The Perfect Server - Debian 8 Jessie (Apache2, BIND, Dovecot, ISPConfig 3)

This tutorial shows how to prepare a Debian Jessie server (with Apache2, BIND, Dovecot) for the installation of ISPConfig 3, and how to install ISPConfig 3. The webhosting control panel ISPConfig 3 allows you to configure the following services through a web browser: Apache or nginx web server, Postfix mail server, Courier or Dovecot IMAP/POP3 server, MySQL, BIND or MyDNS nameserver, PureFTPd, SpamAssassin, ClamAV, and many more. This setup covers Apache (instead of nginx), BIND (instead of MyDNS), and Dovecot (instead of Courier).

1 Preliminary Note

In this tutorial I will use the hostname with the IP address and the gateway These settings might differ for you, so you have to replace them where appropriate. Before proceeding further you need to have a minimal installation of Debian 8. This might be a Debian minimal image from your Hosting provider or you use the Minimal Debian Server Tutorial to setup the base system.

2 Install the SSH server (Optional)

If you did not install the OpenSSH server during the system installation, you can do it now:

apt-get install ssh openssh-server

From now on you can use an SSH client such as PuTTY and connect from your workstation to your Debian Jessie server and follow the remaining steps from this tutorial.

3 Install a shell text editor (Optional)

We will use nano text editor in this tutorial. Some useres prefer the classic vi editor, therefor we will install both editors here. The default vi program has some strange behaviour on Debian and Ubuntu; to fix this, we install vim-nox:

apt-get install nano vim-nox

If vi is your favorite editor, then replace nano with vi in the following commands to edit files.

4 Configure the Hostname

The hostname of your server should be a subdomain like "". Do not use a domain name without subdomain part like "" as hostname as this will cause problems later with your mail setup. First you should check the hostname in /etc/hosts and change it when nescessary. The line should be: "IP Address - space - full hostname incl. domain - space - subdomain part". For our hostname, the file shall look like this:

nano /etc/hosts       localhost.localdomain   localhost     server1

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Then edit the /etc/hostname file:

nano /etc/hostname

It shall contain only the subdomain part, in our case:


Finally reboot the server to apply the change:


Login again and check if the hostname is correct now with these commands:

hostname -f

The output shall be like this:

[email protected]:/tmp# hostname
[email protected]:/tmp# hostname -f


5 Update Your Debian Installation

First make sure that your /etc/apt/sources.list contains the jessie/updates repository (this makes sure you always get the newest security updates), and that the contrib and non-free repositories are enabled (some packages such as libapache2-mod-fastcgi are not in the main repository).

nano /etc/apt/sources.list

#deb cdrom:[Debian GNU/Linux 8.0.0 _Jessie_ - Official amd64 NETINST Binary-1 20150425-12:50]/ jessie main

deb jessie main contrib non-free
deb-src jessie main contrib non-free

deb jessie/updates main contrib non-free
deb-src jessie/updates main contrib non-free


apt-get update

To update the apt package database

apt-get upgrade

and to install the latest updates (if there are any).


6 Change The Default Shell

/bin/sh is a symlink to /bin/dash, however we need /bin/bash, not /bin/dash. Therefore we do this:

dpkg-reconfigure dash

Use dash as the default system shell (/bin/sh)? <- no

If you don't do this, the ISPConfig installation will fail.


7 Synchronize the System Clock

It is a good idea to synchronize the system clock with an NTP (network time protocol) server over the Internet. Simply run

apt-get install ntp ntpdate

and your system time will always be in sync.


8 Install Postfix, Dovecot, MySQL, phpMyAdmin, rkhunter, binutils

We can install Postfix, Dovecot, MySQL, rkhunter, and binutils with a single command:

apt-get install postfix postfix-mysql postfix-doc mariadb-client mariadb-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve dovecot-lmtpd sudo

When you prefer MySQL over MariaDB, replace the packages "mariadb-client mariadb-server" in the above command with "mysql-client mysql-server".

You will be asked the following questions:

General type of mail configuration: <-- Internet Site
System mail name: <--
New password for the MariaDB "root" user: <-- yourrootsqlpassword
Repeat password for the MariaDB "root" user: <-- yourrootsqlpassword

Next open the TLS/SSL and submission ports in Postfix:

nano /etc/postfix/

Uncomment the submission and smtps sections as follows and add lines where nescessary so that this section of the file looks exactly like the one below.

submission inet n - - - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING [...]

Restart Postfix afterwards:

service postfix restart

We want MariaDB to listen on all interfaces, not just localhost, therefore we edit /etc/mysql/my.cnf and comment out the line bind-address =

nano /etc/mysql/my.cnf

# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address           =

Then we restart MySQL:

service mysql restart

Now check that networking is enabled. Run

netstat -tap | grep mysql

The output should look like this:

[email protected]:/tmp# netstat -tap | grep mysql
tcp6 0 0 [::]:mysql [::]:* LISTEN 27371/mysqld


9 Install Amavisd-new, SpamAssassin And Clamav

To install amavisd-new, SpamAssassin and ClamAV, we run

apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl

The ISPConfig 3 setup uses amavisd which loads the SpamAssassin filter library internally, so we can stop SpamAssassin to free up some RAM:

service spamassassin stop
systemctl disable spamassassin

Share this page:

172 Comment(s)

Add comment


From: Someone

What about using nginx ? postfixdmin ? Apache and ISPConfig 3 will use about 500+ MB of ram...

From: till

A tutorial for Nginx will be released the next days. Using postfixadmin for a web + mail + dns server makes no sense as postfixadmin can neiter manage the webserver nor dns nor does it use less RAM then ISPConfig. The 500 MB RAM is not used by ISPConfig, the RAM is used by the other installed services like postfix, clamav, amavis, apache, pure-ftpd, bind, etc. You will see the exact same RAM usage on any full hosting stack server with apache. The RAM usage with nginx is a bit lower but the Mail system uses still the same amount of RAM.

From: bch

There's a typo at the end of the sources.list

From: till

Thanks! Fixed it.

From: bch

You're welcome. Love to help.Still, apt-get update from the next section has jumped up on the sources.list

From: omolinete

Hello,First of all, thank you very much for all your guides.I have 2 questions regarding this new one:1. Will it suffer any modification or it is a final version that has been really tested on Debian 8 "Jessie"? I mean if it has all the necessary for having almost the same installation as the Wheezy's guide (I know they are some packages that are no longer present in the jessie's repositories).2. On the other hand, and relating to the Roundcube's package which is not present yet in the Debian Jessie's official repository but it is on the Wheezy's one, the guide located at will differ very much if I use the original Roundcube's tarball instead?Sorry for my bad english language. It's no my mother tongue.Thanks again!

From: till

The guide has been written on Debian Jessie, so there are no modfications to be expected.

From: Lars

Thanks! Will this also work to update from wheezy to jessie?

From: till

This is a tutorial for a new installation and not a update procedure. It contains also the info that you might need to reconfigure your server after an update, but it is not explicitely made for that. We will release a tutorial with the update procedure when Debian Jessie is a bit more mature. If you run a production server, then you should not consider an update to a new Linux dist release so soon after the initial release, it is better to wait a few months so that the current bugs in the debian packages got fixed if you dont want to break your server.

From: Lars

Okay, Thanks. Ill wait a few months! Btw, thanks for all the tutorials, I use them a lot!

From: beyerservice

why is it in this guide:

[email protected]:/tmp# [email protected]:/tmp# hostname

in all other (old) guides all hostame should be


what changed?

From: till

A bug in amavis which required the hostname to be always the full fqdn has finally be fixed.

From: Gordon


Two things, is there going to an update config using apache2.2 or later, and the fail2ban local jails are limited, we've seen persistent hacking attempts to servers we’ve used the ISP config on, having to use IPset instead, as the ban times aren’t enough


From: till

The tutorial above is for a fresh installation with apache 2.4. If you have a wheezy install that you updated to jessie, then run a ispconfig update with "reconfigure services" to update the config files for debian jessie, then login to ispconfig, go to tools > resync and resync the websites. This will update the vhost config files for all sites to apache 2.4 config as well.

From: Gordon Fielden

There is a further issue i've notice, in the  "/etc/postfix/" you mention removing the # from line in the file  but one of them isn't on the master cf i'm editing -o smtpd_client_restrictions=permit_sasl_authenticated,reject where as it use to be in the wheezy version, do i add this line as well to the file, id so it doesn't say that in the totorial below is the default.


#submission inet n       -       -       -       -       smtpd#  -o syslog_name=postfix/submission#  -o smtpd_tls_security_level=encrypt#  -o smtpd_sasl_auth_enable=yes#  -o smtpd_reject_unlisted_recipient=no#  -o smtpd_client_restrictions=$mua_client_restrictions#  -o smtpd_helo_restrictions=$mua_helo_restrictions#  -o smtpd_sender_restrictions=$mua_sender_restrictions#  -o smtpd_recipient_restrictions=#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject#  -o milter_macro_daemon_name=ORIGINATING#smtps     inet  n       -       -       -       -       smtpd#  -o syslog_name=postfix/smtps#  -o smtpd_tls_wrappermode=yes#  -o smtpd_sasl_auth_enable=yes#  -o smtpd_reject_unlisted_recipient=no#  -o smtpd_client_restrictions=$mua_client_restrictions#  -o smtpd_helo_restrictions=$mua_helo_restrictions#  -o smtpd_sender_restrictions=$mua_sender_restrictions#  -o smtpd_recipient_restrictions=#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject#  -o milter_macro_daemon_name=ORIGINATING

From: till

Change this section of the so that it is exactly like the one from this tutorial. This tutorial is for Debian Jessie only, not Wheezy!

From: greypanda

I had to add deb jessie main non-free to sources.list to get libapache2-fastcgi.

From: till

This repo (just the us version of it) is listed in the tutorial already.

From: Rogue

Hello, installing (Apache 2, PHP 5, phpMyAdmin, FCGI, suexec, Pear, And mcrypt), it asks me that question 2 (Web server to reconfigure automatically: <- apache2

Configure database for phpmyadmin with dbconfig-common? <- No) but he does not ask me the rest .. (Enter the password of the administrative user <- yourrootmysqlpassword

Enter the password phpmyadmin application? <- Just press enter) this is serious? I'm french so sorry for my english .. Thanks in advance. :)

From: ricli

Little mistake :

Configure database for phpmyadmin with dbconfig-common? <- no  

Type Yes instead

From: ricli

problem : libapache2-mod-fastcgi do not exists in jessie repo

From: till

This paclage exists in jessie repo. I guess you missed to configure the eban repos as described in the tutorial, you have to add contrib and non-free repo.

From: ricli

mkdir /var/lib/squirrelmail/tmp is written twice

From: Ed



I'm wondering why you have apache2.2-common in these instructions. Is it always included for 2.4?

Do you have apache2.2-common in these instructions so that people can still access their websites including the ISPConfig 3 login, if they use these instuction to perform an upgrade from wheezy, so that they can do the resync operation? If this is the case, can it safely be removed after performing the resync operation?


Thanks for this guide.

From: newtesla

Kudos for finally using nano instead of vi :)

Also: please drop using ntpdate - since it is obsolete since 2010, and also can create huge problems when installed into VZ.

From: nanoLOL

Kudo for using nano instead of vi?? 

From: MagicallyVIliscious

Nano, really?  ROFL

From: 3lij4h

I have used the "The Perfect Server - Debian 7" guide and still running it.

How would it be best to upgrade from Debian 7 to 8? and how would that affect my configuration?

Thank you,

From: mattheoh


At the Step for FTP / Quota installation.

The FSTab file is empty and contains only : # UNCONFIGURED FSTAB FOR BASE SYSTEM

Did I miss something ?

From: till

Seems as if you have a openvz / virtuozzo based virtual machine that dont have a filesystem configuration in fstab. You can skip that step in this case and ask your ISP to turn on Filesystem quotas for your VM as thats configured on the host server in the virtual machine config file.

From: mattheoh

thanks a lot for the fast answer !

From: mattheoh

Thanks a lot for the fast answer. That's exactly that. Indeed, I m on a virtual machine !

From: mattheoh

I m sorry, but I have a last question.

I can't access to phpmyadmin at this URL (not found) - same thing with http.

I tried to create a symbolic link : 

– cd /etc/apache2/conf.d (I created a conf.d folder cause it didn't exist)– ln -s /etc/phpmyadmin/apache.conf phpmyadmin

but it doesn't work... someone would have an idea ?

From: till

This happens when "apache" was not selected in the apt installation dialog during phpmyadmin installation. You can rerun this dialog with:

dpkg-reconfigure phpmyadmin

From: mattheoh

You're the man ! I effectly forgot to click on Apache selection during the installation process (though it was already selected) !

Thanks a lot !

From: Attila Kotan

Perfect tutorial!

Special thanks!

From: pilgrims

Ist noch jemand hierauf gestossen?  Was habe ich übersehen?


apt-get install libapache2-mod-fastcgi php5-fpmPaketlisten werden gelesen... FertigAbhängigkeitsbaum wird aufgebaut.Statusinformationen werden eingelesen.... FertigPackage libapache2-mod-fastcgi is not available, but is referred to by another package.This may mean that the package is missing, has been obsoleted, oris only available from another sourceE: Package 'libapache2-mod-fastcgi' has no installation candidate

From: till

You have an error in our /etc/apt/sources.list file. Check that contrib and non-free repositorys are activated, then run apt-get update and then the command to install mod-fastcgi again.

From: Sabin

Hello, I have a problem with sending and forwarding email with attachment from squirrelmail. When I try to attach a file no matter how small, squirrel says "ERROR:Could not move/copy file. File not attached ". If I try to forward from squirrelmail a mail with attachments, size of all attached files is 0. From outlook and thunderbird I have no problem with attachments. Thanks!

From: Ilko

Hello, I love ISPconfig. Thank you for all the guides, everything works perfect after installation, just the attachments in squirellmail are not. I tried everything to fix it (PHP settings, chmod for /var/spool/squirrelmail/attach, without any success), until I found this thread and applied the same solution:

From: Jens

filter   = pureftpd

--> sollte pure-ftpd heißen!?

From: till

The line "filter   = pureftpd" is correct here as thats the name of the file "pureftpd.conf" that we add in the next step. If you prefer to add a - in the name, then dont forget to alter it in all places wher it occurs in the fail2ban config.

From: Sergey

How so this means the server is connected by FTP, with the rights to the root directory Root Root?

From: till

The root user has never access by FTP. When you want to upload a file as root user, then use SCP/SFTP as thats a SSH protocol. When the server setup is finished, then you can create FTP users for the websites that you host on that server from within ISPConfig.

From: Sergey

How and where to change the path to / phpmyadmin

From: till

Why do you want to change a path in phpmyadmin? PHPMyAdmin works out of the box when you follow this tutorial, just ensure that you selected to configure PHPMyAdmin for apache in the apt install dialog during installation.

From: Sergey

Can I install the set in this assembly ionCube.

From: Wally

Thank you very much, this is a first very perfect manual, that give the actually info step by step on the newest Debian release. I has no one error all the way, it is amazing!!!I have only one question. Can you may be make addition to it, for people, who use other partitions for the data? As example, I have a two 2TB HDDs in RAID1, small part (~30GB) I use for the system, also " / ", and the most volume is mounted at " /server ", can you maybe make a small manual, what folders I need to create on this "data partition", what services I must stopping before copying data, the right commands for copy and hardlink, and then start anything again back? Is it possible?

From: till

Hi, please see here for instructions to relocate the website and email data to a different partition:

From: Falgn0n

'libapache2-mod-fastcgi' has no installation candidate ... ??


From: till

You missed to enable the Debian contrib repository. Check your /etc/apt/sources.list and compare it with the one from this tutorial.

From: dwtj01

Thanks as usual for the great tutorials. Any idea when this one will be available via pdf or is the link just broken?

From: till

I just teted the download link for the PDF version and it works for me. If you have issues with downloading the PDF version, please contact us Please include any error message sthat you might get.

From: Michael

I am trying to set up Debian Jesssie x64 using your instructions. After steps 10 and 11 I get:


Job for apache2.service failed. See 'systemctl status apache2.service' and 'journalctl -xn' for details.


"service apache2 restart" seems to not work for me. Any ideas?


From: till

Take a look at the apache error.log

From: Reef

Thank you very much for taking the time to provide this.  It was invaluable for a newbie like me to both Linux and your product. Regards... :)

From: GaryS

Errors were encountered while processing: amavisd-newE: Sub-process /usr/bin/dpkg returned an error code (1)

today ?

From: GiMan

I solved this by fixing Amavis FQDN settings:

[email protected]# /etc/init.d/amavis restart

[email protected]# systemctl status amavis.service

Set manually $myhostname for amavis :

[email protected]# vi /etc/amavis/conf.d/05-node_id

[email protected]# /etc/init.d/amavis restart

[email protected]# apt-get update

[email protected]# apt-get upgrade


Setting up amavisd-new (1:2.10.1-1) ...

Creating/updating amavis user account...



From: Jonathan

Please provide some clarity,

In your guide you aske to create "/etc/fail2ban/filter.d/pureftpd.conf", however /etc/fail2ban/filter.d/pure-ftpd.conf already exists with the following...

[INCLUDES]before = common.conf[Definition]_daemon = pure-ftpd# Error message specified in multiple languages__errmsg = (?:????\[.*\]???????|?????\[.*\]??????|\[.*\] kullan?c?s? i?in giri? hatal?|??????????? ?? ??????? ???????????? \[.*\]|Godkjennelse mislyktes for \[.*\]|Beh?righ$failregex = ^%(__prefix_line)s\(.+?@<HOST>\) \[WARNING\] %(__errmsg)s\s*$ignoreregex =So which file will be called correctly, the newly created file as per your guid or the existing one?

Thank you

From: Sergey

how to install ioncube loader?

From: till

Just follow the instructions from ioncube: There is nothing specific to the above setup in installing ioncube.

From: Sergey

I installed the cd / usr / local / src wget

trying to unzip command tar -xvf ioncube_loaders_lin_x86-64.tar.gz

tar: ioncube_loaders_lin_x86-64.tar.gz: The open ended with error: No such file or directory tar: Error is not recoverable: exiting now

From: Iztok

Hi! I have problem with PureFTPd. FileZilla can not connect to server over TLS. Only unsecure connection works.

From FileZilla:

Status:    Connecting to    Connection established, waiting for welcome message...Status:    Initializing TLS...Error:    Could not connect to serverStatus:    Waiting to retry...Status:    Connecting to    Connection established, waiting for welcome message...Response:    220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------Response:    220-You are user number 4 of 50 allowed.Response:    220-Local time is now 14:02. Server port: 21.Response:    220-This is a private system - No anonymous loginResponse:    220-IPv6 connections are also welcome on this server.Response:    220 You will be disconnected after 15 minutes of inactivity.Command:    AUTH TLSResponse:    234 AUTH TLS OK.Status:    Initializing TLS...Error:    Could not connect to server

From: till

Thats a problem with the passive port range. Define a passive port range in pure-ftpd and then open the same port range in your firewall.

From: John Boudouris

Hello, great guide. I was too fast with copy paste and I installed suPHP when I didn't really want it and I think it's causing me some problems. What's the way to reverse that installation?

From: till


a2dismod suphpservice apache2 restart

From: Aurelian

Hello guys, 

i`m trying to setup one server with pure-ftpd with tls and it seems that i`m getting a error that i cannot find a fix for it . 


[INFO] New connection from 

[INFO] SSL/TLS: Enabled TLSv1/SSLv3 with AES256-GCM-SHA384, 256 secret bits cipher

[WARNING] Authentication failed for user []

[INFO] Logout.

[INFO] New connection from


[INFO] Logout.

any help please . 

From: Rob V.

There are the users root and administrator. Squirrelmail does not accept root. But administrator gives a permission problem. May be solved by running (Terminal):

touch /var/mail/administratorchown administrator:mail /var/mail/administratorchmod o-r /var/mail/administratorchmod g+rw /var/mail/administrator

Something seems to be missing from the instructions. Or else, if I did something wrong, I'd like to know what it is.

From: till

You mix up system users and email accounts here. Email users exist nly in the mysql database as this is a virtual user setup. The direcrory /var/mail is not by this setup. If you want to redirect emails of a system user to a mailbox, then add a alias line for it in /etc/aliases and run the newaliases command afterwards.

From: Rob V.

There are the users root and administrator. My ftp client (Yummy) tells me the sites directories have root as owner. Since I can only login as administrator, I cannot upload local files to var/www, for example. How do set root access for my site?(This problem did not exist with Wheezy, because this distribution allowed root to access the site.)

From: till

You mix up ftp users (which are virtual users and you create them in ispconfig) with the system user login for the server maintenance. To upload files into a website, create an FTP user in ispconfig for that website, then enter this ftp username and password in your ftp client. You have then full access to this website by FTP and can upload files into the "web" folder, the owner of the files is correct by default.

From: Rob V.

I understand what you are saying. Still, I'd like to be able to edit files for server maintenance in TextWrangler instead of vi through Terminal. Wheezy lets me do that as root, Jessie doesn't allow root to login through FTP and administrator is not the owner of the server (root is the owner). How do I adapt this for the ftp client? In other words, how can administrator upload and change files via FTP if root is the owner? 

From: till

Just edit the file /etc/sshd/sshd_config and allow ssh logins for the root user and restart the ssh daemon. Then you can login as root with SFTP.

From: Rob V.

Thanks till. Inside /etc/ssh/sshd_config I changed PermitRootLogin without-password to PermitRootLogin yes and ran service ssh restart. That did it: the root user can now log into my FTP client (sftp) and upload or edit files. But I'd rather be able to login with user administrator (possible) and have administrator edit and upload files (impossible: permission denied). I've been searching for hours but can't find simple instructions on how to do that. So my question is: can it be done (it used to be possible with earlier Debian distros) and if yes, how? 

From: Rob V.

When Jessie (minimal setup) is booting, this is run on the screen:[FAILED] Failed to start Check And Enable File System Quotas.[   3.604446][227]: quotacheck: Quota for users is enabled on mountpoint / so quotacheck might damage the file.See 'systemctl status quota.service' for details.[   3.613648][227]: Please turn quotas off or use -f to force checking.

I haven't a clou if this is wrong and what to do if it is. Info is welcome. 

From: till

Thats ok and can be ignored. There is a bug in Debian which throws this error while the quota system is working as it tries to check a already working and mounted quota system.

From: Hjarne

If you get errors regarding php and mysql versions not working together properly try installing php5-mysqlnd instead of php5-mysql

From: Kai

In Part 8:

I don't see any reason why you should open your database too the public with:

We want MariaDB to listen on all interfaces, not just localhost, [...]

as it seems as a good practice to me to keep as many services as possible only accessible from localhost and using an SSH-Tunnel or VPN to access them.

Maybe I just don't see the reason, so an explanation would be cool.

Kudos for using MariaDB! It should be considered to use the repo from MariaDB (instructions here: )

to stay up-to-date with the database-releases.

Same for HHVM, which is completely missing here (but has a huge impact on performance) but is mentioned in some ISPconfig-Forum-Posts and seems to be in latest released code of ISPconfig?

It would be nice to explain how to use official certificates for Mail/SFTP to replace the self-signed ones.

Anyway, thank you for this great tutorial and the work you did!!!

From: till

If a database is accessible from outside or not is controlled by the database settings in ISPConfig. The database server itself has to listen on the external interface, otherwise the settings on a per database basis in ISPConfig will not work. There are plenty of external MySQL database modeling and backup tools available that run on your desktop, so it makes sense to have an option that allows a user to access his database from an external IP and this option is only available when the database server itself is bound to the external IP too.

Regarding HHVM: HHVM will be supported in the next release (3.1), it is not supported in the current release ( It makes no sense to install HHVM in a tutorial for the current ISPConfig release when it does not support HHVM yet as it will just use memory without being useful.


Regarding SSL certs:

From: Jesse Norell

Should ensure the aptitude program is installed around step 5, or ispconfig's System > Do OS-Update won't work.

From: Julian

"apt-get install dialog" if debconf can't find a dialog program...

debconf: No usable dialog-like program is installed, so the dialog based frontend cannot be used.

From: Julian

"apt-get install libwww-perl" is required for rkhunter.

From: Ganesan


Thank you very much for the useful tutorial.  I followed the steps (blindly) and setup my mail server for our school and it is working now.

There is one problem:

I can send emails.  But can't receive emails.

I try to send email from my personal gmail to one of the emails on this new mailserver a/c then I received the following error message.

Delivery to the following recipient failed permanently:      [email protected] Technical details of permanent failure: Google tried to deliver your message, but it was rejected by the server for the recipient domain by []. The error that the other server returned was: 550 5.1.1 <[email protected]>: Recipient address rejected: User unknown in virtual mailbox table.


Kindly help on this.


Thank you.

From: till

Please make a post that contains the error messages from the mail.log file in the howtoforge forum.

From: Ganesan


The problem solved.  (Silly mistake: typo error in the email address).

Thank you.

From: Benoit LANDRIEU

Hello very good tuto but the admin/admin log on squirremail doesn't work...

From: till

admin:admin is the login for ISPConfig and not Squirrelmail. The squirrelmail login are the login details (email address and password) of an email account that you created in ISPConfig.

From: Ed



I set this up workign, and then decided to remove the email server, since I'm on a vps with only a limited amount of RAM and clamAV and email was using too much resources. I kept iptables and fail2ban, of course, and removed the files created for pop3 and imap, and I removed all postfix and dovecot packages. I would liek to know your recommendations:

1) Can I also safely remove getmail4?


2) I am getting many mails which are being defferred in the logs and queue like this:

server1 sm-mta[8458]: t8BMK1sL005375: to=<[email protected]>, ctladdr=<[email protected]> (0/0), delay=04:57:07, xdelay=00:00:00, mailer=esmtp, pri=2820466,, dsn=4.0.0, stat=Deferred: Connection refused by


What can I do about this - how to not have mails in the queue? I guess some native mail functions like sendmail are necessary,so I own't touch that.

In the system log I get:

server1 CRON[1890]: (getmail) CMD (/usr/local/bin/ > /dev/null 2>> /dev/null)


so getmail4 is running - can I safely remove it, or is it necessary?


Thanks for helping with this - it might be a common problem - how to remove the email server and keep the rest for vps's with 1 gig or less. Thank you.


From: Ganesan


My email server is working fine.  I have one problem.  When I configure one of or staff email on apple email client, it works fine for a while after that suddently stop receiving emails. I think this is due to the secure certificate problem.  Kindly advise whether I can purchase and install the SSL Certificate and how.

Thank you. 

From: Eric Snyder

Perfect!!! Worked first time!

From: Mendim

I have problems on point 12.2

 Package libapache2-mod-fastcgi is not available, but is referred to by another package.

This may mean that the package is missing, has been obsoleted, or is only available from another source E: Package 'libapache2-mod-fastcgi' has no installation candidate

From: till

Please check the /etc/apt/sources.list file of your server and ensure that it is like the one in step 5 of the tutorial, then run apt-get update and install the package.

From: Ganesan

I have followed the guide exactly.  Now my email server working fine.  Thank you.

For some reason, I want to change my host name of the server.  Please guide me what are the places should I need to change.


From: gregory121

Does anybody know how to enable POSTFIX notifications when email's domain (IP) received by the server is on the RBL list? I am wondering how to be notified by the email, when the email that was sent to my server was rejected because sender is on the spam list.

At the moment the only thing is to grep through log files, or wait for logwatch once per day.

From: Nico


Thanks for the tuto.


I've got a big problem... when i try apt-get install amavisd-new, i've got this :


Creating/updating amavis user account... Job for amavis.service failed. See 'systemctl status amavis.service' and 'journalctl -xn' for details. invoke-rc.d: initscript amavis, action "start" failed. dpkg: error processing package amavisd-new (--configure): subprocess installed post-installation script returned error exit status 1 Errors were encountered while processing:E: Sub-process /usr/bin/dpkg returned an error code (1)


If the following is not done, you cannot delete e-mail received in squirrelmail. Perhaps there is a more elegant solution, but this works. 10-mail.conf must be modified to set mail_privileged_group = mail

From: ikvat

echo "yes" > /etc/pure-ftpd/conf/ChrootEveryone

From: Someone

Thank you for the tutorial, but where is the tutorial with nginx instead of apache? I can't find it.@

From: till at: 2015-04-28 11:23:26.

From: Someone

I have a issue at the step "8 Install Postfix, Dovecot, MySQL [...])My sources are correct and MariaDB is installed, but this not happens:"You will be asked the following questions:General type of mail configuration: <-- Internet SiteSystem mail name: <-- etc."I think this questions should only prompt when I install MySQL instead of MariaDB, but I'm not 100% sure?Plase answer. Thank you.

From: brody

Will this install php5.5 and apahce 2.4 ?

From: till

It will install the current apache and PHP version from Debian 8. You can find the exact version numbers of all packages that Debian provides in the Debian package database:

From: khedman

Debian 8 doesnt have libapache2-mod-fastcgi neither fastcgi apache2 mod ?

From: till

This package exists in Debian 8. You missed to enable the contrib repository in your /etc/apt/sources.list file, see chapter 5 of this tutorial how the sources.list has to be.

From: Tom Foley

Wonderful tutorial. Many thanks!

From: Kerim

is already for nginx a tutorial available ?

From: Florian

I've got a problem with the FTP connection.

Short:In the intranet I can connect but if I try to connect from a remote position it tells me error 530 and "Critical Error:..."


Could somebody help me?

From: Louis

I've got a strange problem. :-( When I change "localhost.localdomain   localhost" to "    test" is that still the same after a reboot. So it looks like this: "    localhost.localdomain   localhost" instead of "    test". Is that normal?

From: Net-gear-KP

:~# nano /etc/fstab

# / was on /dev/sda2 during installation


UUID=xxxxxxxxxxxxxxxxxxxxxxxxxxx /               ext4    errors=remount-ro,usrjquota=quota.user,,jqfmt=vfsv 0       1

:~# mount -o remount /

mount: / not mounted or bad option .... In some cases useful info is found in syslog - try ... dmesg | tail or so.



From: harsh

The description indicates that MySQL will be installed but it installs MariaDB instead.  Was this intentional?

Can I substitute MySQL in step 8?

From: till

I quote from thr tutorial "When you prefer MySQL over MariaDB, replace the packages "mariadb-client mariadb-server" in the above command with "mysql-client mysql-server"."

From: Oscar


great tutorial, thanks a lot.

Only find a problem, when I tried to access to ispconfig page, shows default apache index.

Any idea?


From: till

Ensure that oyu really use port 8080 and not port 80 or 443 to access ISPConfig.

From: snowman


Thanks for your excellent tutorial.

I have a question - as in this configuration set up port imap. I want to secure 993. Me works only 143. Thanks a lot.

From: till

Yes, IMAP and IMAPS are both configured automatically by the ISPConfig installer.

From: George Wood

The only stumbling block I encountered was installing the fastcgi module as I'm running on an arm processor and there are no packages available in the repositories.

I was able to wget a deb package and manually install it.


Otherwise, it's a big thumbs up :-)

From: DiegoV

Very good work, perfectly functional. Congrats and thank you!

From: SvenSenkpiel

Super Anleitung, alle die ein Problem mit den Umlauten bei der mariadb haben (Daten in db UTF-8, Charset in HTML UTF-8) dann wird der der charset im connect bei mysql nicht auf utf8 stehen.

Einfach in der /etc/mysql/conf.d/mariadb.cnf den defaultzugriff ändern, denn der steht auf Latin1. Oder die php Anwendungen so anpassen, dass bei jedem mysql connect  utf8 gesendet wird!

# MariaDB-specific config file.

# Read by /etc/mysql/my.cnf



# Default is Latin1, if you need UTF-8 set this (also in server section)

default-character-set = utf8




# * Character sets


# Default is Latin1, if you need UTF-8 set all this (also in client section)


character-set-server  = utf8

collation-server      = utf8_general_ci

character_set_server   = utf8

collation_server       = utf8_general_ci

init-connect='SET NAMES utf8'






From: thibotus01

 After editing /etc/clamav/clamd.conf

Clamav must be restarded. Maybe you should add it.

service clamav-daemon restart

From: Jinendra

Very nice tutorial.

Few Questions

1. I am able to sent emails but not receiving emails, what can be issue?

2. PHP script not able to send email using script, what can be done here?


From: bruno

I move a site from debian 7 to debian 8 with ispconfig 3 for both.

I change order of LogFormat parameters %o in /etc/apache2/apache2.conf and I have no change with apache 2.4 after restarting apache.

Do you know why ?


From: bruno377

I modify this command (i added %O in front of the text)

LogFormat "%O %a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\""     combined

in /etc/apache2/apache2.conf and i don't see any change in the access.log of my vhost

Do you have any idea ?

It works for the other_vhosts_access.log !


From: till

You modified the config for the global apache access.log, not the one for the websites. The website access.log configuration is in the apache ispconfig.conf file.

From: bruno

I have an access.log for each vhost but any change i do in the LogFormat in apache2.conf doesn't change the format of this access.log. Where should I put the CustomLog associated with the vhost access.log ? I use Ispconfig.

From: till

The website access.log configuration is in the apache ispconfig.conf file and not in apache2.conf file.

From: Guido

I did it complete but get the following exeption while installing ISPConfig asself:

Full qualified hostname (FQDN) of the server, eg server1.domain.tld  []:

No PHP MySQL functions available. Please ensure that the PHP MySQL module is [email protected]:/tmp/ispconfig3_install/install#

But there should be mysql module loaded.

From: till

The MySQL extension is not there. Install the php5-mysql module again:


apt-get install --reinstall php5-mysql

From: Matt

Step 13 uses the "vi" command insted of "nano".

vi /etc/aliases

From: Matt

On a Linode VPS, you need to add a simlink to /dev/root in order for quotas to work.

ln -s /dev/xvda /dev/root

From: Jimbik

how to install additional php-5.4.43 (PHP-FPM & FastCGI)?

From: ray

My domain names are parked at godaddy pointing to the server, all mail records on godaddy are pointed to the server.

my squirrelmail works great locally, but It cannot send mail to remote mailbox ie [email protected] //

I emptied all pertinent log files and tried to send an email from SM on another machine w/ attachment.

 mail from sent to Squirrelmail boxes complain recipient not found

outbound mail from Squirrelmail never arrives at outlook,yahoo,gmail.etc

No errors reside in the logs mail log, mail warn log or mail error log, systemlog and all mailman logs remain blank.

The mails appear in the queue complaining of connection time out.

I assume something is not set up correctly outside of the mail server

From: Jm

Provider Server4you

After installation: 550 5.1.1 <>: Recipient address rejected:

changed in the MySQL in /etc/postfix

comment out:

#default_transport = error#relay_transport = error

After thats postfix runs well again.


From: tecra

hi there and thanks for awesome tutorial which worked 100%!  so im confused on how my server can reached outside of my lan. currently it can only be seen from itself and im unaware what needs to be changed. any advice would be helpful

From: hatted

I can install MySQL 5.5 and PHP 5.6 in Debian 8.2 with ispconfig successfully.   but now I installed MySQL 5.7 by following the and PHP 7.   When I install the ispconfig in the last step without any errors, but I found it only install 5 tables in the db.  Is it working with MySQL 5.5 only, but not working with MySQL 5.7?   aps_instances aps_instances_settings aps_packages aps_settings attempts_login     ############### ## mysql step # wget # dpkg -i mysql-apt-config_0.6.0-1_all.deb #### select install all MySQL tools and utilities   # apt-get update # apt-get install mysql-server # service mysql status ? mysql.service - MySQL Community Server    Loaded: loaded (/lib/systemd/system/mysql.service; enabled)    Active: active (running) since Fri 2016-02-26 12:50:38 HKT; 8s ago Main PID: 1809 (mysqld_safe)    CGroup: /system.slice/mysql.service            ??1809 /bin/sh /usr/bin/mysqld_safe            ??2064 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib/mysql/plugin --log-error=/var/...   Feb 26 12:50:36 mysqld_safe[1809]: 2016-02-26T04:50:36.901795Z mysqld_safe Logging to '/var/log/mys...log'.   Feb 26 12:50:36 mysqld_safe[1809]: 2016-02-26T04:50:36.986701Z mysqld_safe Starting mysqld daemon w...mysql     #### check mysql version # mysql -uroot -p --version mysql  Ver 14.14 Distrib 5.7.11, for Linux (x86_64) using  EditLine wrapper

From: Mike M.

If you use the /var/log/mail.warn instead of the /var/log/mail.log for the postfix-sasl jail, make sure the /etc/fail2ban/filter.d/postfix-sasl.conf failregex line does not care about case for the word "LOGIN", or you will miss banning a lot of breakin attempts. It is written both "LOGIN" and "Login" in the mail.warn log. Here is the line to use:

failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/:]*={0,2})?\s*$

From: xtz

Great job , thx a lot !!!

From: lolbrin


can you tell me if is this required in 1 server environment?

We want MariaDB to listen on all interfaces, not just localhost, therefore we edit /etc/mysql/my.cnf and comment out the line bind-address =

or i can leave it on localhost?

From: lolbrin


can you tell me if uncomment mariadb bind-address = required in 1 server environment? or i can allow only connection from localhost?

From: till

If a database is accessible from outside is managed in ispconfig, but this makes it nescessary that you comment out that line so that MariaDB listens on all interfaces. If you do not want to be able to configure remote access to databases in ISPConfig, then you can leave this at localhost.

From: Erik

Is there a way to change the hostname after the server is setup? In step #4  at the beginning of this tutorial... Where is set, I put in a domain name I own in the part of the hostname. I had planned on putting this website on the server but It seems to conflict since the hostname is the same as the domain name. I could just start over from scratch, but would rather not if there's an easier way to do this. Thanks in advance. 

From: Any package of IspConfig block multiple http requests???

Hi, I installed ISP3 in some servers with Debian 8.1. Everything runs right, but I can't do security scans (with nessus o Qualys Scan) of these IP's because the system blocking http requests (when the scan try much url). I stopped Fail2ban and the problem is persisting. Any idea?Regards.

From: till

There is no such software in a default ispconfig install. But maybe you installed an apache module like mod_evasive which is made to block multiple requests?

From: Miquel Casanovas

No, I did basic installation. I installed the ISP3 using this howto.

From: wk

Hi Till, is it possible to use ISPConfig with Apache mpm event -> apache2-mpm-event ?

What is then the correct installation syntax under Step 10 ?

apt-get install apache2 apache2.2-common apache2-doc apache2-mpm-event .... ?

Will the ISPConfig check this and then do not offer mod_php later under website settings?

Are there any other restrictions if using mpm event ?

Thanks for an answer.

From: DDArt

This is in response to our issue and another person here.  I noticed that in this tutorial mailutils or mailx wasn't installed.  Coming from UBuntu Tutorial to Debian 8, our PHP Script ( phpmail ) not sending out, esp. in CMS/Drupal or Wordpress.

This didn't work for us:

echo "body of your email" | mail -s "This is a Subject" -a "From: [email protected]" [email protected]

But after installing mailutils (apt-get install mailutils) all started flowing in.

Hope this sheds some light to anyone that has/had this issue.


From: Fabrice Triboix

I think rkhunter needs to be "enabled" by editing "/etc/default/rkhunter" and replacing `CRON_DAILY_RUN=""` by `CRON_DAILY_RUN="true"`

From: till

Rkhunter should not be enabled there. Rkhunter is run by ispconfig at night, by enabling it there you will cause your system to be scanned twice each day which just increases the load on your system.

From: Vlad

I have no mount point "/"

proc /proc proc defaults 0 0 none /dev/pts devpts rw,gid=5,mode=620 0 0 none /run/shm tmpfs defaults 0 0

From: till

Then you probably use a virtual machine. In this case, skip the fstab editing and proceed with the next step.

From: sxlderek

Got the following message when install rkhunter

Invalid SCRIPTWHITELIST configuration option: Non-existent pathname: /usr/bin/lwp-request

This is how to solve:

apt-get install libwww-perl rkhunter --check


From: S.A.L.

Just for information for everyone who has the same error like me:After installing ispconfig on Debian 8.4 (Jessie) I got the error 500 when I try to open the ispconfig login site and in the apache error log I found the message "mod_fcgid: error reading data from FastCGI server".The problem were wrong rights on the directory /var/www/php-fcgi-scripts. Owner und group of this directory are both root. "Others" have no read and execute rights on this. So if apache tries to open the wrapper script under /var/www/php-fcgi-scripts/ispconfig/ it is not able to open it because of the wrong rights.I solved this problem by adding read and execute rights for "others" on this folder: chmod o+rx /var/www/php-fcgi-scripts/Set this rights only on this directory, not on one of the subdirectories, because of security reasons.Instead of setting the read and execute for others, I think you can also change the group for this directory to one that contains all users who are owner of a website (and therefor are set as suexec user in the apache vhost settings). But I'm new to ispconfig and don't know if ispconfig is maintaining such a group. Does anybody know?

From: till

There are no permission changes nescessary on a correctly installed system, and your proposal opens up a security hole. The php-fcgi script and folder has to be owned by user and group ispconfig and only this user and group may read its content as the ispconfig vhost runs as user and group ispconfig with suexec. So please undo your permission change to secure your setup and then check if the suexec module is installed and enabled on your server. Maybe you had a different control panel installed before or your ISP has given you an unclean base image or you missed to run a command from this installation tutorial. If you need further help, please post in the forum.

From: CInabro

When you uncomment

bind-address =

Newset mariadb version need to be edited in:  /etc/mysql/mariadb.conf.d/50-server.cnf



From: Nicram


When I add 

AllowSupplementaryGroups true

Jun 10 10:03:17 isc clamd[1858]: ERROR: Parse error at line 90: Unknown option AllowSupplementaryGroups

From: till

This has changed a few days go with the last ClamAV update, see Debian bug report here Just remove that line.

From: Juergen


great Tutorial, i think all works fine except smtp.

I'll get this error: dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>

E-Mail sending via webmail work fine.

any idea?

best Juergen

From: Merlin


https://MY_IP_ADDRESS:8080/phpmyadmin/ -> "The requested URL /phpMyAdmin/ was not found on this server."



ln -s /etc/phpmyadmin/apache.conf /etc/apache2/conf-available/phpmyadmin.conf

a2enconf phpmyadmin

service apache2 reload

From: Ganesan


Suddenly my email server is not sending or receiving any emails.  Kindly help me on this.

From: Ganesan

When I try to connect from my email clients to the server, it says 'Cannot Connect Using SSL'.  Please help me to resolve the problem. (I am new to Linux and Dovecot and ISPConfig etc.,)

From: Alex

great! It is not clear if I can install php 7.x instead of php 5.6.x (or howto have multiphp running, i.e. 5.6 and 7.x).Ispconfig 3.0.5+ can run with php7?!?

Is there an howto explaining this? Thank you.

From: till

From: nif

I follow this tutorial. But now, What is the best IPTABLES config after install ISPconfig ? for a simple web server (dns / apache / local mysql) with 2/3 websites ?

I open thread here :

From: Nelson

Thanks for the tutorial, it was straight forward, it als have some lapses, I was able to use it because I was not new to linux, it can be enhanced by removing all the unwanted cluter.

Nice work



From: Mark

Where exactly have i to add/run step 21.1. Can any one tell me please?


From: limepo

I have fresh install Debian 8.x and I have not login by default password "admin". Where is problem?

ERROR Error Username or Password empty.

From: Gordon SCOTT

Perfect for me ! Everything works as planned ! Thanks for this !

From: Fladi

If you get an error while installing PHP-FPM (12.2)

Package libapache2-mod-fastcgi is not available, but is referred to by another package.This may mean that the package is missing, has been obsoleted, oris only available from another sourceE: Package 'libapache2-mod-fastcgi' has no installation candidate

... you have to add the debian jessie non-free repository.

Edit /etc/apt/sources.list and add

deb jessie non-freedeb-src jessie non-free

After this execute apt-get update.

From: till

Yes, as explained in chapter 5 of the tutorial.

From: NR02

Went through this entire guide step by step.


FTP gives me an error 530... any idea? I've even deleted and recreated the user in ISPCONFIG

From: brody

is fail2ban enabled for other users ( ispconfig admin user, etc, ) ??

From: till

Fail2ban is enabled for services like ssh, ftp, etc., the user does not matter for it's configuration.

From: Lukas

I have got a problem with the email section. When i am logged into the interface and click on email, it doesn't open the email part. I reinstalled my whole server and ISPConfig but it's still not working. Could you help me please?

From: till

Most likely you named the alias for the webmail client /mail and not /webmail as shown in the tutorial. Rename it to /webmail and restart apache.