my.cnf and comment out the line bind-address =

vi /etc/mysql/my.cnf

# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address           =

Then we restart MySQL:

/etc/init.d/mysql restart

Now check that networking is enabled. Run

netstat -tap | grep mysql

The output should look like this:

root@server1:~# netstat -tap | grep mysql
tcp        0      0 *:mysql                 *:*                     LISTEN      6267/mysqld

During the installation, the SSL certificates for IMAP-SSL and POP3-SSL are created with the hostname localhost. To change this to the correct hostname ( in this tutorial), delete the certificates...

cd /etc/courier
rm -f /etc/courier/imapd.pem
rm -f /etc/courier/pop3d.pem

... and modify the following two files; replace CN=localhost with (you can also modify the other values, if necessary):

vi /etc/courier/imapd.cnf


vi /etc/courier/pop3d.cnf


Then recreate the certificates...


... and restart Courier-IMAP-SSL and Courier-POP3-SSL:

/etc/init.d/courier-imap-ssl restart
/etc/init.d/courier-pop-ssl restart


13 Install Amavisd-new, SpamAssassin, And Clamav

To install amavisd-new, SpamAssassin, and ClamAV, we run

aptitude install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl


14 Install Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear, And mcrypt

Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear, and mcrypt can be installed as follows:

aptitude install apache2 apache2.2-common apache2-doc apache2-mpm-prefork apache2-utils libexpat1 ssl-cert libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick libapache2-mod-suphp

You will see the following question:

Web server to reconfigure automatically: <-- apache2
Configure database for phpmyadmin with dbconfig-common? <-- No

Then run the following command to enable the Apache modules suexec, rewrite, ssl, actions, and include:

a2enmod suexec rewrite ssl actions include

Restart Apache afterwards:

/etc/init.d/apache2 restart


15 Install PureFTPd And Quota

PureFTPd and quota can be installed with the following command:

aptitude install pure-ftpd-common pure-ftpd-mysql quota quotatool

Edit the file /etc/default/pure-ftpd-common...

vi /etc/default/pure-ftpd-common

... and make sure that the start mode is set to standalone and set VIRTUALCHROOT=true:


Then restart PureFTPd:

/etc/init.d/pure-ftpd-mysql restart

Edit /etc/fstab. Mine looks like this (I added ,usrjquota=aquota.user,,jqfmt=vfsv0 to the partition with the mount point /):

vi /etc/fstab

# /etc/fstab: static file system information.
# Use 'blkid -o value -s UUID' to print the universally unique identifier
# for a device; this may be used with UUID= as a more robust way to name
# devices that works even if disks are added and removed. See fstab(5).
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
proc            /proc           proc    defaults        0       0
/dev/mapper/server1-root /               ext4    errors=remount-ro,usrjquota=aquota.user,,jqfmt=vfsv0 0       1
# /boot was on /dev/sda5 during installation
UUID=9ea34148-31b7-4d5c-baee-c2e2022562ea /boot           ext2    defaults        0       2
/dev/mapper/server1-swap_1 none            swap    sw              0       0
/dev/scd0       /media/cdrom0   udf,iso9660 user,noauto,exec,utf8 0       0
/dev/fd0        /media/floppy0  auto    rw,user,noauto,exec,utf8 0       0

To enable quota, run these commands:

touch /aquota.user /
chmod 600 /aquota.*
mount -o remount /

quotacheck -avugm
quotaon -avug


16 Install MyDNS

Before we install MyDNS, we need to install a few prerequisites:

aptitude install g++ libc6 gcc gawk make texinfo libmysqlclient15-dev

MyDNS is not available in the Ubuntu 9.10 repositories, therefore we have to build it ourselves as follows:

cd /tmp
tar xvfz mydns-
cd mydns-1.2.8
make install

Next we create the start/stop script for MyDNS:

vi /etc/init.d/mydns

#! /bin/sh
# mydns         Start the MyDNS server
# Author:       Philipp Kern <>.
#               Based upon skeleton 1.9.4 by Miquel van Smoorenburg
#               <> and Ian Murdock <>.

set -e

DESC="DNS server"


# Gracefully exit if the package has been removed.
test -x $DAEMON || exit 0

case "$1" in
        echo -n "Starting $DESC: $NAME"
        start-stop-daemon --start --quiet \
                --exec $DAEMON -- -b
        echo "."
        echo -n "Stopping $DESC: $NAME"
        start-stop-daemon --stop --oknodo --quiet \
                --exec $DAEMON
        echo "."
        echo -n "Reloading $DESC configuration..."
        start-stop-daemon --stop --signal HUP --quiet \
                --exec $DAEMON
        echo "done."
        echo -n "Restarting $DESC: $NAME"
        start-stop-daemon --stop --quiet --oknodo \
                --exec $DAEMON
        sleep 1
        start-stop-daemon --start --quiet \
                --exec $DAEMON -- -b
        echo "."
        echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
        exit 1

exit 0

Then we make the script executable and create the system startup links for it:

chmod +x /etc/init.d/mydns
update-rc.d mydns defaults


17 Install Vlogger And Webalizer

Vlogger and webalizer can be installed as follows:

aptitude install vlogger webalizer


18 Install Jailkit

Jailkit is needed only if you want to chroot SSH users. It can be installed as follows (important: Jailkit must be installed before ISPConfig - it cannot be installed afterwards!):

aptitude install build-essential autoconf automake1.9 libtool flex bison

cd /tmp
tar xvfz jailkit-2.10.tar.gz
cd jailkit-2.10
make install
cd ..
rm -rf jailkit-2.10*


19 Install fail2ban

This is optional but recommended, because the ISPConfig monitor tries to show the fail2ban log:

aptitude install fail2ban

Share this page:

36 Comment(s)

Add comment


From: at: 2009-10-31 08:11:16

be careful when making clean install on 9.10

if you have a RAID0 Grub2 acts realy strange. It cant find the boot sector of the drive. 

sollution : make clean install on 8.10 according on Falko`s pedfect server 8.10. and dist-upgrade to 9.04 and 9.10

From: at: 2011-04-17 00:01:29

Good evening,
I'm also having the same problem, Outlook users may not connect, with the previously ispconfig2 the users were created in / etc / passwd, not this happening in ispconfig3 this, they are only created in mysql ..
claim to know what can be? the distribution and debian 6.

From: Anonymous at: 2010-05-13 20:41:41

First to praise the tutorial, but I have a problem. when I want to download e-mail (Outlook), every time we seek authorization through ISPCONFIG with defined user and his mail box, simply will not let me authorization. I really do not know more what the problem is. In addition to asking configuration. It is also not possible or authorization through Squirrelmail.

tail -f /var/log/mail.log

May 13 22:00:01 myserver postfix/smtpd[8313]: disconnect from localhost.localdomain[]
May 13 22:02:51 myserver pop3d: Connection, ip=[::ffff:]
May 13 22:02:51 myserver pop3d: LOGIN FAILED, user=test, ip=[::ffff:]
May 13 22:02:56 myserver pop3d: Disconnected, ip=[::ffff:]


root@server:/# netstat -tap

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0      *:*                     LISTEN      2106/mydns
tcp        0      0 localhost.locald:domain *:*                     LISTEN      2106/mydns
tcp        0      0 *:ftp                   *:*                     LISTEN      1816/pure-ftpd (SER
tcp        0      0 *:ssh                   *:*                     LISTEN      975/sshd
tcp        0      0 *:smtp                  *:*                     LISTEN      6470/master
tcp        0      0 *:https                 *:*                     LISTEN      1962/apache2
tcp        0      0 localhost.localdo:10024 *:*                     LISTEN      988/amavisd (master
tcp        0      0 localhost.localdo:10025 *:*                     LISTEN      6470/master
tcp        0      0 localhost.localdo:mysql *:*                     LISTEN      4858/mysqld
tcp        0      0 localhost.localdo:spamd *:*                     LISTEN      1227/
tcp        0      0 *:webmin                *:*                     LISTEN      4146/perl
tcp        0      0 *:http-alt              *:*                     LISTEN      1962/apache2
tcp        0      0 *:www                   *:*                     LISTEN      1962/apache2
tcp        0      0 localhost.localdoma:ftp localhost.localdo:40089 TIME_WAIT   -
tcp        0      0 localhost.localdo:mysql localhost.localdo:39324 ESTABLISHED 4858/mysqld
tcp        0      0 localhost.localdo:35514 localhost.localdoma:www TIME_WAIT   -
tcp        0      0 localhost.localdo:39324 localhost.localdo:mysql ESTABLISHED 1643/amavisd (ch3-a
tcp        0     52          ESTABLISHED 1499/0
tcp        0      0 localhost.localdo:45780 localhost.locald:domain TIME_WAIT   -
tcp6       0      0 localhost:domain        [::]:*                  LISTEN      2106/mydns
tcp6       0      0 [::]:ftp                [::]:*                  LISTEN      1816/pure-ftpd (SER
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      975/sshd
tcp6       0      0 [::]:imaps              [::]:*                  LISTEN      1666/couriertcpd
tcp6       0      0 [::]:pop3s              [::]:*                  LISTEN      1707/couriertcpd
tcp6       0      0 [::]:pop3               [::]:*                  LISTEN      7164/couriertcpd
tcp6       0      0 [::]:imap2              [::]:*                  LISTEN      1635/couriertcpd

root@server:/# telnet 25

Connected to
Escape character is '^]'.
220 ESMTP Postfix (Ubuntu)


My postfix configuration:

# See /usr/share/postfix/ for a commented, more complete version

# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = /usr/share/doc/postfix

# TLS parameters
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname =
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination =, localhost, localhost.localdomain
relayhost =
mynetworks = [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
html_directory = /usr/share/doc/postfix/html
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/, mysql:/etc/postfix/
virtual_mailbox_domains = proxy:mysql:/etc/postfix/
virtual_mailbox_maps = proxy:mysql:/etc/postfix/
virtual_mailbox_base = /var/vmail
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_recipient_access mysql:/etc/postfix/, reject_unauth_destination
smtpd_tls_security_level = may
transport_maps = proxy:mysql:/etc/postfix/
relay_domains = mysql:/etc/postfix/
virtual_create_maildirsize = yes
virtual_maildir_extended = yes
virtual_mailbox_limit_maps = proxy:mysql:/etc/postfix/
virtual_mailbox_limit_override = yes
virtual_maildir_limit_message = "The user you are trying to reach is over quota."
virtual_overquota_bounce = yes
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/
smtpd_client_restrictions = check_client_access mysql:/etc/postfix/
maildrop_destination_concurrency_limit = 1
maildrop_destination_recipient_limit = 1
virtual_transport = maildrop
header_checks = regexp:/etc/postfix/header_checks
mime_header_checks = regexp:/etc/postfix/mime_header_checks
nested_header_checks = regexp:/etc/postfix/nested_header_checks
body_checks = regexp:/etc/postfix/body_checks
content_filter = amavis:[]:10024
receive_override_options = no_address_mappings
message_size_limit = 0

From: Anonymous at: 2009-12-26 06:01:33

hi all,

setting hostname
Submitted by seamuso (not registered) on Sun, 2009-11-01 22:36.
hostname can be set without a reboot -
hostname -b -f /etc/hostname

..yes, can be set without a reboot, but like that: 

             hostname -b -F /etc/hostname 

hostname --help


   -f, --fqdn, --long    long host name (FQDN)
   -b, --boot                set default hostname if none available
   -F, --file                  read host name or NIS domain name from given file


From: headless_guy at: 2009-12-28 11:14:29

if you want to run 9.10 without keyboard and monitor, you may find it freezes after 10 mins try this:

for i in 1 2 3 4 5 6
   setterm -blank 0 -powersave off -powerdown 0 >/dev/tty$i

The make this script start at system start:

chmod 700 /etc/init.d/local

update-rc.d local defaults 80


From: seamuso at: 2009-11-01 21:36:56

hostname can be set without a reboot -


hostname -b -f /etc/hostname

From: shashank at: 2010-03-02 19:07:05

how i can find these setting for my system- 






bcz my network is dhcp enabled.

please help? 


From: CaPunG at: 2010-08-02 02:53:17

add this for DNS resolving

vi /etc/resolv.conf



ping test

:) cmiiw

From: Harald at: 2009-11-22 12:52:37


I actually dont know your problem, cause I even dont come to this point. You install - as I did - on Ubuntu 9.10 and I am wondering why you didnt have the following problem as I described with my own posting here:

i have

I tried 32 and 64 bit versions - but in both I have "xxxx.dpkg-new"!

What am I doing wrong?

Please help me!

Harald from Austria

From: Harald at: 2009-11-16 14:39:39

Hi! I have problems with imap/pop-ssl. By doing this:
/etc/init.d/courier-imap-ssl restart
/etc/init.d/courier-pop-ssl restart
i acutally cannot do this. my system is ubuntu 9.10 server (both 32bit and 64bit) and instead von

i have

What am I doing wrong?
Please respond to my email as well!

THANX in advance

From: at: 2009-11-05 21:42:15

hello, i instaled ispconfig 3 on ubuntu 9.10, and all my sites are working ok...but when i tried to make didn't work and i tryed every combination, but it doesn't work..

can you make a little tutorial with picture to show me an example to understand were i'm rong (show me pls what i must write in dns, web etc)


thanqs a lot.have a good day!bye.

From: walter at: 2010-02-27 01:01:25

no matter, but maybe we can add on step #16 the bellow:

rm -rf mydns-1.2.8*

thanks a lot for this tutorial.

From: cmo at: 2010-07-11 22:26:37

Same error here. Mailclient has "Server needs SMTP Authentification" on.

From: at: 2009-12-02 14:20:41

when adding a site with the ispconfig interface, this value is added

php_admin_value open_basedir /var/www/clients/client1/web1/web:/var/www/clients/client1/web1/tmp:/usr/share/php5

The last section /usr/share/php5, is a directory that in the ubuntu packages, only contains php.ini example files.

Is supposed be the folder that contains the php extra functions and classes, which is in /usr/share/php

To change this, the ispconfig developers told me that editing the conf file: /usr/local/ispconfig/server/conf/vhost.conf.master and modify this sections

<tmpl_if name='security_level' op='==' value='20'>
    php_admin_value open_basedir <tmpl_var name='document_root'>/web:<tmpl_var name='document_root'>/tmp:/usr/share/php5

<tmpl_if name='security_level' op='==' value='20'>
    php_admin_value open_basedir <tmpl_var name='document_root'>/web:<tmpl_var name='document_root'>/tmp:/usr/share/php5:/tmp



From: Robert at: 2009-12-04 21:13:15

This tutorial is really good and clear. Just like the ones for the other distros.

But what's the point of installing ISPConfig 3 ?

If it was installed after step 6 (Install vim-nox (Optional)) on page 3, or even after step 9 (Change The Default Shell) on page 3, it would have made sense.

But we first install everything by hand, and then install a script to manage it all.

Might as well go the extra mile(s) and do everything from the command line.

Why can't ISPConfig ask for (or read a config/setup file with) what you want to install, and then just do it before installing itself ?

And things like :

That the MySQL root user password has to be entered twice. Once when installing MySQL, and then once again when installing ISPConfig.


"We need a DNS, mail, and LAMP server, but nevertheless I don't select any of them now because I like to have full control over what gets installed on my system." (page 2), but you do let this happen : "The installer automatically configures all underlying services, so no manual configuration is needed." (page 5).

Anyway, it's a good starting point to have a nice server setup quickly. With or without ISPConfig.

From: at: 2010-03-11 18:49:22

You know, I was just thinking the same thing.

I've never installed this software but, since it's supposed to manage all this stuff, it seems very strange to have to install it all by hand first. 

Certainly none of the steps are difficult to script, most are just one command and some of them answering a couple of prompts.  

It looks like it has to have mySQL installed to be able to have a place for its configs but that should just be the first step; and it should remember that config information.

For a version 3, this is pretty immature...



From: tono at: 2009-12-06 22:02:03

Never, ever I read a tutorial so good.

Thank you very much.



From: joerg at: 2009-12-25 18:03:48


how can use squirrelmail from this howto, when i create a domain in ispconfig 3?

The symlink from squirrelmail is set to the standard web location /var/www but the web location for the new domain is /var/www/domain.tld/web.

When i link the squirrelmail directory in the  /var/www/domain.tld/web directory i become a error message from squirrelmail. (No input file specified)

Can anybody help me please??


From: at: 2009-11-18 16:35:21

Suggestion and question.

Would it not be better to download and phpmyadmin and squirrelmail manually and place them within a allowed directory according to  /usr/local/ispconfig/server/conf/vhost.conf.master?

After <tmpl_if name='security_level' op='==' value='20'>

From: Patrick Nelson at: 2009-11-19 00:20:14

If I could, I'd rate this 5 stars! It is perfect to a tee! Thanks a lot for a very helpful and informative article! Truely an easy and good alternative setup to having to pay for those other control panels!

From: at: 2009-11-19 13:28:55

looks like hetzner's ubuntu 9.10 image isn't as minimal as it sounds :) it seems to have a crippled postfix package already installed, and the ispconfig install will fail because there is no /etc/postfix/

to work around this issue, you can remove the package completely before starting with this guide using:

  • aptitude remove --purge postfix
  • dpkg --purge postfix
(the --purge in the first command should also take care of the config files... but it doesn't. calling dpkg manually cleans all the config files.)

 after that the guide works perfectly if you start from step 4.

From: Anonymous at: 2009-11-07 12:59:47

thank you very much for this, it helped me a lot

From: klapifoch at: 2009-11-04 14:40:45

this is an amazing tuto!!! dude thx!

From: Anonymous at: 2009-11-02 12:12:55

maybe ssl on the 8080 port is to be working

From: at: 2009-10-29 18:27:03

Falko .. aswe said in Bulgaria "you are not sleeping" :)

again good job :) 

From: Gaston Suarez Duek at: 2010-02-06 23:31:10

Thx for all the help, my server is now up and running!!!! And just in a couple of hours (or minutes)!!!

From: Warren Bull at: 2010-02-04 05:57:48

This tutorial is absolutely brilliant!

 Thank you sooo much dude!!!

 just one point. i had trouble testing ftp after it was all setup after 3 hours of messing with pureftpd i found a simple solution to the "ERROR: Sorry incorrect address given"

maybe you want to add it to the steps in the tutorial ?


Thanks again!


From: Big Trucker at: 2010-02-21 12:47:43

Very clear and simple to follow, made the job for me a breeze, thank you!

From: Jack at: 2010-03-04 18:15:50

Used this manual to install postfix and ipconfig. Everything was so well documented so it works from the first try!!!

Great job!!!


From: u4david at: 2010-03-04 05:20:00

How would this work out to have /var nad /tmp on separate partitions?


Concerned about Quotas on /var to function properly with Ispconfig3 and have /tmp mounted with noexec.

Do not think that separate /boot would create any complications.

Could someoen propose the partitioning schema for Ispconfig3 with

200 gb harddrive to be used on.

and possible changes how to make it all work together as mentioned? 


From: Anonymous at: 2010-03-24 19:37:50

Thanks for this step by step tutorial.  It was very easy and straight forward.

 I just have 2 quick questions that maybe you could answer.

 1.)Why use myDNS vs Bind9?

 2.)I can only access ISPConfig via http over port 8080 and not https over port 8080.  how do i reconfigure or setup my server so that it will allow ISPConfig via https over port 8080.

 Thanks alot.

From: Joel at: 2010-03-22 23:45:54

Thanks alot...

but can't send out mail messages using outlook configuration...

this is my error

The following recipient(s) could not be reached:

'' on 3/23/2010 7:36 AM

554 5.7.1 <>: Relay access denied

anybody can help me?

From: at: 2010-05-25 23:33:56

I am having exact issue

From: Atran at: 2010-04-14 20:33:50

do i have to install  python-policyd-spf after following this guide?

From: Anonymous at: 2010-04-26 11:57:18

In the SquirrelMail Login page I get the following error: Unknown user or password incorrect.

I'm using the administrator user (the one created in this tutorial in the Ubuntu server installation).

Do i have to activate something?

 Thank you!

From: elricho at: 2013-02-25 14:57:46

Excelent tutorial thank you so so so much !!!