The Perfect Server - Debian 8.4 Jessie (Apache2, BIND, Dovecot, ISPConfig 3.1)

This tutorial shows how to prepare a Debian Jessie server (with Apache2, BIND, Dovecot) for the installation of ISPConfig 3.1, and how to install ISPConfig. The webhosting control panel ISPConfig 3 allows you to configure the following services through a web browser: Apache or nginx web server, Postfix mail server, Courier or Dovecot IMAP/POP3 server, MySQL, BIND or MyDNS nameserver, PureFTPd, SpamAssassin, ClamAV, and many more. This setup covers Apache (instead of nginx), BIND, and Dovecot (instead of Courier).

1 Preliminary Note

In this tutorial I will use the hostname with the IP address and the gateway These settings might differ for you, so you have to replace them where appropriate. Before proceeding further you need to have a minimal installation of Debian 8. This might be a Debian minimal image from your hosting provider, or you can use the Minimal Debian Server tutorial to set up the base system.

What's new in this version of the tutorial?

  • Support for the new ISPConfig 3.1 features.
  • Support for Let's Encrypt SSL certificates.
  • Support for HHVM (HipHop Virtual Machine) to run PHP scripts.
  • Support for XMPP (Metronome).
  • Support for EMail Greylisting with Postgrey.
  • UFW as Firewall to replace Bastille.
  • RoundCube Webmail instead of Squirrelmail.

2 Install the SSH server (Optional)

If you did not install the OpenSSH server during the system installation, you can do it now:

apt-get install ssh openssh-server

From now on you can use an SSH client such as PuTTY and connect from your workstation to your Debian Jessie server and follow the remaining steps from this tutorial.

3 Install a shell text editor (Optional)

We will use the nano text editor in this tutorial. Some users prefer the classic vi editor, therefore we will install both editors here. The default vi program has some strange behavior on Debian and Ubuntu; to fix this, we install vim-nox:

apt-get install nano vim-nox

If vi is your favorite editor, then replace nano with vi in the following commands to edit files.

4 Configure the Hostname

The hostname of your server should be a subdomain like "". Do not use a domain name without a subdomain part like "" as the hostname, as this will cause problems later with your mail setup. First, check the hostname in /etc/hosts and change it if necessary. The line should be: "IP Address - space - full hostname incl. domain - space - subdomain part". For our hostname, the file should look like this:

nano /etc/hosts

      localhost.localdomain   localhost     server1

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Then edit the /etc/hostname file:

nano /etc/hostname

It shall contain only the subdomain part, in our case:


Finally, reboot the server to apply the change:


Log in again and check whether the hostname is now correct with these commands:

hostname -f

The output shall be like this:

[email protected]:/tmp# hostname
[email protected]:/tmp# hostname -f


5 Update Your Debian Installation

First make sure that your /etc/apt/sources.list contains the jessie/updates repository (this makes sure you always get the newest security updates), and that the contrib and non-free repositories are enabled (some packages such as libapache2-mod-fastcgi are not in the main repository).

nano /etc/apt/sources.list

#deb cdrom:[Debian GNU/Linux 8.0.0 _Jessie_ - Official amd64 NETINST Binary-1 20150425-12:50]/ jessie main

deb jessie main contrib non-free
deb-src jessie main contrib non-free

deb jessie/updates main contrib non-free
deb-src jessie/updates main contrib non-free


Run

apt-get update

to update the apt package database, and

apt-get upgrade

to install the latest updates (if there are any).


6 Change the default Shell

/bin/sh is a symlink to /bin/dash; however, we need /bin/bash, not /bin/dash. Therefore we do this:

dpkg-reconfigure dash

Use dash as the default system shell (/bin/sh)? <- no

If you don't do this, the ISPConfig installation will fail.


7 Synchronize the System Clock

It is a good idea to synchronize the system clock with an NTP (network time protocol) server over the Internet. Simply run

apt-get install ntp ntpdate

and your system time will always be in sync.


8 Install Postfix, Dovecot, MySQL, phpMyAdmin, rkhunter, binutils

We can install Postfix, Dovecot, MySQL, rkhunter, and binutils with a single command:

apt-get install postfix postfix-mysql postfix-doc mariadb-client mariadb-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve dovecot-lmtpd sudo

If you prefer MySQL over MariaDB, replace the packages "mariadb-client mariadb-server" in the above command with "mysql-client mysql-server".

You will be asked the following questions:

General type of mail configuration: <-- Internet Site
System mail name: <--
New password for the MariaDB "root" user: <-- yourrootsqlpassword
Repeat password for the MariaDB "root" user: <-- yourrootsqlpassword

To secure the MariaDB / MySQL installation and to disable the test database, run this command:


We don't have to change the MySQL root password as we just set a new one during installation. Answer the questions as follows:

Change the root password? [Y/n] <-- n
Remove anonymous users? [Y/n] <-- y
Disallow root login remotely? [Y/n] <-- y
Remove test database and access to it? [Y/n] <-- y
Reload privilege tables now? [Y/n] <-- y

Next, open the TLS/SSL and submission ports in Postfix:

nano /etc/postfix/

Uncomment the submission and smtps sections as follows and add lines where necessary so that this section of the file looks exactly like the one below.

submission inet n - - - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
[...]

Restart Postfix afterwards:

service postfix restart
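
Postfix treats a line as part of the preceding master.cf entry only when it begins with whitespace, and a commented "# -o" line sets nothing, so a half-uncommented section can leave the submission or smtps service without enforced TLS or SASL authentication. The script below is an added example, not part of the original tutorial: it checks a master.cf for the overrides shown above, and the two sample files embedded in it are constructed for illustration.

```sh
# Added example, not from the tutorial: audit master.cf for the overrides that
# section 8 sets on submission and smtps. Reads the file in $1, or stdin.
audit_master_cf() {
    awk '
    # Record each "-o name=value" token under the current service.
    function parse_opts(line,    t, n, i, eq) {
        n = split(line, t)
        for (i = 1; i < n; i++)
            if (t[i] == "-o" && (eq = index(t[i + 1], "=")) > 0)
                ov[svc, substr(t[i + 1], 1, eq - 1)] = substr(t[i + 1], eq + 1)
    }
    function check(s, name, want) {
        if (!((s, name) in ov))
            printf "%s: %s is not set (want %s)\n", s, name, want
        else if (ov[s, name] != want)
            printf "%s: %s=%s (want %s)\n", s, name, ov[s, name], want
        else
            return
        bad++
    }
    function audit(s, tls_name, tls_want) {
        if (!(s in seen)) { printf "%s: service is not enabled\n", s; bad++; return }
        check(s, tls_name, tls_want)
        check(s, "smtpd_sasl_auth_enable", "yes")
        check(s, "smtpd_client_restrictions", "permit_sasl_authenticated,reject")
    }
    /^[ \t]*#/ { next }                  # comment: "# -o ..." sets nothing
    /^[ \t]*$/ { next }                  # blank line
    /^[ \t]/   { parse_opts($0); next }  # leading whitespace continues an entry
    { svc = $1 "/" $2; seen[svc] = 1; parse_opts($0) }
    END {
        audit("submission/inet", "smtpd_tls_security_level", "encrypt")
        audit("smtps/inet", "smtpd_tls_wrappermode", "yes")
        exit (bad > 0 ? 1 : 0)
    }' "$@"
}

# Constructed sample: both entries as the tutorial configures them.
sample_configured() {
    cat <<'EOF'
submission inet n - - - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
smtps inet n - - - - smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
EOF
}

# Constructed sample: submission only partly uncommented, smtps still disabled.
sample_partial() {
    cat <<'EOF'
submission inet n - - - - smtpd
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#smtps inet n - - - - smtpd
#  -o smtpd_tls_wrappermode=yes
EOF
}

sample_partial | audit_master_cf || echo "master.cf differs from the tutorial"
```

The function prints one line per missing or different setting and returns a non-zero status when it finds any. It only understands the "-o name=value" form used in this tutorial.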

We want MariaDB to listen on all interfaces, not just localhost. Therefore, we edit /etc/mysql/my.cnf and comment out the line bind-address =

nano /etc/mysql/my.cnf

# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address           =

Then we restart MySQL:

service mysql restart

Now check that networking is enabled. Run

netstat -tap | grep mysql

The output should look like this:

[email protected]:/# netstat -tap | grep mysql
tcp6 0 0 [::]:mysql [::]:* LISTEN 16806/mysqld
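
A local address of [::] (or 0.0.0.0) is a wildcard bind, so with bind-address commented out the MariaDB port is reachable from every network the host is attached to unless a firewall, such as the UFW setup this tutorial mentions, restricts it. The following added example is not part of the original tutorial: it reads netstat -tln style output (numeric, unlike the -tap form above) and prints wildcard listeners that are not on an allowlist. The sample output and the allowlist of ports are constructed for illustration.

```sh
# Added example, not from the tutorial: print TCP ports that listen on every
# interface and are not in the allowlist given as $1 (space-separated).
# Reads netstat -tln style lines on stdin; returns 1 if any port is printed.
exposed_listeners() {
    awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 ~ /^tcp/ && $6 == "LISTEN" {
        # Local address is addr:port and the port follows the last colon, so
        # ":::3306" is addr "::" with port "3306".
        n = split($4, part, ":")
        port = part[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        wildcard = (addr == "0.0.0.0" || addr == "::" || addr == "[::]" || addr == "*")
        if (wildcard && !(port in ok) && !(port in shown)) {
            print port
            shown[port] = 1     # tcp and tcp6 may list the same port twice
            found = 1
        }
    }
    END { exit (found ? 1 : 0) }'
}

# Constructed sample of netstat -tln output after bind-address is commented out.
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:10024         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN
tcp6       0      0 :::25                   :::*                    LISTEN
tcp6       0      0 :::3306                 :::*                    LISTEN
EOF
}

sample_netstat | exposed_listeners "22 25 465 587" || echo "review the ports above"
```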


9 Install Amavisd-new, SpamAssassin, and Clamav

To install amavisd-new, SpamAssassin and ClamAV, we run

apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl postgrey

The ISPConfig 3 setup uses amavisd which loads the SpamAssassin filter library internally, so we can stop SpamAssassin to free up some RAM:

service spamassassin stop
systemctl disable spamassassin

9.1 Install Metronome XMPP Server (optional)

This step installs the Metronome XMPP Server, which provides a chat server that is compatible with the XMPP protocol. This step is optional; if you do not need a chat server, you can skip it. No other ISPConfig functions depend on this software.

Add the Prosody package repository in Debian.

echo "deb jessie main" > /etc/apt/sources.list.d/metronome.list
wget -O - | sudo apt-key add -

Update the package list:

apt-get update

and install the packages with apt.

apt-get install git lua5.1 liblua5.1-0-dev lua-filesystem libidn11-dev libssl-dev lua-zlib lua-expat lua-event lua-bitop lua-socket lua-sec luarocks

luarocks install lpc

Add a shell user for Metronome.

adduser --no-create-home --disabled-login --gecos 'Metronome' metronome

Download Metronome to the /opt directory and compile it.

cd /opt; git clone metronome
cd ./metronome; ./configure --ostype=debian --prefix=/usr
make install

Metronome has now been installed to /opt/metronome.


43 Comment(s)



From: David at: 2016-04-29 22:07:09

Hi Folk, why do you install xcache? I would install zend opcache.

From: sannom at: 2016-05-05 20:07:05

hello, I can't install hhvm "failed to fetch   Unable to find entry 'main/binary-armhf/Packages' in release file(wrong sources.list entry or malformed file)   some index files failes to dowload......ect

Could you help me fix this?

From: sannom at: 2016-05-05 21:07:12


I don't know if hhvm is necessary but it doesn't install, so I continue step 11 and 12 but now I have E:package 'libapache2-mod-fastcgi' has no installation candidate

could you help me fix it..

From: till at: 2016-05-15 09:18:12

Check your /etc/apt/sources.list file and ensure that all Debian repositories (main contrib non-free) are active as described in this tutorial.

From: BatteriesInc at: 2016-05-10 17:17:56

Small note: might be worth adding your excellent munin/monit tutorial to this setup, ISPC has support for it.

From: Tim at: 2016-05-10 17:23:13

I went through this whole install and everything works except for roundcube. When I try to login I get "Connection to storage server failed". I have tried removing and reinstalling roundcube, also removed and readded user to ispconfig. Please help

From: corpus at: 2016-05-14 04:43:24

Hello. HHVM is available only for 64bit

From: erama at: 2016-05-18 21:44:42

Thank you! You are genius. Always do you help me with the best tutorials.

From: Ritooon at: 2016-05-19 22:16:45

Hi ! 

First, thanks for the tutorial ! 

I have an error at the 14th step, when I try to modify fstab

I do it, then use the next command (mount -o remount /) and then the next (quotacheck -avugm), that give me an error : 

quotacheck: Cannot stat() mounted device /dev/root: Aucun fichier ou dossier de ce type

quotacheck: Cannot find filesystem to check or filesystem not mounted with quota option.


This is my file : 


# <file system> <mount point>   <type>  <options>       <dump>  <pass>

/dev/sda1       /       ext4    errors=remount-ro,relatime,discard,usrjquota=quota.user,,jqfmt=vfsv0       0       1

#/dev/sda1      /       ext4    errors=remount-ro,relatime,discard,usrjquota=quota.user,,jqfmt=vfsv0 0 1

/dev/sda2       /home   ext4    defaults,relatime,discard       1       2

/dev/sda3       swap    swap    defaults        0       0

proc            /proc   proc    defaults                0       0

sysfs           /sys    sysfs   defaults                0       0

tmpfs           /dev/shm        tmpfs   defaults        0       0

devpts          /dev/pts        devpts  defaults        0       0


Thanks for your help ! 

Cheers ! :)

From: uniQ at: 2016-05-24 13:21:48

Hi, does anyone here know how to sign my ISPConfig webinterface with letsencrypt? I tried to create a certificate manually but it returned with an error saying "Domain:

Type: unauthorized

Detail: Invalid response from


"<!DOCTYPE html>

<html lang="en-US" prefix="og: fb:">


<meta charset="UTF-8">"

From: uniQ at: 2016-05-25 07:09:22

Jesse Norell posted this in another thread, which actually works:

/root/.local/share/letsencrypt/bin/letsencrypt auth --text --agree-tos --authenticator webroot --server --rsa-key-size 4096 --email postmaster@`hostname -d` --domains `hostname -f` --webroot-path /usr/local/ispconfig/interface/acme

dt=`date '+%Y%m%d%H%M%S'`

cd /usr/local/ispconfig/interface/ssl/

for ext in csr key crt; do if [ -f ispserver.$ext ]; then mv ispserver.$ext ispserver.$ext.old.$dt; fi; done

ln -s /etc/letsencrypt/live/`hostname -f`/privkey.pem ispserver.key

ln -s /etc/letsencrypt/live/`hostname -f`/fullchain.pem ispserver.crt

service apache2 restart

From: Keldan at: 2016-05-24 15:11:33

By default, fail2ban and IspConfig don't use UFW to ban/unban IP or create Firewall rules. This parameter can be changed in System Tab > Server Config for ISPC. But for fail2ban? Directly in a .conf file? Or does IspConfig configure fail2ban automatically?


From: till at: 2016-05-24 15:16:55

Fail2ban is active automatically and there is no additional configuration required than what is written in this tutorial.

From: mzips at: 2016-06-01 04:37:58

Please update the Let's Encrypt part with CertBot


From: webhunter at: 2016-06-03 20:35:14

Hm, installation completed but postfix throws an error:

"fatal: no SASL authentication mechanisms"

I followed the instructions step by step. ISPConfig is working fine.  But e-mails do not work..

Any suggestions?

Thank you!

From: NixXxon at: 2016-06-06 08:54:35


thank you for the great guide - worked fine on a virtual machine on my laptop BUT on my V-Server i get the following error:

Failed to read /proc/cmdline. Ignoring: No such file or directory

Failed to get D-Bus connection: Unknown error -1


I googled and read something about a bug in debian with sysvinit and upstart ( but I'm not really pro and not sure if that REALLY related to my problem.


I really hope you can help me out?!


Thanks in advance,


From: marcel at: 2016-06-07 09:45:56

On the PHP code is not being executed. It shows me the code instead. is working.


From: jrodgers at: 2016-06-09 20:52:40

The command apt-get install libapache2-mod-fastcgi php5-fpm won't run without adding contrib and non-free after main in the sources list. 

From: till at: 2016-06-10 06:46:42

Correct, and that's why step 5 of the tutorial shows you how to do that.

From: Michael at: 2016-06-14 20:16:04

Let's Encrypt is out of date, can you fix it? That would be very nice.

From: ralf at: 2016-06-22 23:55:16

Something seems to be wrong with the Roundcube install. When I open it after the ISPConfig 3.1 install, all I get is this:

/ // include environment require_once 'program/include/iniset.php'; ... etc. Is there a solution for this yet?

From: ricardo sanchez at: 2016-07-17 17:51:13

Hi, following this, it presents an error in the receipt of email, since Roundcube sends email but does not receive. And to verify the email address out error [[email protected] - Result: Bad] and this other [This is an Automatically generated Delivery Status Notification. THIS IS A WARNING MESSAGE ONLY. YOU DO NOT NEED TO RESEND YOUR MESSAGE. Delivery to the following recipient has been delayed: [email protected] will be retried for 0 more day (s) Technical details of temporary failure: The recipient server did not accept our requests to connect. Learn more at[ socket error]]

From: ricardo sanchez at: 2016-07-19 22:27:17

Hi, following this, it presents an error in the receipt of email, since Roundcube sends email but does not receive. And to verify the email address out error [[email protected] - Result: Bad] and this other [This is an Automatically generated Delivery Status Notification. THIS IS A WARNING MESSAGE ONLY. YOU DO NOT NEED TO RESEND YOUR MESSAGE. Delivery to the following recipient has been delayed: [email protected] will be retried for 0 more day (s) Technical details of temporary failure: The recipient server did not accept our requests to connect. Learn more at[ socket error]]

Some solution to receive mail. Thank you

From: Shafeek at: 2016-07-20 09:48:33

For Roundcube to work with or, Need to add the following to /etc/apache2/conf-enabled/roundcube.conf  under <Directory /var/lib/roundcube/>

AddType application/x-httpd-php .php

Else it displays the php code directly as text instead of roundcube login page. 


From: Carlos Nogueira at: 2016-07-28 21:34:14

This is basic but missing dialog package in my server, install before 8....

From: ricardo sanchez at: 2016-07-31 16:21:44

Thanks, solved

The detail is here [...] nano /etc/postfix/

From: Ainer Roll at: 2016-08-17 17:21:06

Works fine but.... I tried to install the ISPConfig Roundcube plugin with tutorial "RoundCube webmail installation on Debian 8", but that doesn't work. Can you please expand this tutorial? Thanks


From: mike at: 2016-09-06 19:22:46

Hey there! Good tutorial. I did all the steps in this tutorial but when I go in my /webmail (roundcube) I am unable to send mails. After that I went to this tutorial and created the roundcube remote user in ISP exactly as described.

A peek into phpadmin tells me the remote user 'roundcube' has the rights he needs. Naturally I created a new domain and mailbox in ISP3 under 'Email'.

Now if I go into /webmail and try to send an email roundcube keeps loading. No error. Kind regards!

From: Edgar at: 2016-09-09 00:44:01

Hi, I have a problem: if I send emails from the command line, it works, but if sending mail from roundcube, the error "SMTP Error (454): Could not establish recipient (4.7.1 Relay access denied)." appears.

The postconf -n is:

alias_database = hash:/etc/aliases

alias_maps = hash:/etc/aliases

append_dot_mydomain = no

biff = no

config_directory = /etc/postfix

html_directory = /usr/share/doc/postfix/html

inet_interfaces = all

mailbox_command = procmail -a "$EXTENSION"

mailbox_size_limit = 0

mua_client_restrictions =

mydestination =,, , localhost

myhostname =

mynetworks = [::ffff:]/104 [::1]/128

myorigin = /etc/mailname

readme_directory = /usr/share/doc/postfix

recipient_delimiter = +

relayhost =

smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)

smtpd_recipient_restrictions =

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination

smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem

smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key

smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

smtpd_use_tls = yes


Thank you very much for the help

From: MasterBotWeb at: 2016-10-17 07:39:39


In your configuration "inet_protocol" is missing, set it to ipv4 and try again. Thank you.

From: computerwuffi at: 2016-09-19 18:20:44


I unfortunately installed the wrong version of jailkit. How can I update this? Can I now just repeat all the steps of this tutorial with the correct version or do I have to uninstall anything? If so, how do I do that?

Could you help me fix this?


From: Blake at: 2016-09-21 20:32:46

Hi, I have followed the guide exactly, but when I type in it takes me to a text page that starts with <?php

/* +-------------------------------------------------------------------------+ | Roundcube Webmail IMAP Client | | Version 1.1.5 | | | | Copyright (C) 2005-2015, The Roundcube Dev Team | | | | This program is free software: you can redistribute it and/or modify | | it under the terms of the GNU General Public License (with exceptions | | for skins & plugins) as published by the Free Software Foundation, | | either version 3 of the License, or (at your option) any later version.

From: Francesco at: 2016-09-27 13:37:07

Hi, is it possible to install PHP 7 instead of 5?

Is it recommended for ISPConfig?

From: till at: 2016-09-27 13:40:19

You can install PHP 7 as additional PHP version:

From: Androbot at: 2016-09-27 16:42:57

Hey, can i use Webmin instead of ISPConfig?

From: till at: 2016-09-27 16:53:47

You can use Webmin, but Webmin is just a visual config file editor and not a Hosting control panel and all the "glue" to use the services together is done by the ispconfig installer and the ispconfig panel, so using this setup without ispconfig makes not much sense as you have just a bunch of unconfigured services then.

From: Androbot at: 2016-09-28 06:08:32

Ah ok, Thank you i think i will take ISPConfig.

But what do you think about Nginx? Is it better than Apache?

From: Piotr at: 2016-09-29 11:10:40

I got SEC_ERROR_UNKNOWN_ISSUER for this ssl encryption of isp login site

From: till at: 2016-09-29 11:19:09

That's ok and not an error. It just means that you are using a self-signed SSL certificate.

From: Baptiste at: 2016-10-02 19:02:49

After selecting no on the let's encrypt screen, I got "Please specify --domains, or --installer that will help in domain names autodiscovery" and then back to command line [email protected]: /opt/certbot# Is that it or something's gone wrong?

From: Michal at: 2016-10-07 06:28:23



Thanks for these instructions.

I found an issue with using RoundCube:

I have 2 customers with domain-1.tld and domain-2.tld

When I log in to the webmail [email protected] account and add an additional identity (email alias) [email protected], I can send emails as someone else / from a different domain.

Is there a way to block this and allow sending emails only from domains that are assigned in ISP to this domain / account?


As this looks like a potential source of spam / phishing, it would be superb to block this





From: till at: 2016-10-07 06:46:22

Sending an email with RoundCube requires a correctly authenticated email user, so there is no way that an external person can send spam or phishing emails. Only your mail users can send an email.


Webmail and other local installed software on your server can send with any from address as it connects to localhost on your server and localhost is in mynetworks. If you don't want to be able to use different from addresses, then configure your webmail application to connect to the external server IP and to use the username and password of the user to authenticate itself to postfix plus enable in the ispconfig under system > server config > mail "Reject sender and login mismatch".

From: robi1kenobi at: 2016-10-25 19:08:41


When I type, I get apache default page. I tried changing port to 2083, same thing.

Please help, what to do?