ISPConfig Perfect Multiserver setup on Ubuntu 20.04 and Debian 10 - Page 3

4 Installing the first mailserver

Log in as root or run

su -

to become root user on your server before you proceed. IMPORTANT: You must use 'su -' and not just 'su', otherwise your PATH variable is set wrong by Debian.

4.1 Configure the hostname

The hostname of your server should be a subdomain like "mx1.example.com". Do not use a domain name without a subdomain part like "example.com" as hostname as this will cause problems later with your mail setup. First, you should check the hostname in /etc/hosts and change it when necessary. The line should be: "IP Address - space - full hostname incl. domain - space - subdomain part". For our hostname mx1.example.com, the file shall look like this:

nano /etc/hosts
127.0.0.1 localhost.localdomain   localhost
# This line should be changed on every node to the correct servername:
127.0.1.1 mx1.example.com mx1
# These lines are the same on every node:
10.0.64.12 panel.example.com panel
10.0.64.13 web01.example.com web01
10.0.64.14 mx1.example.com mx1
10.0.64.15 mx2.example.com mx2
10.0.64.16 ns1.example.com ns1
10.0.64.17 ns2.example.com ns2
10.0.64.18 webmail.example.com webmail

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

As you can see, we added the hostnames of our other servers aswell, so they can communicate over the internal network later.

Then edit the /etc/hostname file:

nano /etc/hostname

It shall contain only the subdomain part, in our case:

mx1

Finally, reboot the server to apply the change:

systemctl reboot

Log in again and check if the hostname is correct now with these commands:

hostname
hostname -f

The output shall be like this:

root@mx1:~$ hostname
mx1
root@mx1:~$ hostname -f
mx1.example.com

4.2 Installing ISPConfig

Now we can run the autoinstaller for all packages and ISPConfig:

wget -O - https://get.ispconfig.org | sh -s -- --no-dns --no-roundcube --no-mailman --use-php=system --use-unbound --interactive

After some time, you will see:

WARNING! This script will reconfigure your complete server!
It should be run on a freshly installed server and all current configuration that you have done will most likely be lost!
Type 'yes' if you really want to continue:

Answer "yes" and hit enter. The installer will now start.

When the installation and configuration of the packages is done, the root password for MySQL on mx1 will be shown. Write this down (along with the servername, to prevent any confusion later).

Now we will have to answer some questions as we are using interactive mode. This is necessary as this server will be added to your multiserver setup.

[INFO] Installing ISPConfig3.
[INFO] Your MySQL root password is: kl3994aMsfkkeE


--------------------------------------------------------------------------------
 _____ ___________   _____              __ _         ____
|_   _/  ___| ___ \ /  __ \            / _(_)       /__  \
  | | \ `--.| |_/ / | /  \/ ___  _ __ | |_ _  __ _    _/ /
  | |  `--. \  __/  | |    / _ \| '_ \|  _| |/ _` |  |_ |
 _| |_/\__/ / |     | \__/\ (_) | | | | | | | (_| | ___\ \
 \___/\____/\_|      \____/\___/|_| |_|_| |_|\__, | \____/
                                              __/ |
                                             |___/ 
--------------------------------------------------------------------------------


>> Initial configuration  

Operating System: Debian 10.0 (Buster) or compatible

    Following will be a few questions for primary configuration so be careful.
    Default values are in [brackets] and can be accepted with <ENTER>.
    Tap in "quit" (without the quotes) to stop the installer.


Select language (en,de) [en]: <-- Hit enter

Installation mode (standard,expert) [standard]: <-- expert

Full qualified hostname (FQDN) of the server, eg server1.domain.tld  [mx1.example.com]: <-- Hit Enter

MySQL server hostname [localhost]: <-- Hit Enter

MySQL server port [3306]: <-- Hit Enter

MySQL root username [root]: <-- Hit Enter

MySQL root password []: <-- Enter the MySQL password the script just gave you

MySQL database to create [dbispconfig]: <-- Hit Enter

MySQL charset [utf8]: <-- Hit Enter

The next two questions are about the internal ISPConfig database user and password.
It is recommended to accept the defaults which are 'ispconfig' as username and a random password.
If you use a different password, use only numbers and chars for the password.

ISPConfig mysql database username [ispconfig]: <-- Hit Enter

ISPConfig mysql database password [aakl203920459853sak20284204]: <-- Hit Enter

Shall this server join an existing ISPConfig multiserver setup (y,n) [n]: <-- y

MySQL master server hostname []: <-- panel.example.com

MySQL master server port []: <-- Hit Enter

MySQL master server root username [root]: <-- Hit Enter

MySQL master server root password []: <-- the password you gave the external root user on the master server.

MySQL master server database name [dbispconfig]: <-- Hit Enter

Adding ISPConfig server record to database.

Configure Mail (y,n) [y]: <-- Hit enter

Configuring Postgrey
Configuring Postfix
Generating a RSA private key
......................................................................++++
....................++++
writing new private key to 'smtpd.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: <-- Hit enter
State or Province Name (full name) [Some-State]: <-- Hit enter
Locality Name (eg, city) []: <-- Hit enter
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Hit enter
Organizational Unit Name (eg, section) []: <-- Hit enter
Common Name (e.g. server FQDN or YOUR name) []: <-- Hit enter
Email Address []: <-- Hit enter
[WARN] autodetect for Mailman failed
Force configure Mailman (y,n) [n]: <-- Hit enter

Skipping Mailman

Configuring Dovecot
Creating new DHParams file, this takes several minutes. Do not interrupt the script.
Configuring Spamassassin
[WARN] autodetect for Amavisd failed
Force configure Amavisd (y,n) [n]: <-- Hit enter

Skipping Amavisd

Configuring Rspamd
Configuring Getmail
Configuring Jailkit
Configuring Pureftpd
Configure DNS Server (y,n) [y]: <-- n

The Web Server option has to be enabled when you want run a web server or when this node shall host the ISPConfig interface.
Configure Web Server (y,n) [y]: <-- Hit enter

Configuring Apache
Configuring vlogger
[WARN] autodetect for OpenVZ failed
Force configure OpenVZ (y,n) [n]: <-- Hit Enter

Skipping OpenVZ

Configure Firewall Server (y,n) [y]: <-- Hit Enter

Configuring Ubuntu Firewall
[WARN] autodetect for Metronome XMPP Server failed
Force configure Metronome XMPP Server (y,n) [n]: <-- Hit Enter

Skipping Metronome XMPP Server

Configuring Fail2ban
Install ISPConfig Web Interface (y,n) [n]: <-- Hit Enter

Do you want to create SSL certs for your server? (y,n) [y]: <-- Hit Enter

Checking / creating certificate for mx1.example.com
Using certificate path /etc/letsencrypt/live/mx1.example.com
Using apache for certificate validation
Symlink ISPConfig SSL certs to Postfix? (y,n) [y]: <-- Hit Enter

Symlink ISPConfig SSL certs to Pure-FTPd? Creating dhparam file may take some time. (y,n) [y]: <-- Hit Enter

Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
......................+...........................................+...............
Configuring Apps vhost
Configuring DBServer
Installing ISPConfig crontab
no crontab for getmail
Detect IP addresses
Restarting services ...
Installation completed.
[INFO] Adding php versions to ISPConfig.
[INFO] Checking all services are running.
[INFO] mysql: OK
[INFO] clamav-daemon: OK
[INFO] postfix: OK
[INFO] bind9: OK
[INFO] pureftpd: OK
[INFO] apache2: OK
[INFO] rspamd: OK
[INFO] redis-server: OK
[INFO] dovecot: OK
[INFO] Installation ready.
[INFO] Your MySQL root password is: kl3994aMsfkkeE
[INFO] Warning: Please delete the log files in /tmp/ispconfig-ai/var/log/setup-* once you don't need them anymore because they contain your passwords!

4.3 Setting up replication for Dovecot

We are going to use dsync to synchronise the emails between mx1 and mx2, for redundancy.

The custom settings for dovecot have to be stored in /usr/local/ispconfig/server/conf-custom/install/dovecot_custom.conf.master so you don't lose them when updating ISPConfig.

nano /usr/local/ispconfig/server/conf-custom/install/dovecot_custom.conf.master

Put the following in there:

protocol imap {
  mail_plugins = $mail_plugins quota imap_quota notify replication
}
protocol pop3 {
  mail_plugins = $mail_plugins quota notify replication
}
protocol lda {
  mail_plugins = $mail_plugins sieve quota notify replication
}
protocol lmtp {
  mail_plugins = $mail_plugins sieve quota notify replication
}
doveadm_password = /(:&p-J:4e%?\@Q-;VSE#3Dmfm[fVK&r-mx1
doveadm_port = 12345
replication_max_conns = 50

ssl_client_ca_dir = /etc/ssl/certs

# Replicator process should be started at startup, so it can start replicating users immediately:
service replicator {
  process_min_avail = 1
}

# The mail processes need to have access to the replication-notify fifo and socket.
service aggregator {
    fifo_listener replication-notify-fifo {
        user = vmail
        mode = 0666
    }

    unix_listener replication-notify {
        user = vmail
        mode = 0666
    }
}

# Enable doveadm replicator commands
service replicator {
    unix_listener replicator-doveadm {
        mode = 0666
    }
}

# Create a listener for doveadm-server
service doveadm {
    user = vmail
    inet_listener {
        port = 12345
        ssl = yes
    }
}
service config {
    unix_listener config {
        user = vmail
    }
}

plugin {
    mail_replica = tcps:mx2.example.com
}

Replace the doveadm_password with your own password - make it a long and random string for security reasons.

Replace

mail_replica = tcps:mx2.example.com

with your own hostname of mx2.

To apply these changes, copy the file to the dovecot folder and restart dovecot:

cp /usr/local/ispconfig/server/conf-custom/install/dovecot_custom.conf.master /etc/dovecot/conf.d/99-ispconfig-custom-config.conf
systemctl restart dovecot

4.4 Setting up synchronisation for Rspamd

Rspamd has a nice web UI. We are going to set up our servers as neighbours so you can view the settings, stats, and other data in one panel.

nano /usr/local/ispconfig/server/conf-custom/install/rspamd_options.inc.master

Add these lines:

# Configuration from the ISPConfig template (must be updated if there are changes)
# Addrs local to this server.
local_addrs = [
    "127.0.0.0/8",
    "::1",
  ];

# This list is generated by ISPConfig, place custom addresses/networks in local_networks.inc.
local_networks = "/etc/rspamd/local.d/local_networks.inc";

dns {
    nameserver = ["127.0.0.1:53:10"];
}

# Custom configuration:
neighbours {
    mx1 {
        host = "https://mx1.example.com:443";
        path = "/rspamd/";
    }
    mx2 { 
        host = "https://mx2.example.com:443";
        path = "/rspamd/";
    }
}
# Last updated: 19-01-2022

Replace the hostnames with the correct hostnames for your main and secondary mail server. This config should be updated if the template changes, so make sure you verify this when updating ISPConfig.

Now we are going to add a website for this server in ISPConfig. Go to Sites -> Add new website and add the website "mx1.example.com". Make sure you create this on the correct server (mx1.example.com). Disable auto-subdomain, and enable SSL + Let's Encrypt. Then, go to options, and paste this in the Apache directives section:

RewriteEngine On
RewriteRule ^/rspamd$ /rspamd/ [R,L]
RewriteRule ^/rspamd/(.*) http://127.0.0.1:11334/$1 [P]
Header set Access-Control-Allow-Origin https://mx2.example.com

Replace mx2.example.com with the hostname of the secondary nameserver.

Lastly, we have to enable some Apache modules and restart our services:

a2enmod proxy_balancer proxy_http
systemctl restart rspamd
systemctl restart apache2

4.5 Securing the mail server with a valid SSL certificate

For a working DSYNC and Roundcube setup, you need to have a valid SSL certificate in place for the used hostnames. This certificate can not be self-signed. If you are going to use additional hostnames for this server, like imap.example.com and smtp.example.com, or if the installer could not create a valid certificate when installing, follow this guide to set up a valid certificate for your mail server: https://www.howtoforge.com/securing-your-ispconfig-3-managed-mailserver-with-a-valid-lets-encrypt-certificate/

4.6 Setting up the firewall

The last thing to do is to set up our firewall.

Log in to the ISPConfig UI, and go to System -> Firewall. Then click "Add new firewall record".

Make sure you select the correct server. For our mailserver, we have to open the following ports:

TCP:

22,25,80,110,143,443,465,587,993,995

No UDP ports have to be opened through the UI.

We are also going to open port 3306, which is used for MySQL, and port 12345, which is used for dsync, but only from our local network for security reasons. To do so, run the following command from the CLI, after the change from the ISPConfig panel is propagated (when the red dot is gone):

ufw allow from 10.0.64.0/24 to any port 3306 proto tcp
ufw allow from 10.0.64.0/24 to any port 12345 proto tcp
Share this page:

9 Comment(s)