The Perfect Server - Debian 8.4 Jessie (Apache2, BIND, Dovecot, ISPConfig 3.1)

This tutorial shows how to prepare a Debian Jessie server (with Apache2, BIND, Dovecot) for the installation of ISPConfig 3.1, and how to install ISPConfig. The web hosting control panel ISPConfig 3 allows you to configure the following services through a web browser: Apache or nginx web server, Postfix mail server, Courier or Dovecot IMAP/POP3 server, MySQL, BIND or MyDNS nameserver, PureFTPd, SpamAssassin, ClamAV, and many more. This setup covers Apache (instead of nginx), BIND, and Dovecot (instead of Courier).

1 Preliminary Note

In this tutorial, I will use the hostname with the IP address and the gateway These settings might differ for you, so you have to replace them where appropriate. Before proceeding further you need to have a minimal installation of Debian 8. This might be a Debian minimal image from your Hosting provider or you use the Minimal Debian Server tutorial to setup the base system.

What's new in this version of the tutorial?

  • Support for the new ISPConfig 3.1 features.
  • Support for Let's Encrypt SSL certificates.
  • Support for HHVM (HipHop Virtual Machine) to run PHP scripts.
  • Support for XMPP (Metronome).
  • Support for EMail Greylisting with Postgrey.
  • UFW as Firewall to replace Bastille.
  • RoundCube Webmail instead of Squirrelmail.

2 Install the SSH server (Optional)

If you did not install the OpenSSH server during the system installation, you can do it now:

apt-get install ssh openssh-server

From now on you can use an SSH client such as PuTTY and connect from your workstation to your Debian Jessie server and follow the remaining steps from this tutorial.

3 Install a shell text editor (Optional)

We will use nano text editor in this tutorial. Some users prefer the classic vi editor, therefore we will install both editors here. The default vi program has some strange behavior on Debian and Ubuntu; to fix this, we install vim-nox:

apt-get install nano vim-nox

If vi is your favorite editor, then replace nano with vi in the following commands to edit files.

4 Configure the Hostname

The hostname of your server should be a subdomain like "". Do not use a domain name without subdomain part like "" as hostname as this will cause problems later with your mail setup. First, you should check the hostname in /etc/hosts and change it when necessary. The line should be: "IP Address - space - full hostname incl. domain - space - subdomain part". For our hostname, the file shall look like this:

nano /etc/hosts       localhost.localdomain   localhost     server1

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Then edit the /etc/hostname file:

nano /etc/hostname

It shall contain only the subdomain part, in our case:


Finally, reboot the server to apply the change:


Login again and check if the hostname is correct now with these commands:

hostname -f

The output shall be like this:

[email protected]:/tmp# hostname
[email protected]:/tmp# hostname -f


5 Update Your Debian Installation

First make sure that your /etc/apt/sources.list contains the jessie/updates repository (this makes sure you always get the newest security updates), and that the contrib and non-free repositories are enabled (some packages such as libapache2-mod-fastcgi are not in the main repository).

nano /etc/apt/sources.list

#deb cdrom:[Debian GNU/Linux 8.0.0 _Jessie_ - Official amd64 NETINST Binary-1 20150425-12:50]/ jessie main

deb jessie main contrib non-free
deb-src jessie main contrib non-free

deb jessie/updates main contrib non-free
deb-src jessie/updates main contrib non-free


apt-get update

To update the apt package database

apt-get upgrade

and to install the latest updates (if there are any).


6 Change the default Shell

/bin/sh is a symlink to /bin/dash, however we need /bin/bash, not /bin/dash. Therefore we do this:

dpkg-reconfigure dash

Use dash as the default system shell (/bin/sh)? <- no

If you don't do this, the ISPConfig installation will fail.


7 Synchronize the System Clock

It is a good idea to synchronize the system clock with an NTP (network time protocol) server over the Internet. Simply run

apt-get install ntp

and your system time will always be in sync.


8 Install Postfix, Dovecot, MySQL, rkhunter, and Binutils

We can install Postfix, Dovecot, MySQL, rkhunter, and binutils with a single command:

apt-get install postfix postfix-mysql postfix-doc mariadb-client mariadb-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve dovecot-lmtpd sudo

When you prefer MySQL over MariaDB, replace the packages "mariadb-client mariadb-server" in the above command with "mysql-client mysql-server".

You will be asked the following questions:

General type of mail configuration: <-- Internet Site
System mail name: <--
New password for the MariaDB "root" user: <-- yourrootsqlpassword
Repeat password for the MariaDB "root" user: <-- yourrootsqlpassword

To secure the MariaDB / MySQL installation and to disable the test database, run this command:


We dont have to change the MySQL root password as we just set a new one during installation. Answer the questions as follows:

Change the root password? [Y/n] <-- n
Remove anonymous users? [Y/n] <-- y
Disallow root login remotely? [Y/n] <-- y
Remove test database and access to it? [Y/n] <-- y
Reload privilege tables now? [Y/n] <-- y

Next, open the TLS/SSL and submission ports in Postfix:

nano /etc/postfix/

Uncomment the submission and smtps sections as follows and add lines where nescessary so that this section of the file looks exactly like the one below.

submission inet n - - - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING [...]

Restart Postfix afterwards:

service postfix restart

We want MariaDB to listen on all interfaces, not just localhost, therefore, we edit /etc/mysql/my.cnf and comment out the line bind-address =

nano /etc/mysql/my.cnf

# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address           =

Then we restart MySQL:

service mysql restart

Now check that networking is enabled. Run

netstat -tap | grep mysql

The output should look like this:

[email protected]:/# netstat -tap | grep mysql
tcp6 0 0 [::]:mysql [::]:* LISTEN 16806/mysqld


9 Install Amavisd-new, SpamAssassin, and ClamAV

To install amavisd-new, SpamAssassin and ClamAV, we run

apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl postgrey

The ISPConfig 3 setup uses amavisd which loads the SpamAssassin filter library internally, so we can stop SpamAssassin to free up some RAM:

service spamassassin stop
systemctl disable spamassassin

9.1 Install Metronome XMPP Server (optional)

This step installs the Metronome XMPP Server which provides a chat server that is compatible with the XMPP protocol. This step is optional, if you do not need a chat server, then you can skip this step. No other ISPConfig functions depend on this software.

Add the Prosody package repository in Debian.

echo "deb jessie main" > /etc/apt/sources.list.d/metronome.list
wget -O - | sudo apt-key add -

Update the package list:

apt-get update

and install the packages with apt.

apt-get install git lua5.1 liblua5.1-0-dev lua-filesystem libidn11-dev libssl-dev lua-zlib lua-expat lua-event lua-bitop lua-socket lua-sec luarocks luarocks

luarocks install lpc

Add a shell user for Metronome.

adduser --no-create-home --disabled-login --gecos 'Metronome' metronome

Download Metronome to the /opt directory and compile it.

cd /opt; git clone metronome
cd ./metronome; ./configure --ostype=debian --prefix=/usr
make install

Metronome has now be installed to /opt/metronome.

Share this page:

Suggested articles

95 Comment(s)

Add comment


From: David at: 2016-04-29 22:07:09

Hi Folk, why do you install xcache? i would install zend opcache. 

From: sannom at: 2016-05-05 20:07:05

hello, I can't install hhvm "failed to fetch   Unable to find entry 'main/binary-armhf/Packages' in release file(wrong sources.list entry or malformed file)   some index files failes to dowload......ect

Could you help me fix this?

From: sannom at: 2016-05-05 21:07:12


i don't know if hhvm is necesary but it doesn't install, so i continue step 11 and 12 but now i have E:package 'libapache2-mod-fastcgi' has no installation candidate

could you help me fix it..

From: till at: 2016-05-15 09:18:12

Check your /etc(apt/sources.list file and ensure that all Debian repositories (main contrib non-free) are active as described in this tutorial.

From: herbert at: 2017-11-22 01:17:01

just remove /etc/apt/sources.list.d/hhvm.list

From: BatteriesInc at: 2016-05-10 17:17:56

Small note: might be worth adding your excellent munin/monit tutorial to this setup, ISPC has support for it.

From: Tim at: 2016-05-10 17:23:13

I wen through this whole install and everything works except for roundcube.  When I try to login I get "Connection to storage server failed".  I have tried removing and reinstalling roundcube, also removed and readded user to ispconfig.  Please help

From: corpus at: 2016-05-14 04:43:24

Hello. HHVM is available only for 64bit

From: erama at: 2016-05-18 21:44:42

Thank you!You are genius. Always do you help me with the best tutorials.

From: Ritooon at: 2016-05-19 22:16:45

Hi ! 

First, thanks for the tutorial ! 

I have an error at the 14th step, when I try to modify fstab

I do it, then use the next command (mount -o remount /) and then the next (quotacheck -avugm), that give me an error : 

quotacheck: Cannot stat() mounted device /dev/root: Aucun fichier ou dossier de ce type

quotacheck: Cannot find filesystem to check or filesystem not mounted with quota option.


This is my file : 


# <file system> <mount point>   <type>  <options>       <dump>  <pass>

/dev/sda1       /       ext4    errors=remount-ro,relatime,discard,usrjquota=quota.user,,jqfmt=vfsv0       0       1

#/dev/sda1      /       ext4    errors=remount-ro,relatime,discard,usrjquota=quota.user,,jqfmt=vfsv0 0 1

/dev/sda2       /home   ext4    defaults,relatime,discard       1       2

/dev/sda3       swap    swap    defaults        0       0

proc            /proc   proc    defaults                0       0

sysfs           /sys    sysfs   defaults                0       0

tmpfs           /dev/shm        tmpfs   defaults        0       0

devpts          /dev/pts        devpts  defaults        0       0


Thanks for your help ! 

Cheers ! :)

From: Angel Rodriguez at: 2017-05-22 00:30:08

From: David Bucknell at: 2017-02-26 19:43:50 Check page 2 of the tutorial. If you are running on virtual private server you might need to create a symbolic link to the mount point and make it resilient to rebooting. I had the same problem a few months ago when setting up my server.


Hope this helps. Das Medium

From: uniQ at: 2016-05-24 13:21:48

Hi, does anyone here know how to sign my ISPConfig webinterface with letsencrypt? I tried to create a certificate manually but it returned with an error saying "Domain:

Type: unauthorized

Detail: Invalid response from


"<!DOCTYPE html>

<html lang="en-US" prefix="og: fb:">


<meta charset="UTF-8">"

From: uniQ at: 2016-05-25 07:09:22

Jesse Norell posted this in another thread, which actually works:[CODE]/root/.local/share/letsencrypt/bin/letsencrypt auth --text --agree-tos --authenticator webroot --server --rsa-key-size 4096 --email [email protected]`hostname -d` --domains `hostname -f` --webroot-path /usr/local/ispconfig/interface/acme

dt=`date '+%Y%m%d%H%M%S'`

cd /usr/local/ispconfig/interface/ssl/

for ext in csr key crt; do if [ -f ispserver.$ext ]; then mv ispserver.$ext ispserver.$ext.old.$dt; fi; done

ln -s /etc/letsencrypt/live/`hostname -f`/privkey.pem ispserver.key

ln -s /etc/letsencrypt/live/`hostname -f`/fullchain.pem ispserver.crt

service apache2 restart[CODE]

From: Keldan at: 2016-05-24 15:11:33

By default, fail2ban and IspConfig don't use UFW to ban/unban IP or create Firewall rules. This parameter can be change into Sytem Tab > Server Config for ISPC. But for fail2ban ? Directly into a .conf file ? Or IspConfig configure fail2ban automatically ?


From: till at: 2016-05-24 15:16:55

Fail2ban is active automatically and there is no additional configuration required then what is written in this tutorial.

From: mzips at: 2016-06-01 04:37:58

Pleas Update the Lets Encrypt part withe CertBot


From: webhunter at: 2016-06-03 20:35:14

Hm, installation completed but postfix throws an error:

"fatal: no SASL authentication mechanisms"

I followed the instructions step by step. ISPConfig is working fine.  But e-mails do not work..

Any suggestions?

Thank you!

From: NixXxon at: 2016-06-06 08:54:35


thank you for the great guide - worked fine on a virtual machine on my laptop BUT on my V-Server i get the following error:

Failed to read /proc/cmdline. Ignoring: No such file or directory

Failed to get D-Bus connection: Unknown error -1


I googled and read something about a bug in debian with sysvinit and upstart ( but I'm not really pro and not sure if that REALLY related to my problem.


I really hope you can help me out?!


Thanks in advance,


From: marcel at: 2016-06-07 09:45:56

On the PHP code is not being executed. It shows me the code insteadt. is working.


From: jrodgers at: 2016-06-09 20:52:40

The command apt-get install libapache2-mod-fastcgi php5-fpm won't run without adding contrib and non-free after main in the sources list. 

From: till at: 2016-06-10 06:46:42

Correct, and that's why step 5 of the tutorial how you how to do that.

From: Michael at: 2016-06-14 20:16:04

Lets Encrypt ist out of date can you Fix it that was very nice.

From: ralf at: 2016-06-22 23:55:16

Irgent etwas scheint bei der roundcube install nicht zu stimmen. Beim aufrufen nach der ispconfig 3.1 install kommt nur das:

/ // include environment require_once 'program/include/iniset.php'; ... etc gibt es da schon eine lösung?

From: ricardo sanchez at: 2016-07-17 17:51:13

Hi following this, It presents error in the receipt of email. since rouncube send email but not receive. and to verify the email address out error [[email protected] - Result: Bad] and this other [This is an Automatically generated Delivery Status NotificationTHIS IS A WARNING MESSAGE ONLY.YOU DO NOT NEED TO RESEND YOUR MESSAGE.Delivery to the following recipient has-been delayed:      [email protected] will be retried for 0 more day (s)Technical details of temporary failure:The recipient server did not accept our requests to connect. Learn more at[ socket error]]

From: ricardo sanchez at: 2016-07-19 22:27:17

Hi following this, It presents error in the receipt of email. since rouncube send email but not receive. and to verify the email address out error [[email protected] - Result: Bad] and this other [This is an Automatically generated Delivery Status NotificationTHIS IS A WARNING MESSAGE ONLY.YOU DO NOT NEED TO RESEND YOUR MESSAGE.Delivery to the following recipient has-been delayed:      [email protected] will be retried for 0 more day (s)Technical details of temporary failure:The recipient server did not accept our requests to connect. Learn more at[ socket error]]

Some solution to receive mail. Thank you

From: Shafeek at: 2016-07-20 09:48:33

For Roundcube to work with or, Need to add the following to /etc/apache2/conf-enabled/roundcube.conf  under <Directory /var/lib/roundcube/>

AddType application/x-httpd-php .php

Else it displays the php code directly as text instead of roundcube login page. 


From: Carlos Nogueira at: 2016-07-28 21:34:14

This is basic but missing dialog pakage in my server, install before 8....

From: ricardo sanchez at: 2016-07-31 16:21:44

Thanks, solved

The detail is here [...] nano /etc/postfix/

From: Ainer Roll at: 2016-08-17 17:21:06

Works fine but.... I tried to install the ISPConfig Roundcube plugin with tutorial "RoundCube webmail installation on Debian 8", but that does'nt work.  Can you please expand this tutorial ? Thanks


From: mike at: 2016-09-06 19:22:46

hey there! good tutorial.i've did all the steps in this tutorial but when i go in my /webmail (roundcube) i am unable to send mails. after that i went to this tutorial and created the roundcube remote user in ISP exactly as described.

A peak into phpadmin tells me the remote user 'roundcube' has the rights he needs. Naturally i created a new domain and mailbox in ISP3 under 'Email'.

Now if i go into /webmail and try to send an email roundcube keeps loading. no error.Kind regards!

From: Edgar at: 2016-09-09 00:44:01

Hi, I have a problem, if I send emails from the command line, it works, but, if sending mail from roundcube appears errror "SMTP Error (454): Could not establish recipient (4.7.1 Relay access denied)."

The postconf -n is:

alias_database = hash:/etc/aliases

alias_maps = hash:/etc/aliases

append_dot_mydomain = no

biff = no

config_directory = /etc/postfix

html_directory = /usr/share/doc/postfix/html

inet_interfaces = all

mailbox_command = procmail -a "$EXTENSION"

mailbox_size_limit = 0

mua_client_restrictions =

mydestination =,, , localhost

myhostname =

mynetworks = [::ffff:]/104 [::1]/128

myorigin = /etc/mailname

readme_directory = /usr/share/doc/postfix

recipient_delimiter = +

relayhost =

smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)

smtpd_recipient_restrictions =

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination

smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem

smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key

smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

smtpd_use_tls = yes


Thank you very much for the help

From: MasterBotWeb at: 2016-10-17 07:39:39


In your configuration "inet_protocol" is missing, set is ipv4 and try again. Thank you.

From: computerwuffi at: 2016-09-19 18:20:44


I unfortunately installed the wrong version of jailkit. How can I update this? Can I now just repeat all the steps of this tutorial with the correct version or do I have to uninstall anything? If so, how do I do that?

Could you help me fix this?


From: Blake at: 2016-09-21 20:32:46

Hi, I have followed the guide exactly, but when I type in it takes me to a text page that starts with <?php

/* +-------------------------------------------------------------------------+ | Roundcube Webmail IMAP Client | | Version 1.1.5 | | | | Copyright (C) 2005-2015, The Roundcube Dev Team | | | | This program is free software: you can redistribute it and/or modify | | it under the terms of the GNU General Public License (with exceptions | | for skins & plugins) as published by the Free Software Foundation, | | either version 3 of the License, or (at your option) any later version.

From: Francesco at: 2016-09-27 13:37:07

hi, it's possibile install PHP 7 instead of 5?

it's recommended per ISPConfig?

From: till at: 2016-09-27 13:40:19

You can install PHP 7 as additional PHP version:

From: Androbot at: 2016-09-27 16:42:57

Hey, can i use Webmin instead of ISPConfig?

From: till at: 2016-09-27 16:53:47

You can use Webmin, but Webmin is just a visual config file editor and not a Hosting control panel and all the "glue" to use the services together is done by the ispconfig installer and the ispconfg panel, so using this setup without ispconfig makes not much sense as you have just a bunch of unconfigured services then.

From: Androbot at: 2016-09-28 06:08:32

Ah ok, Thank you i think i will take ISPConfig.

But what do you think about Nginx? Is it better than Apache?

From: Piotr at: 2016-09-29 11:10:40

I got SEC_ERROR_UNKNOWN_ISSUER for this ssl encryption of isp login site

From: till at: 2016-09-29 11:19:09

That's ok and not an error. It just means that you are using a self-signed SSL certificate.

From: Baptiste at: 2016-10-02 19:02:49

After selecting no on the let's encrypt screen, I got "Please specify --domains, or --installer that will help in domain names autodiscovery" and then back to command line #[email protected]: /opt/certbot#Is that it or something's gone wrong?

From: Michal at: 2016-10-07 06:28:23



Thanks for this instructions.

I found issue with using RoundCube:

I have 2 customers with domain-1.tld and domain-2.tld

when i login to webmail [email protected] account and i add additional identity (email allies) [email protected] i can sent emails as someone else / from different domain.

Is ther way to block this and allow sending emails only from domains that are assigned in ISP to this domain / account?


As this looks like potential source of spam / phishing it will be superb to block this





From: till at: 2016-10-07 06:46:22

Sending an email with RoundCube requires a correctly authenticated email user, so there is no way that an external person can send spam or phising emails. Only your mail users can send an email.


Webmail and other local installed software on your server can send with any from address as it connects to localhost on your server and localhost is in mynetworks. If you don't want to be able to use different from addresses, then configure your webmail application to connect to the external server IP and to use the username and password of the user to authenticate itself to postfix plus enable in the ispconfig under system > server config > mail "Reject sender and login mismatch".

From: robi1kenobi at: 2016-10-25 19:08:41


When I type, I get apache default page. I tried changing port to 2083, same thing.

Please help, what to do?


From: freegate at: 2016-10-29 12:19:20


I can not receive email. Still, I can send.

I have carefully followed the tutorial. Apparently others have had the same problem but did not share the solution.

An idea of resolution?


From: till at: 2016-10-29 12:47:24

The most likely reason is that your ISP blocks sending, so that's not a problem on your server. The setup is working fine and needs no midifications. If you need help, post your issue in the forum together with a log excerpt of the mail.log file.

From: freegate at: 2016-10-29 22:51:13

I found the problem.

By default, setup of "" : inet_interfaces = loopback-only

I changed : inet_interfaces = all

It's ok now.

From: hitodev at: 2016-10-29 13:49:47


No need to create remote user in IspConfig for Roundcub ?

From: till at: 2016-10-29 14:03:14

There is no remote user needed. Roundcube connects directly to postfix and dovecot.

From: John at: 2016-11-04 07:17:48

i have error on HHVM:

[email protected]:/opt/certbot# sudo apt-get install hhvm

Reading package lists... Done

Building dependency tree       

Reading state information... Done

E: Unable to locate package hhvm

[email protected]:/opt/certbot#

From: KSB at: 2016-11-07 19:57:43

 Linux quota v2 files (kernel 2.4+) should be called aquota.user and

From: SimonGilli at: 2016-11-11 12:28:03

Hi Till, thanks for the next great guide! As in the older versions you install ntp and ntpdate. At the debian package description of ntpdate is written there's no need for ntpdate if ntp is installed. ntpdate is for the use on computers which aren't always online like laptops. Is there an other reason to install this package?

From: till at: 2016-11-11 13:32:01

I was not aware of that, so we probably don't need ntpdate then.

From: remifr at: 2016-11-13 08:52:14

Is it normal that there is no rule added to iptables with fail2ban ? Usually I see all the policies that we have in jail.local but when I type "iptables -L" I see nothing. Nothing in fail2ban logs.

# iptables -LChain INPUT (policy ACCEPT)target     prot opt source               destinationChain FORWARD (policy ACCEPT)target     prot opt source               destinationChain OUTPUT (policy ACCEPT)target     prot opt source               destination

From: remifr at: 2016-11-13 09:31:34

Ignore my previous comment, I had missing filters and logs weren't saying anything about it. I saw in "service fail2ban status"

From: Thibaut at: 2016-11-23 03:43:46

Regarding the installation of XCache:

PHP 5.5+ comes with OPcache out of the box. Following this guide installed PHP Version 5.6.27-0+deb8u1 with opcache enabled by default.

Having both cache mechanisms enabled at the same time can result in unpredictable behaviour.In my case I mainly experimented two weird situations:

 - some DokuWiki web sites would not render properly, in an apparent random manner. After being moved to another virtual host, they'd still use their "old" root path.

 - a Piwik installation would render blank pages when trying to access website's statistics.

One information that led me to the conclusion that the cache mechanisms were involved was a PHP error reported in the logs containing the following:

stderr: PHP message: PHP Fatal error:  Cannot redeclare class ...

As OPcache is now incorporated by Zend into the standard PHP installation I decided to completely disable XCache. This can be done by commenting out all lines in /etc/php5/fpm/conf.d/20-xcache.ini by typing a semicolon (;) at the start of each line. Then restarting the services:

> nano /etc/php5/fpm/conf.d/20-xcache.ini Put a semicolon (;) at the start of EACH LINE > service php5-fpm restart > service apache2 restart

It also seems possible to disable XCache on a directory basis by creating a .user.ini file containing xcache.cacher=0 in the targeted directory. I didn't try this, but here is a google groups reference.

Maybe the installation of XCache should be made optional (and not recommended) based on this fact ?

Anyway, I hope this info might come handy to some readers in case they experiment the same issues I've been facing.

Best regards.

From: Thomas at: 2016-11-24 09:08:54

Thanks for that wonderful "walk to heaven"Everything was working like a charm..Thanks for your time doing this wonderful tutorial..

From: kurt at: 2016-12-01 14:57:13

Thank you for the great tutorial. Everything works fine. I added several sites and mail accounts on my test vps server. 

But one thing does not work:

When I try to connect my mail client (mail on Mac or on my Android pad) as IMAP or POP

The answer is :

"impossible to verify name or pwd of the account"


anybody an idea what's wrong ?

From: elbaze at: 2016-12-05 17:03:36

Hello, i did everything and i added a prestashop but i have an error 500 (without any error in front office) but i have this in syslog

Dec  5 17:58:55 vps348302 kernel: [  713.374706] traps: php-cgi[2317] general protection ip:70802d sp:7ffed40b1310 error:0 in php5-cgi[400000+7ed000]


any idea ? 

From: Leandro at: 2016-12-05 21:29:16

Como faço para instalar o wordpress e o Mautic

From: elplubio at: 2016-12-10 09:28:18


I've installed twice to be sure not missing something in tuto.

When checking Let's Encrypt and save in ISPConfig pannel, certificate is well asked and furbish but only for last let's encrypt domaine activated in ISPConfig pannel (even the check box (ssl + let's encrypt) are gone on all domaine exept last configurated one).

So if I need certificate for three site, only the last configurated one will work in https.

The only difference from tuto is that my server is behind a NAT (port 80,443,8080 are of course forwarded).

Any guidline or help would be appreciate.Perhaps a stupid question, but why don't we use let's encrypt install from debian repository?


From: Jackouille-ch at: 2016-12-21 21:47:27

Hi Till,

I am performing a new install with Jessie and I am stuck on step 8:

mail1:~# apt-get install postfix postfix-mysql postfix-doc mariadb-client mariadb-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve dovecot-lmtpd sudoReading package lists... DoneBuilding dependency treeReading state information... Doneopenssl is already the newest version (1.0.2j-1).openssl set to manually installed.Some packages could not be installed. This may mean that you haverequested an impossible situation or if you are using the unstabledistribution that some required packages have not yet been createdor been moved out of Incoming.The following information may help to resolve the situation:The following packages have unmet dependencies: mariadb-client : Depends: mariadb-client-10.0 (>= 10.0.28-0+deb8u1) but it is not going to be installed mariadb-server : Depends: mariadb-server-10.0 (>= 10.0.28-0+deb8u1) but it is not going to be installedE: Unable to correct problems, you have held broken packages.

Trying with mysql:

mail1:~# apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve dovecot-lmtpd sudoReading package lists... DoneBuilding dependency treeReading state information... Doneopenssl is already the newest version (1.0.2j-1).openssl set to manually installed.Some packages could not be installed. This may mean that you haverequested an impossible situation or if you are using the unstabledistribution that some required packages have not yet been createdor been moved out of Incoming.The following information may help to resolve the situation:The following packages have unmet dependencies: mysql-client : Depends: mysql-client-5.5 but it is not going to be installed mysql-server : Depends: mysql-server-5.5 but it is not going to be installedE: Unable to correct problems, you have held broken packages.

What should I change ?

From: Jackouille-ch at: 2017-01-11 19:41:50

Ok root cause has been found: while selecting the last Debian release I took a beta one. So this is a normal behaviour.

I also reinstall with Official Jessie and everything's went fine!

Great Tuto, many thanks

From: sim at: 2016-12-23 13:40:46

hi thank you for your great tutorial, i've confegured everything as said all works but when i creat a mailbox as a client from ispconfig i can't access to it i got the error connexion fails can you help me please

From: Jörg at: 2017-01-17 20:54:46

Why do you install HHVM? It will not be activated in this How-To. Or did I miss something?

From: David at: 2017-02-08 10:44:16

quotacheck on virtual server:

From: David at: 2017-02-08 10:46:30

Quotacheck on virtual server fails.

Solution is on another howtoforge post:

From: Kris at: 2017-02-09 12:06:27

How to upgrade roundcube from 1.1.5 to 1.3 beta?

From: nancylettuce at: 2017-02-15 04:34:25

I completed this setup in a Devuan 1.0.0 Beta2 (a forge from Debian 8 Jessie with no systemd) server, and I post here for others to follow. As to date I have installed Devuan in a couple dozen machines, and I have had no issues.

I added backports for HHVM and Roundcube, as adviced in this howto.

It went all flawlessly, until I arrived to IspConfig itself (step 21: php -q install.php), which refused to install as it could not find a known distribution, so I edited/created next files in order to make it think this was a Debian 8 server:


/etc/issueDebian GNU/Linux 8 \n \l

/etc/debian_versionPRETTY_NAME="Debian GNU/Linux 8 (jessie)"NAME="Debian GNU/Linux"VERSION_ID="8"VERSION="8 (jessie)"ID=debianANSI_COLOR="1;31"HOME_URL=""SUPPORT_URL=""BUG_REPORT_URL=""

then again:

# php -q install.php

And the installation went on. No problems.

From: nopnop at: 2017-03-01 12:04:26

.htaccess /.htpasswd doesn't seems to be activated

How Can I do this please ?


thank you

From: till at: 2017-03-01 12:07:02

The websites are alls et to AllowOverrideAll by default in ISPConfig, so you can use .htaccess and .htpasswd i a website that you created in ISPConfig without any additional configuration.

From: nopnop at: 2017-03-01 13:34:07

I try this tutorial on debian 8.7.1

here is my /etc/apache2/apache2.conf 


<Directory /var/www/>

        Options Indexes FollowSymLinks MultiViews

        AllowOverride None

        Order allow,deny

        allow from all



why .htacces is not working ? any idea please


thank you

From: till at: 2017-03-01 13:52:27

You are looking in the wrong config file. The configuration of a website in ISPConfig is in the file /etc/apache2/sites-available/yourdomain.tld.vhost. Just create a website in ISPConfig and upload it to /var/www/yourdoamin.tld/web/. In the /var/www/yourdoamin.tld/web/ directory you can use .htaccess and .htpasswd files and you can even manage and create them from within ISPConfig. If you need further help, please post in the forum.

From: David Bucknell at: 2017-03-15 02:08:20

In ISPCONFIG, how can we see what amavis is doing? Or how do we find it on the server? When I do a status check on amavis it says disabled, dead -- just like spam assassin, which was intentionally disabled:

The ISPConfig 3 setup uses amavisd which loads the SpamAssassin filter library internally, so we can stop SpamAssassin to free up some RAM:

service spamassassin stopsystemctl disable spamassassin

From: till at: 2017-03-15 07:50:33

Take a look into the mail log file /var/log/mail.log

From: Peter at: 2017-03-22 06:09:58


none of my sites is using hhvm, but I see one hhvm process which is consuming RAM. Is it safe do purge hhvm from the system?


From: till at: 2017-03-22 07:35:46

You can remove HHVM, it is an optional component.

From: Singh at: 2017-03-26 11:25:42

Is there any complete tutorial on Metronome, which includes, DNS setup, web interface , firewall rules etc ??

From: Scott at: 2017-04-05 20:47:22

Thanks for the tutorial.

A few problems;- In the tutorial, you use a systemd dependent command yet you don't tell people to install this (you should update it so it works for a clean installed Debian).- When getting to the point where you actually install ISPConfig (php -q install.php), systemd can break the installation (maybe you should change the systemd dependent command in the tutorial?).- phpmyadmin doesn't seem to work for me on a clean installation of debian. I simply get a 404 when going to the phpmyadmin page and I tried reconfiguring it and even reinstalling it, yet its still not working (any tips so I can get it working?).

From: till at: 2017-04-06 06:22:58

Thank you for your report. I tested the whole tutorial again and everything works out f the box, I used a clean and empty Debian system as described here as basis and nothing is missing and PHPMyAdmin works as well. ISPConfig is using systemd on Debian 8 and Systemd is the default init system on Debian 8 today, that's why it is always installed when you install a base image as outlined in the Debian 8 minimal tutorial. The problems you reported are specific to your Debian base image where someone removed packages that are part of each standard Debian 8 system. Regarding PHPMyAdmin, ensure that you access it on port 80 and not 8080, you might have to adjust the link under System > Server config and ensure that you really enabled PHPMyAdmin to be configured for apache during install, enabling an option in apt is done with the tab key, it is not enough to put the focus on that option with the arrow keys.

From: jojos at: 2017-04-13 20:39:36

22.1 OpenVZ ... You lost me here. the whole tutorial is clear but this part I don't understand. And I am on a Vm :'(

From: Vaa at: 2017-06-09 16:36:35

When running mount -o remount / I get "unable to find UUID=3dc3b58d-97e5-497b-8254-a913fdfc5408"

From: till at: 2017-06-11 11:33:19

The tutorial told you to add just the quota part to the mount line of the / moountpoint;

"Edit /etc/fstab. Mine looks like this (I added ,usrjquota=quota.user,,jqfmt=vfsv0 to the partition with the mount point /)"

and not to add the whole line or change the ID of the mountpoint.

From: Champs at: 2017-06-10 00:32:27

Followed the tutorial and everything worked a treat. Thank you so much.....

But, when I installed WordPress, I lost access to stats, phpmyadmin etc.

Can you advise me what file I need to edit to get access again.

From: Ray at: 2017-06-16 01:59:01

I am not receiving email from my yahoo or other email accounts.... I know that I can't send mail unless I use a relay, but is this also true for receiving? My DNS has an mx record @ pointing to the FQDN and an A record for the localhost.localdomain.tld set at @.

Third clean install with no success.

From: till at: 2017-06-16 06:54:20

Please post your support question in the forum and not the comments of the tutorial if you like to get help. That you don't receive email does not necessarily mean that there is a problem with the server setup, so it is likely that a reinstall will not fix it.

From: MikyTux at: 2017-07-09 16:33:47

Update Let's

/root/.local/share/letsencrypt/bin/letsencrypt -n renew

You are running with an old copy of letsencrypt-auto that does not receive updates, and is less reliable than more recent versions. We recommend upgrading to the latest certbot-auto script, or using native OS packages.

How to fix it?Thanks

From: Leon G at: 2017-07-12 13:45:46

For some reason my browser says that the website is insecure, even though I enabled SSL for the installation and followed the steps with certbot. 

From: quaz22 at: 2017-09-26 23:01:06


After the upgrade debian 8.9

I had to install some other packages because otherwise received errors.(packets: dialog and libwww-perl)

I have problem with mailman and RKhunter.Problems with RKhunter solved but not with mailman - not working - not working - not working 1. cgi enabled 2. mailman runing 3. everything according to the tutorial. Something in these tutorials is wrong?

From: till at: 2017-09-27 06:31:05

Probably an issue with your upgrade. Mailman works fine here on a freshly installed system with this tutorial.

From: quaz22 at: 2017-09-27 19:02:50

I have no influence on the Debian version - Debian 8 Minimal

Freshly installed system plus upgrade = 8.9 and tutorial

The only thing I added was the dialog and libwww-perl packages

I also did not change sources.list

deb jessie main contrib non-free

deb jessie-updates main contrib non-free

deb jessie/updates main contrib non-free

Can it affect?

From: Mike at: 2017-10-31 22:36:21

I followed this process (but swapped out ISPConfig 3 for the current stable 3.1.7). After install, the control panel HTTPS is not secure with SSL (i.e. red in address bar). How can I overcome this?

From: ampsys56 at: 2018-02-25 20:56:32

Regarding the Metronome option stuff - You MUST have 'make' installed (apt-get -y install make) prior to running those steps or the build will fail.

From: pat at: 2018-02-28 21:25:40

first..thanks again for ispconfig etc.second; i have done 2 fresh installs following this tutorial in the last month. both times, when it comes to first log in on ispconfig dashboard..usr admin pass admin does not work to gain access to dashboard. i have to reset the admin password as described here least that has been my experience on 2 recent cut and paste installs.thanks again.