ISP-Server Setup - Ubuntu 5.0.4 "The Hoary Hedgehog" - Page 4

MySQL

apt-get install mysql-server mysql-client libmysqlclient12-dev

mysqladmin -u root password yourrootsqlpassword
mysqladmin -h server1.example.com -u root password yourrootsqlpassword

When you run netstat -tap you should now see a line like this:

tcp        0      0 localhost.localdo:mysql *:*                     LISTEN     2449/mysqld

which means that MySQL is accessible on port 3306. You can go to the next section (Postfix). If you do not see this line, edit /etc/mysql/my.cnf and comment out skip-networking:

# skip-networking

If you had to edit /etc/mysql/my.cnf you have to restart MySQL:

/etc/init.d/mysql restart

Postfix

In order to install Postfix with SMTP-AUTH and TLS, do the following steps:

apt-get install postfix postfix-tls libsasl2 sasl2-bin libsasl2-modules libdb3-util procmail (1 line!)
dpkg-reconfigure postfix


<- Internet Site
<- NONE
<- server1.example.com
<- server1.example.com, localhost.example.com, localhost
<- No
<- 127.0.0.0/8
<- 0
<- +

postconf -e 'smtpd_sasl_local_domain ='
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
postconf -e 'inet_interfaces = all'
echo 'pwcheck_method: saslauthd' >> /etc/postfix/sasl/smtpd.conf
echo 'mech_list: plain login' >> /etc/postfix/sasl/smtpd.conf

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'
postconf -e 'myhostname = server1.example.com'

The file /etc/postfix/main.cf should now look like this:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

myhostname = server1.example.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = server1.example.com, localhost.example.com, localhost
relayhost =
mynetworks = 127.0.0.0/8
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

/etc/init.d/postfix restart
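The three entries in smtpd_recipient_restrictions are what stop this server from relaying for anyone: an unauthenticated client from outside mynetworks may only deliver to a domain in mydestination. The following Python is an added model (not part of the howto and not Postfix code) of how smtpd walks that list at RCPT TO with the values from main.cf above; it ignores relay_domains and every restriction the page does not use, and 203.0.113.10 / example.net are constructed documentation values.

```python
import ipaddress

# Values from the main.cf shown above.  No relay_domains is set there, so in
# this model reject_unauth_destination accepts only recipients in mydestination.
MYNETWORKS = ["127.0.0.0/8"]
MYDESTINATION = ["server1.example.com", "localhost.example.com", "localhost"]
RESTRICTIONS = ["permit_sasl_authenticated", "permit_mynetworks", "reject_unauth_destination"]
MODELLED = ("permit_sasl_authenticated", "permit_mynetworks", "reject_unauth_destination",
            "permit", "reject")

def evaluate(restrictions, client_ip, authenticated, rcpt,
             mynetworks=MYNETWORKS, mydestination=MYDESTINATION):
    """Walk the list as smtpd does at RCPT TO: the first rule that yields a
    verdict decides, a rule that does not apply is skipped, and an exhausted
    list falls through to permit.  Returns (verdict, deciding rule)."""
    addr = ipaddress.ip_address(client_ip)
    rcpt_domain = rcpt.rpartition("@")[2].lower()
    local = {d.lower() for d in mydestination}
    for rule in restrictions:
        if rule not in MODELLED:
            raise ValueError("restriction not modelled here: " + rule)
        if rule == "permit_sasl_authenticated" and authenticated:
            return "permit", rule
        if rule == "permit_mynetworks" and any(addr in ipaddress.ip_network(n) for n in mynetworks):
            return "permit", rule
        if rule == "reject_unauth_destination" and rcpt_domain not in local:
            return "reject", rule
        if rule in ("permit", "reject"):
            return rule, rule
    return "permit", "end of list"

def is_open_relay(restrictions, **kw):
    """Unauthenticated client outside mynetworks (203.0.113.10 is a documentation
    address) asks us to relay to a foreign domain; permit means open relay."""
    verdict, _ = evaluate(restrictions, "203.0.113.10", False, "someone@example.net", **kw)
    return verdict == "permit"

if __name__ == "__main__":
    cases = [("outside, no auth", "203.0.113.10", False, "a@example.net"),
             ("outside, SMTP-AUTH", "203.0.113.10", True, "a@example.net"),
             ("localhost", "127.0.0.1", False, "a@example.net"),
             ("outside, mail for us", "203.0.113.10", False, "a@server1.example.com")]
    for who, ip, auth, to in cases:
        print("%-22s -> %s" % (who, evaluate(RESTRICTIONS, ip, auth, to)))
    print("open relay:", is_open_relay(RESTRICTIONS))          # False
    print("without reject_unauth_destination:", is_open_relay(RESTRICTIONS[:2]))  # True
```

Postfix 2.10 and later additionally evaluate smtpd_relay_restrictions as a separate safety net against relaying; the Postfix version this page targets predates it, so here the recipient restrictions are the only guard.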

Authentication will be done by saslauthd. We have to change a few things to make it work properly. Because Postfix runs chrooted in /var/spool/postfix we have to do the following:

mkdir -p /var/spool/postfix/var/run/saslauthd
rm -fr /var/run/saslauthd

Now we have to edit /etc/default/saslauthd in order to activate saslauthd. Remove # in front of START=yes and add the line PARAMS="-m /var/spool/postfix/var/run/saslauthd":

# This needs to be uncommented before saslauthd will be run automatically
START=yes

PARAMS="-m /var/spool/postfix/var/run/saslauthd"

# You must specify the authentication mechanisms you wish to use.
# This defaults to "pam" for PAM support, but may also include
# "shadow" or "sasldb", like this:
# MECHANISMS="pam shadow"

MECHANISMS="pam"

Finally we have to edit /etc/init.d/saslauthd. Change the line

dir=`dpkg-statoverride --list $PWDIR`

to

#dir=`dpkg-statoverride --list $PWDIR`

Then change the variables PWDIR and PIDFILE and add the variable dir at the beginning of the file:

PWDIR="/var/spool/postfix/var/run/${NAME}"
PIDFILE="${PWDIR}/saslauthd.pid"
dir="root sasl 755 ${PWDIR}"

/etc/init.d/saslauthd should now look like this:

#!/bin/sh -e

NAME=saslauthd
DAEMON="/usr/sbin/${NAME}"
DESC="SASL Authentication Daemon"
DEFAULTS=/etc/default/saslauthd
PWDIR="/var/spool/postfix/var/run/${NAME}"
PIDFILE="${PWDIR}/saslauthd.pid"
dir="root sasl 755 ${PWDIR}"

createdir() {
    # $1 = user
    # $2 = group
    # $3 = permissions (octal)
    # $4 = path to directory
    [ -d "$4" ] || mkdir -p "$4"
    chown -c -h "$1:$2" "$4"
    chmod -c "$3" "$4"
}

test -f "${DAEMON}" || exit 0

# Source defaults file; edit that file to configure this script.
if [ -e "${DEFAULTS}" ]; then
    . "${DEFAULTS}"
fi

# If we're not to start the daemon, simply exit
if [ "${START}" != "yes" ]; then
    exit 0
fi

# If we have no mechanisms defined
if [ "x${MECHANISMS}" = "x" ]; then
    echo "You need to configure ${DEFAULTS} with mechanisms to be used"
    exit 0
fi

# Add our mechanisms with the necessary flag
PARAMS="${PARAMS} -a ${MECHANISMS}"

START="--start --quiet --pidfile ${PIDFILE} --startas ${DAEMON} --name ${NAME} -- ${PARAMS}"

# Consider our options
case "${1}" in
    start)
        echo -n "Starting ${DESC}: "
        #dir=`dpkg-statoverride --list $PWDIR`
        test -z "$dir" || createdir $dir
        if start-stop-daemon ${START} >/dev/null 2>&1 ; then
            echo "${NAME}."
        else
            if start-stop-daemon --test ${START} >/dev/null 2>&1; then
                echo "(failed)."
                exit 1
            else
                echo "${DAEMON} already running."
                exit 0
            fi
        fi
        ;;
    stop)
        echo -n "Stopping ${DESC}: "
        if start-stop-daemon --stop --quiet --pidfile "${PIDFILE}" \
            --startas ${DAEMON} --retry 10 --name ${NAME} \
            >/dev/null 2>&1 ; then
            echo "${NAME}."
        else
            if start-stop-daemon --test ${START} >/dev/null 2>&1; then
                echo "(not running)."
                exit 0
            else
                echo "(failed)."
                exit 1
            fi
        fi
        ;;
    restart|force-reload)
        $0 stop
        exec $0 start
        ;;
    *)
        echo "Usage: /etc/init.d/${NAME} {start|stop|restart|force-reload}" >&2
        exit 1
        ;;
esac

exit 0

Now start saslauthd:

/etc/init.d/saslauthd start
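Why the socket directory has to move: smtpd runs chrooted in /var/spool/postfix, so the only /var/run/saslauthd it can open is the one inside that tree. As an added check (not from the howto and not from the saslauthd package), this Python reads the /etc/default/saslauthd settings from the steps above and confirms that the -m directory is visible from inside the chroot at the socket directory Cyrus SASL is assumed to use by default, /var/run/saslauthd; the defaults-file contents are constructed.

```python
import posixpath
import shlex

# Constructed /etc/default/saslauthd as this page leaves it.
SASLAUTHD_DEFAULTS = """\
START=yes
PARAMS="-m /var/spool/postfix/var/run/saslauthd"
MECHANISMS="pam"
"""
QUEUE_DIRECTORY = "/var/spool/postfix"  # Postfix's queue_directory, the smtpd chroot
SASLAUTHD_PATH = "/var/run/saslauthd"    # assumed default socket dir Cyrus SASL looks in

def parse_defaults(text):
    """KEY=VALUE lines of /etc/default/saslauthd (shell syntax) -> dict."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = " ".join(shlex.split(value))
    return settings

def mux_dir(params):
    """Directory given to saslauthd with -m, or None when the option is absent."""
    args = shlex.split(params)
    return next((args[i + 1] for i, a in enumerate(args[:-1]) if a == "-m"), None)

def chroot_view(chroot, host_path):
    """host_path as a process inside chroot sees it, or None if it is outside."""
    chroot, host_path = posixpath.normpath(chroot), posixpath.normpath(host_path)
    if host_path == chroot:
        return "/"
    return host_path[len(chroot):] if host_path.startswith(chroot + "/") else None

def check_saslauthd(defaults_text, chroot=QUEUE_DIRECTORY):
    """(ok, reason): can a chrooted smtpd reach the saslauthd socket?"""
    s = parse_defaults(defaults_text)
    if s.get("START") != "yes":
        return False, "START is not yes, so saslauthd will not be started"
    if not s.get("MECHANISMS"):
        return False, "MECHANISMS is empty, the init script refuses to start"
    d = mux_dir(s.get("PARAMS", ""))
    inside = chroot_view(chroot, d) if d else None
    if inside != SASLAUTHD_PATH:
        return False, "socket dir %r is not visible as %s inside %s" % (d, SASLAUTHD_PATH, chroot)
    return True, "chrooted smtpd sees the socket at " + SASLAUTHD_PATH
```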

To see if SMTP-AUTH and TLS work properly, now run the following command:

telnet localhost 25

After you have established the connection to your Postfix mail server, type

ehlo localhost

If you see the lines

250-STARTTLS

and

250-AUTH

everything is fine.

Type

quit

to return to the system's shell.
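The same test in script form, as an added example that is not part of the howto: it parses an EHLO reply for STARTTLS and AUTH the way the telnet check above does, and also reports the consequence of smtpd_tls_auth_only = no, namely that AUTH is already offered on the unencrypted connection. The sample reply is constructed to match the configuration above; probe() runs the live check against a real server with smtplib.

```python
import re
import smtplib

# Constructed EHLO reply as the configuration above produces it on a plain
# connection (the AUTH= line comes from broken_sasl_auth_clients = yes).
SAMPLE_EHLO = """250-server1.example.com
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 8BITMIME""".splitlines()

def parse_ehlo(lines):
    """ESMTP keyword -> parameters; takes raw telnet lines ('250-STARTTLS')
    as well as smtplib's reply lines, which lack the code."""
    features = {}
    for line in lines:
        line = re.sub(r"^\d{3}[ -]", "", line.strip(), count=1)
        if not line:
            continue
        keyword, _, params = line.partition(" ")
        if "=" in keyword:                 # 'AUTH=PLAIN LOGIN' -> 'AUTH=' / 'PLAIN LOGIN'
            keyword, first = keyword.split("=", 1)
            keyword, params = keyword + "=", (first + " " + params).strip()
        features[keyword.upper()] = params.split()
    return features

def assess(features, encrypted=False):
    """Findings for one EHLO reply; encrypted=True means STARTTLS was already issued."""
    findings = []
    mechs = features.get("AUTH", [])
    if not encrypted and "STARTTLS" not in features:
        findings.append("STARTTLS not offered: the TLS setup is not active")
    if not mechs:
        findings.append("AUTH not offered: SMTP-AUTH via saslauthd is not working")
    elif not encrypted:
        findings.append("AUTH %s offered before STARTTLS (smtpd_tls_auth_only = no): "
                        "a client may send its password in cleartext" % " ".join(mechs))
    return findings

def probe(host="localhost", port=25, timeout=10):
    """Live version of the telnet test: findings before and after STARTTLS."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo("localhost")
        before = assess(parse_ehlo(s.ehlo_resp.decode("utf-8", "replace").splitlines()))
        if not s.has_extn("starttls"):
            return before, None
        s.starttls()   # default context: does not verify the self-signed smtpd.crt
        s.ehlo("localhost")
        lines = s.ehlo_resp.decode("utf-8", "replace").splitlines()
        return before, assess(parse_ehlo(lines), encrypted=True)
```

An empty findings list after STARTTLS and only the cleartext-AUTH finding before it is what this page's configuration yields; setting smtpd_tls_auth_only = yes makes the before list empty of AUTH as well.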

Courier-IMAP/Courier-POP3

Install Courier-IMAP/Courier-IMAP-SSL (for IMAPs on port 993) and Courier-POP3/Courier-POP3-SSL (for POP3s on port 995).

apt-get install courier-authdaemon courier-base courier-imap courier-imap-ssl courier-pop courier-pop-ssl courier-ssl gamin libgamin0 libglib2.0-0 (one line!)

<- No
<- OK

Then configure Postfix to deliver emails to a user's Maildir:

postconf -e 'home_mailbox = Maildir/'
postconf -e 'mailbox_command ='

/etc/init.d/postfix restart

Please make sure to enable Maildir under Management -> Settings -> EMail in the ISPConfig web interface.


Comments

From: Anonymous at: 2005-10-10 02:01:05

You mention that Postfix has a shorter list of security vulnerabilities than Sendmail. In recent times, Sendmail has performed very well. Also keep in mind that Sendmail is over 23 years old -- it's had a lot more time to be tested for these things. If you mentioned that Postfix scales better than Sendmail, I'd have marked that as credible; however, Sendmail's M4 configuration is so easy that even a monkey could do it.

As a software package, Sendmail works great. It is easy to configure. It has proven itself secure in the recent years. Don't knock it for the wrong things.

From: Anonymous at: 2005-11-16 22:54:12

Maybe you'd check more. Postfix is designed basically to be a secure alternative to Sendmail; check its site. And it does have a better record.

I'd say the worst thing about sendmail is the configuration, by the way. Probably you are an M4 veteran, so you don't know how complicated it is. Frankly, that was the reason I switched from sendmail to postfix, circa Red Hat 7.3, before it became their default. And I am not really a newbie.

From: Anonymous at: 2005-12-19 16:44:21

Thanks for the walkthrough. Only had Ubuntu installed (or any type of Linux) for a couple of days and I'm already running my own server... pure magic.

From: Anonymous at: 2006-01-29 17:47:45

would this be a better starting point?

would it change everything in this howto?

http://distrowatch.com/?newsid=02988#0

From: admin at: 2006-01-29 18:26:22

The Ubuntu Server distribution did not exist at the time I wrote this howto. I'm pretty sure that the howto will work fine with the Ubuntu Server distribution too, but I've not tested it yet.

Till

From: Anonymous at: 2005-10-28 09:58:33

Bad bad bad!:
0 */2 * * * /etc/init.d/ntpdate restart

Please use an ntp daemon.

From: Anonymous at: 2005-12-03 08:59:49

And if you are already on it, use 'crontab -e' to modify cronjobs instead of digging through the file system. You get syntax highlighting, and it checks and installs the new cronjob for you afterwards.

From: at: 2005-09-20 02:00:06

There is an error (minor) in the following paragraph on the last page. ...

After you have answered the questions ISPConfig should be duly installed. If you indicated www as host and xyz.com as the domain during the installation, you will find the ISPConfig interface under https://www.xyz.de:81 or http://www.xyz.de:81.


The addresses should have .com instead of .de (or the howto should be xyz.de).


thanks for the sweet article!

From: admin at: 2005-09-26 08:11:23

Thanks, I've corrected the error.

From: Anonymous at: 2005-10-09 06:05:23

Why can't an ISO of this be available to download, all ready to run?

flame away ;-)

From: at: 2005-09-25 21:45:42

Crossposted from OSNews:

This is the worst HOWTO I ever read. There is NO explanation of what this setup will create, NOR is it secure or suitable for anything other than for kids to play on their homeboxen. Postfix has not disabled plaintext without SSL, so every client pointing to server:25 and not issuing STARTTLS will transmit passwords in cleartext. Did I hear ISP? Where is virtual domain support? Are you supposed to have all your mail accounts in /etc/passwd? What is that Apache setup meant for? Disabling PHP and running PHP scripts as CGI with suexec? Ever heard of suphp?

forget it

From: Anonymous at: 2005-09-26 08:19:04

It seems you have not read the howto at all. The howto prepares a server for the installation of the ISPConfig control panel. If you do not disable PHP globally, you cannot manage it on a per-vhost basis :-) When you have written your own server howto, you can post it here to show everyone what you think a server setup is. E.g. crossposting is :cool:

From: at: 2005-09-25 22:22:56

Hmm, the other guy needs a slap around the ears. It's not designed for kids at home; he assumes you have a basic idea if you are going to do it. There are also articles about virtual domains on the site. Take a chill pill and relax. Nice article. You may also want to look into running VHCS as well, from www.vhcs.net; it's also a free open-source hosting panel. I think it has more features too, plus it's a heck of a lot sexier.

From: Anonymous at: 2005-10-06 20:09:48

Everyone's a noob at some point.

From: Anonymous at: 2005-09-27 02:30:55

Hello, I am a newbie. It's my first time having hands-on experience with Linux. Anyway, I followed everything in this article, except that when I installed ISPConfig, I got the following error:

Warning: main(config.inc.php): failed to open stream: No such file or directory in /tmp/install_ispconfig/install.php on line 624

Warning: main(): Failed opening 'config.inc.php' for inclusion (include_path='.:/root/ispconfig/php/lib/php') in /tmp/install_ispconfig/install.php on line 624

Warning: mysql_connect(): Access denied for user: 'root@localhost' (Using password: NO) in /tmp/install_ispconfig/install.php on line 634

Could not connect to db

Restarting some services...

./setup2: line 883: [:==: unary operator expected

./setup2: line 901: /etc/init.d/ispconfig_server: No such file or directory

If you have any way of fixing this, I would be very grateful.

mike

From: falko at: 2005-09-28 07:40:54
From: Anonymous at: 2005-10-07 16:22:42

My setup is OK now. Can you tell me how to add amavisd-new and ClamAV to this setup?

From: admin at: 2005-10-07 17:16:33

If you use ISPConfig, mail filtering with SpamAssassin and ClamAV is installed and configured by the ISPConfig installer.

From: Anonymous at: 2005-10-10 16:38:41

I cannot receive email, but I can send using the Outlook client with SMTP authentication. Also, I cannot log in using https://www.mydomain.com:81/mailuser.

From: Anonymous at: 2005-09-28 01:55:51

I tried this but had a dickens of a time testing the email addresses. I put "nameserver 192.168.0.100" at the top of /etc/resolv.conf and, to test the DNS, I'd run "host newdomain.com" to see if the virtual address showed up. It did, so I tried setting up email accounts (2) and created the accounts in Thunderbird to send back and forth. They didn't work until I started sending to "userID1@www.domain.com". Creating a Co-Domain with the Hostname cleared worked. It also resulted in the /etc/postfix/local-host-names file showing the domain.com entry (along with the www.domain.com entry).

Cool HowTo BTW. Now I have to go in and start learning what all is going on. ;-)


I'm thinking this might be nice for a couple of friends who have a small biz and need to create temp accounts for customer comm and file sharing.

From: Anonymous at: 2005-09-28 13:37:50

Rather than creating the symlinks manually as you do for the Apache modules, you can use the provided tools:

a2enmod include

a2enmod ssl

etc.

From: Anonymous at: 2005-10-06 14:16:36

Is it perfect? Probably not.

Handholding? Some, but you really need to bring your own critical thinking to the table if you're to tackle an unforeseen glitch.

Thorough? Absolutely. While I (might) agree there's not a lot of detailed explanations to the tasks, it's all here. You couldn't ask for a better blueprint. You wanna know more about the underpinnings of each step? Start digging. At least you now know what questions to ask!

For all the indignant boo-hooing, I would say anyone whining about this article has not had to fend for themselves much and is probably still living with their parents.

Thanks for helping this newbie get a better idea of how work is accomplished in Linux!

From: Anonymous at: 2005-10-09 17:00:47

I created some scripts that are a start to automating this process. You can find them here:

http://www.geekdept.com/1.script

http://www.geekdept.com/2.script

http://www.geekdept.com/3.script

http://www.geekdept.com/4.script

http://www.geekdept.com/5.script

http://www.geekdept.com/6.script

http://www.geekdept.com/7.script

http://www.geekdept.com/8.script

http://www.geekdept.com/9.script

Keep in mind that these scripts are not the cure-all; they just help automate a bit. Take a look at each one before you use it. I usually run wget to get them all into the /tmp dir and then call on them as needed.


Hope this helps.

From: SABADBOY at: 2008-11-30 08:41:44

ANYBODY MADE AN ISO YET SO THE INSTALL IS ALL AUTOMATED? SERIOUSLY, I NEED IT BAD.

GREAT ARTICLE