ISPConfig Perfect Multiserver setup on Ubuntu 20.04 and Debian 10 - Page 3

4 Installing the first mailserver

Log in as root or run

su -

to become root user on your server before you proceed. IMPORTANT: You must use 'su -' and not just 'su', otherwise your PATH variable is set wrong by Debian.

4.1 Configure the hostname

The hostname of your server should be a subdomain like "mx1.example.com". Do not use a domain name without a subdomain part like "example.com" as hostname as this will cause problems later with your mail setup. First, you should check the hostname in /etc/hosts and change it when necessary. The line should be: "IP Address - space - full hostname incl. domain - space - subdomain part". For our hostname mx1.example.com, the file shall look like this:

nano /etc/hosts
127.0.0.1 localhost.localdomain   localhost
# This line should be changed on every node to the correct servername:
127.0.1.1 mx1.example.com mx1
# These lines are the same on every node:
10.0.64.12 panel.example.com panel
10.0.64.13 web01.example.com web01
10.0.64.14 mx1.example.com mx1
10.0.64.15 mx2.example.com mx2
10.0.64.16 ns1.example.com ns1
10.0.64.17 ns2.example.com ns2
10.0.64.18 webmail.example.com webmail

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

As you can see, we added the hostnames of our other servers as well, so they can communicate over the internal network later.

Then edit the /etc/hostname file:

nano /etc/hostname

It shall contain only the subdomain part, in our case:

mx1

Finally, reboot the server to apply the change:

systemctl reboot

Log in again and check if the hostname is correct now with these commands:

hostname
hostname -f

The output shall be like this:

root@mx1:~$ hostname
mx1
root@mx1:~$ hostname -f
mx1.example.com

4.2 Installing ISPConfig

Now we can run the autoinstaller for all packages and ISPConfig:

wget -O - https://get.ispconfig.org | sh -s -- --no-dns --no-roundcube --no-mailman --use-php=system --use-unbound --interactive

After some time, you will see:

WARNING! This script will reconfigure your complete server!
It should be run on a freshly installed server and all current configuration that you have done will most likely be lost!
Type 'yes' if you really want to continue:

Answer "yes" and hit enter. The installer will now start.

When the installation and configuration of the packages is done, the root password for MySQL on mx1 will be shown. Write this down (along with the servername, to prevent any confusion later).

Now we will have to answer some questions as we are using interactive mode. This is necessary as this server will be added to your multiserver setup.

[INFO] Installing ISPConfig3.
[INFO] Your MySQL root password is: kl3994aMsfkkeE


--------------------------------------------------------------------------------
 _____ ___________   _____              __ _         ____
|_   _/  ___| ___ \ /  __ \            / _(_)       /__  \
  | | \ `--.| |_/ / | /  \/ ___  _ __ | |_ _  __ _    _/ /
  | |  `--. \  __/  | |    / _ \| '_ \|  _| |/ _` |  |_ |
 _| |_/\__/ / |     | \__/\ (_) | | | | | | | (_| | ___\ \
 \___/\____/\_|      \____/\___/|_| |_|_| |_|\__, | \____/
                                              __/ |
                                             |___/
--------------------------------------------------------------------------------


>> Initial configuration  

Operating System: Debian 10.0 (Buster) or compatible

    Following will be a few questions for primary configuration so be careful.
    Default values are in [brackets] and can be accepted with <ENTER>.
    Tap in "quit" (without the quotes) to stop the installer.


Select language (en,de) [en]: <-- Hit enter

Installation mode (standard,expert) [standard]: <-- expert

Full qualified hostname (FQDN) of the server, eg server1.domain.tld  [mx1.example.com]: <-- Hit Enter

MySQL server hostname [localhost]: <-- Hit Enter

MySQL server port [3306]: <-- Hit Enter

MySQL root username [root]: <-- Hit Enter

MySQL root password []: <-- Enter the MySQL password the script just gave you

MySQL database to create [dbispconfig]: <-- Hit Enter

MySQL charset [utf8]: <-- Hit Enter

The next two questions are about the internal ISPConfig database user and password.
It is recommended to accept the defaults which are 'ispconfig' as username and a random password.
If you use a different password, use only numbers and chars for the password.

ISPConfig mysql database username [ispconfig]: <-- Hit Enter

ISPConfig mysql database password [aakl203920459853sak20284204]: <-- Hit Enter

Shall this server join an existing ISPConfig multiserver setup (y,n) [n]: <-- y

MySQL master server hostname []: <-- panel.example.com

MySQL master server port []: <-- Hit Enter

MySQL master server root username [root]: <-- Hit Enter

MySQL master server root password []: <-- the password you gave the external root user on the master server.

MySQL master server database name [dbispconfig]: <-- Hit Enter

Adding ISPConfig server record to database.

Configure Mail (y,n) [y]: <-- Hit enter

Configuring Postgrey
Configuring Postfix
Generating a RSA private key
......................................................................++++
....................++++
writing new private key to 'smtpd.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: <-- Hit enter
State or Province Name (full name) [Some-State]: <-- Hit enter
Locality Name (eg, city) []: <-- Hit enter
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Hit enter
Organizational Unit Name (eg, section) []: <-- Hit enter
Common Name (e.g. server FQDN or YOUR name) []: <-- Hit enter
Email Address []: <-- Hit enter
[WARN] autodetect for Mailman failed
Force configure Mailman (y,n) [n]: <-- Hit enter

Skipping Mailman

Configuring Dovecot
Creating new DHParams file, this takes several minutes. Do not interrupt the script.
Configuring Spamassassin
[WARN] autodetect for Amavisd failed
Force configure Amavisd (y,n) [n]: <-- Hit enter

Skipping Amavisd

Configuring Rspamd
Configuring Getmail
Configuring Jailkit
Configuring Pureftpd
Configure DNS Server (y,n) [y]: <-- n

The Web Server option has to be enabled when you want to run a web server or when this node shall host the ISPConfig interface.
Configure Web Server (y,n) [y]: <-- Hit enter

Configuring Apache
Configuring vlogger
[WARN] autodetect for OpenVZ failed
Force configure OpenVZ (y,n) [n]: <-- Hit Enter

Skipping OpenVZ

Configure Firewall Server (y,n) [y]: <-- Hit Enter

Configuring Ubuntu Firewall
[WARN] autodetect for Metronome XMPP Server failed
Force configure Metronome XMPP Server (y,n) [n]: <-- Hit Enter

Skipping Metronome XMPP Server

Configuring Fail2ban
Install ISPConfig Web Interface (y,n) [n]: <-- Hit Enter

Do you want to create SSL certs for your server? (y,n) [y]: <-- Hit Enter

Checking / creating certificate for mx1.example.com
Using certificate path /etc/letsencrypt/live/mx1.example.com
Using apache for certificate validation
Symlink ISPConfig SSL certs to Postfix? (y,n) [y]: <-- Hit Enter

Symlink ISPConfig SSL certs to Pure-FTPd? Creating dhparam file may take some time. (y,n) [y]: <-- Hit Enter

Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
......................+...........................................+...............
Configuring Apps vhost
Configuring DBServer
Installing ISPConfig crontab
no crontab for getmail
Detect IP addresses
Restarting services ...
Installation completed.
[INFO] Adding php versions to ISPConfig.
[INFO] Checking all services are running.
[INFO] mysql: OK
[INFO] clamav-daemon: OK
[INFO] postfix: OK
[INFO] bind9: OK
[INFO] pureftpd: OK
[INFO] apache2: OK
[INFO] rspamd: OK
[INFO] redis-server: OK
[INFO] dovecot: OK
[INFO] Installation ready.
[INFO] Your MySQL root password is: kl3994aMsfkkeE
[INFO] Warning: Please delete the log files in /tmp/ispconfig-ai/var/log/setup-* once you don't need them anymore because they contain your passwords!

4.3 Setting up replication for Dovecot

We are going to use dsync to synchronise the emails between mx1 and mx2, for redundancy.

The custom settings for dovecot have to be stored in /usr/local/ispconfig/server/conf-custom/install/dovecot_custom.conf.master so you don't lose them when updating ISPConfig.

nano /usr/local/ispconfig/server/conf-custom/install/dovecot_custom.conf.master

Put the following in there:

protocol imap {
  mail_plugins = $mail_plugins quota imap_quota notify replication
}
protocol pop3 {
  mail_plugins = $mail_plugins quota notify replication
}
protocol lda {
  mail_plugins = $mail_plugins sieve quota notify replication
}
protocol lmtp {
  mail_plugins = $mail_plugins sieve quota notify replication
}
doveadm_password = /(:&p-J:4e%?\@Q-;VSE#3Dmfm[fVK&r-mx1
doveadm_port = 12345
replication_max_conns = 50

ssl_client_ca_dir = /etc/ssl/certs

# Replicator process should be started at startup, so it can start replicating users immediately:
service replicator {
  process_min_avail = 1
}

# The mail processes need to have access to the replication-notify fifo and socket.
service aggregator {
    fifo_listener replication-notify-fifo {
        user = vmail
        mode = 0666
    }

    unix_listener replication-notify {
        user = vmail
        mode = 0666
    }
}

# Enable doveadm replicator commands
service replicator {
    unix_listener replicator-doveadm {
        mode = 0666
    }
}

# Create a listener for doveadm-server
service doveadm {
    user = vmail
    inet_listener {
        port = 12345
        ssl = yes
    }
}
service config {
    unix_listener config {
        user = vmail
    }
}

plugin {
    mail_replica = tcps:mx2.example.com
}

Replace the doveadm_password with your own password - make it a long and random string for security reasons.

Replace

mail_replica = tcps:mx2.example.com

with your own hostname of mx2.

To apply these changes, copy the file to the dovecot folder and restart dovecot:

cp /usr/local/ispconfig/server/conf-custom/install/dovecot_custom.conf.master /etc/dovecot/conf.d/99-ispconfig-custom-config.conf
systemctl restart dovecot
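Before restarting Dovecot it is worth checking that the file still contains the three things sections 4.3 and 4.5 depend on: a password of your own instead of the one printed above, a tcps: replica so dsync runs over TLS, and an SSL-enabled doveadm listener. The following is an added example, not code from the guide or from ISPConfig; the 32-character minimum is an assumed policy value and the config text is a constructed excerpt of the file above.

```python
# Password value printed in the guide's template; it must be replaced on every install.
GUIDE_PASSWORD = "/(:&p-J:4e%?\\@Q-;VSE#3Dmfm[fVK&r-mx1"
MIN_PASSWORD_LEN = 32  # assumed policy threshold, not a number from the guide

def parse_dovecot(text):
    # Flatten `key = value` / `block name { ... }` into {'service:doveadm/inet_listener/port': '12345'}.
    # Only whole-line comments are stripped: a '#' can legitimately sit inside a password value.
    settings, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            stack.append(line[:-1].strip().replace(" ", ":"))
        elif line == "}":
            stack.pop()
        else:
            key, _, value = line.partition("=")
            settings["/".join(stack + [key.strip()])] = value.strip()
    return settings

def audit_replication(text):
    # Return the list of problems found (an empty list means the settings look sane).
    s, problems = parse_dovecot(text), []
    pw = s.get("doveadm_password", "")
    if pw == GUIDE_PASSWORD:
        problems.append("doveadm_password is still the value printed in the guide")
    elif len(pw) < MIN_PASSWORD_LEN:
        problems.append("doveadm_password is shorter than %d characters" % MIN_PASSWORD_LEN)
    if not s.get("plugin/mail_replica", "").startswith("tcps:"):
        problems.append("mail_replica does not use tcps: (dsync would run without TLS)")
    if s.get("service:doveadm/inet_listener/ssl") != "yes":
        problems.append("doveadm inet_listener has ssl != yes")
    return problems

# Constructed excerpt of the guide's dovecot_custom.conf.master (other blocks omitted).
GUIDE_CONFIG = """
doveadm_password = /(:&p-J:4e%?\\@Q-;VSE#3Dmfm[fVK&r-mx1
doveadm_port = 12345
service doveadm {
    inet_listener {
        port = 12345
        ssl = yes
    }
}
plugin {
    mail_replica = tcps:mx2.example.com
}
"""
```

Run `audit_replication(open("/usr/local/ispconfig/server/conf-custom/install/dovecot_custom.conf.master").read())` on the real file; anything it returns should be fixed before the cp and restart.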

4.4 Setting up synchronisation for Rspamd

Rspamd has a nice web UI. We are going to set up our servers as neighbours so you can view the settings, stats, and other data in one panel.

nano /usr/local/ispconfig/server/conf-custom/install/rspamd_options.inc.master

Add these lines:

# Configuration from the ISPConfig template (must be updated if there are changes)
# Addrs local to this server.
local_addrs = [
    "127.0.0.0/8",
    "::1",
  ];

# This list is generated by ISPConfig, place custom addresses/networks in local_networks.inc.
local_networks = "/etc/rspamd/local.d/local_networks.inc";

dns {
    nameserver = ["127.0.0.1:53:10"];
}

# Custom configuration:
neighbours {
    mx1 {
        host = "https://mx1.example.com:443";
        path = "/rspamd/";
    }
    mx2 { 
        host = "https://mx2.example.com:443";
        path = "/rspamd/";
    }
}
# Last updated: 19-01-2022

Replace the hostnames with the correct hostnames for your main and secondary mail server. This config should be updated if the template changes, so make sure you verify this when updating ISPConfig.

Now we are going to add a website for this server in ISPConfig. Go to Sites -> Add new website and add the website "mx1.example.com". Make sure you create this on the correct server (mx1.example.com). Disable auto-subdomain, and enable SSL + Let's Encrypt. Then, go to options, and paste this in the Apache directives section:

RewriteEngine On
RewriteRule ^/rspamd$ /rspamd/ [R,L]
RewriteRule ^/rspamd/(.*) http://127.0.0.1:11334/$1 [P]
Header set Access-Control-Allow-Origin https://mx2.example.com

Replace mx2.example.com with the hostname of the secondary mail server.

Lastly, we have to enable some Apache modules and restart our services:

a2enmod proxy_balancer proxy_http
systemctl restart rspamd
systemctl restart apache2

4.5 Securing the mail server with a valid SSL certificate

For a working DSYNC and Roundcube setup, you need to have a valid SSL certificate in place for the used hostnames. This certificate can not be self-signed. If you are going to use additional hostnames for this server, like imap.example.com and smtp.example.com, or if the installer could not create a valid certificate when installing, follow this guide to set up a valid certificate for your mail server: https://www.howtoforge.com/securing-your-ispconfig-3-managed-mailserver-with-a-valid-lets-encrypt-certificate/

4.6 Setting up the firewall

The last thing to do is to set up our firewall.

Log in to the ISPConfig UI, and go to System -> Firewall. Then click "Add new firewall record".

Make sure you select the correct server. For our mailserver, we have to open the following ports:

TCP:

22,25,80,110,143,443,465,587,993,995

No UDP ports have to be opened through the UI.

We are also going to open port 3306, which is used for MySQL, and port 12345, which is used for dsync, but only from our local network for security reasons. To do so, run the following command from the CLI, after the change from the ISPConfig panel is propagated (when the red dot is gone):

ufw allow from 10.0.64.0/24 to any port 3306 proto tcp
ufw allow from 10.0.64.0/24 to any port 12345 proto tcp

Comments

By: Abacop

In "4.4 Setting up synchronisation for Rspamd" it says:

Replace the hostnames with the correct hostnames for your main and secondary nameserver.


I guess it should be:

Replace the hostnames with the correct hostnames for your main and secondary mailserver.

By: Radu Ghidiceanu

What about mailman? Is it suggested to be abandoned?

Or remove the --no-mailman option and follow the older installation examples?

By: arnold61

[WARN] autodetect for Spamassassin failed

...

Configuring Rspamd
chgrp: Zugriff auf '/etc/rspamd/local.d/worker-controller.inc' nicht möglich: Datei oder Verzeichnis nicht gefunden
chmod: Zugriff auf '/etc/rspamd/local.d/worker-controller.inc' nicht möglich: Datei oder Verzeichnis nicht gefunden
...

clamav-daemon: FAILED

in the actual script with Debian 11

By: arnold61

I cannot set up the mailserver in interactive mode without errors; the autoinstaller seems to be broken, the commit on GitHub has failed for 2 weeks as far as I can see. Non-interactive mode worked, but I need a Debian 11 mailserver in a multiserver setup. Not usable in production this way :-(

By: till

Neither ISPConfig nor the auto-installer is hosted on GitHub; we have our own GitLab-based system at git.ispconfig.org. So if you tried to commit something on GitHub, then you are not talking about the software used here in this guide. And committing to our git servers is only possible for users that contacted us first to get developer access permissions, so if you didn't request developer access, then you cannot commit. I commit code regularly to git.ispconfig.org and there are no issues with committing code.

By: arnold61

I mean your git sorry. https://git.ispconfig.org/ispconfig/ispconfig-autoinstaller/-/tree/master

By: till

The steps to contribute code are:


1) Sign up for an account on our git server.

2) Contact us, e.g. by using the contact form at ispconfig.org, to get developer permissions for your account.

3) Create an issue for the problem or feature on our git server.

4) Create a merge request and branch where you implement your changes. When finished, we will review the code changes and merge them into master.

By: arnold61

Till, the pipeline on your server has had status "failed" for the autoinstaller for weeks! I cannot set up a multiserver setup with Debian 11 without errors (clamav, rspamd) on the mailserver. But I need to go to production asap. The installer was working some months ago in a Proxmox setup. Now only the single server setup is working ok with the autoinstaller.

By: till

The pipeline on the GIT server is not related to the use of the auto-installer; it is just about automatically testing new committed changes, and they get checked manually when we release new versions, so its status does not matter for your installation. Nonetheless, I just checked the pipeline status and there are no failed jobs on the GIT system. I installed a mail system on Ubuntu 20.04 and Debian 11 about 2 days ago, both work fine and are already used in production as of today. There is no difference in the auto-installer regarding single and multiserver setup; it's the exact same code lines used for both setups. If you need help with your installation, please only use the ISPConfig support forum or contact business support on ispconfig.org, as we cannot debug individual issues here in the comment section.