The Perfect Server - Debian 9 (Stretch) with Apache, BIND, Dovecot, PureFTPD and ISPConfig 3.1

This tutorial shows how to prepare a Debian 9 server (with Apache2, BIND, Dovecot) for the installation of ISPConfig 3.1, and how to install ISPConfig. The web hosting control panel ISPConfig 3 allows you to configure the following services through a web browser: Apache or nginx web server, Postfix mail server, Courier or Dovecot IMAP/POP3 server, MySQL, BIND or MyDNS nameserver, PureFTPd, SpamAssassin, ClamAV, and many more. This setup covers Apache (instead of nginx), BIND, and Dovecot.

1 Preliminary Note

In this tutorial, I will use the hostname server1.example.com with the IP address 192.168.1.100 and the gateway 192.168.1.1. These settings might differ for you, so you have to replace them where appropriate. Before proceeding further you need to have a minimal installation of Debian 9. This might be a Debian minimal image from your hosting provider, or you can use the Minimal Debian Server tutorial to set up the base system.

2 Install the SSH server (Optional)

If you did not install the OpenSSH server during the system installation, you can do it now:

apt-get install ssh openssh-server

From now on you can use an SSH client such as PuTTY and connect from your workstation to your Debian 9 server and follow the remaining steps from this tutorial.

3 Install a shell text editor (Optional)

We will use the nano text editor in this tutorial. Some users prefer the classic vi editor, therefore we will install both editors here. The default vi program has some strange behavior on Debian and Ubuntu; to fix this, we install vim-nox:

apt-get install nano vim-nox

If vi is your favorite editor, then replace nano with vi in the following commands to edit files.

4 Configure the Hostname

The hostname of your server should be a subdomain like "server1.example.com". Do not use a domain name without a subdomain part like "example.com" as the hostname, as this will cause problems later with your mail setup. First, check the hostname in /etc/hosts and change it if necessary. The line should be: "IP Address - space - full hostname incl. domain - space - subdomain part". For our hostname server1.example.com, the file shall look like this:

nano /etc/hosts

127.0.0.1       localhost.localdomain   localhost
192.168.1.100   server1.example.com     server1

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Then edit the /etc/hostname file:

nano /etc/hostname

It shall contain only the subdomain part, in our case:

server1

Finally, reboot the server to apply the change:

reboot

Log in again and check if the hostname is correct now with these commands:

hostname
hostname -f

The output shall be like this:

root@server1:/tmp# hostname
server1
root@server1:/tmp# hostname -f
server1.example.com

 

5 Update Your Debian Installation

First, make sure that your /etc/apt/sources.list contains the stretch/updates repository (this makes sure you always get the newest security updates), and that the contrib and non-free repositories are enabled as some required packages are not in the main repository.

nano /etc/apt/sources.list

deb http://ftp.us.debian.org/debian/ stretch main contrib non-free
deb-src http://ftp.us.debian.org/debian/ stretch main contrib non-free

deb http://security.debian.org/debian-security stretch/updates main contrib non-free
deb-src http://security.debian.org/debian-security stretch/updates main contrib non-free

Run:

apt-get update

to update the apt package database, and then run

apt-get upgrade

to install the latest updates (if there are any).

 

6 Change the default Shell

/bin/sh is a symlink to /bin/dash, however we need /bin/bash, not /bin/dash. Therefore we do this:

dpkg-reconfigure dash

Use dash as the default system shell (/bin/sh)? <- no

If you don't do this, the ISPConfig installation will fail.

 

7 Synchronize the System Clock

It is a good idea to synchronize the system clock with an NTP (network time protocol) server over the Internet. Simply run

apt-get install ntp

and your system time will always be in sync.

 

8 Install Postfix, Dovecot, MySQL, rkhunter, and Binutils

We can install Postfix, Dovecot, MySQL, rkhunter, and Binutils with a single command:

apt-get install postfix postfix-mysql postfix-doc mariadb-client mariadb-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve dovecot-lmtpd sudo

If you prefer MySQL over MariaDB, replace the packages "mariadb-client mariadb-server" in the above command with "mysql-client mysql-server".

You will be asked the following questions:

General type of mail configuration: <-- Internet Site
System mail name: <-- server1.example.com

To secure the MariaDB / MySQL installation and to disable the test database, run this command:

mysql_secure_installation

Answer the questions as follows:

Change the root password? [Y/n] <-- y
New password: <-- Enter a new MySQL root password
Re-enter new password: <-- Repeat the MySQL root password
Remove anonymous users? [Y/n] <-- y
Disallow root login remotely? [Y/n] <-- y
Remove test database and access to it? [Y/n] <-- y
Reload privilege tables now? [Y/n] <-- y

Next, open the TLS/SSL and submission ports in Postfix:

nano /etc/postfix/master.cf

Uncomment the submission and smtps sections as follows and add lines where necessary so that this section of the master.cf file looks exactly like the one below.

[...]
submission inet n - - - - smtpd
 -o syslog_name=postfix/submission
 -o smtpd_tls_security_level=encrypt
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
 -o syslog_name=postfix/smtps
 -o smtpd_tls_wrappermode=yes
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
[...]

Restart Postfix afterwards:

service postfix restart
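
Postfix attaches an -o line to the submission or smtps entry only when the line starts with whitespace; a line that begins in column 1 opens a new entry, so the TLS and SASL overrides are silently lost. The following check is an added example, not part of the original tutorial: it reads a master.cf file and reports which of the overrides shown above are really attached to a service. The function names and the sample file are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the tutorial): audit the -o overrides of a master.cf entry.

# Print each "name=value" override attached to inet service $2 in file $1.
mastercf_overrides() {
    awk -v svc="$2" '
        function emit(from,   i) {
            for (i = from; i < NF; i++) if ($i == "-o") print $(i + 1)
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }              # comment or blank line
        /^[ \t]/ { if (insvc) emit(1); next }          # indented: continues the entry
        { insvc = ($1 == svc && $2 == "inet"); if (insvc) emit(9) }   # new entry
    ' "$1"
}

# Report each required override ($3...) of service $2; return 1 if one is missing.
check_service() {
    file=$1; svc=$2; shift 2
    found=$(mastercf_overrides "$file" "$svc")
    rc=0
    for want in "$@"; do
        if printf '%s\n' "$found" | grep -qxF -e "$want"; then
            echo "ok:      $svc $want"
        else
            echo "MISSING: $svc $want"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: submission is indented, smtps has lost its indentation.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
submission inet n - - - - smtpd
 -o syslog_name=postfix/submission
 -o smtpd_tls_security_level=encrypt
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
smtps inet n - - - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
EOF

check_service "$sample" submission \
    smtpd_tls_security_level=encrypt smtpd_sasl_auth_enable=yes \
    smtpd_client_restrictions=permit_sasl_authenticated,reject || true
check_service "$sample" smtps \
    smtpd_tls_wrappermode=yes smtpd_sasl_auth_enable=yes || true
```

On the server, pass /etc/postfix/master.cf instead of the sample file; postconf -P prints the same overrides as Postfix itself parsed them.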

We want MySQL to listen on all interfaces, not just localhost. Therefore, we edit /etc/mysql/mariadb.conf.d/50-server.cnf and comment out the line bind-address = 127.0.0.1 and add the line sql-mode="NO_ENGINE_SUBSTITUTION":

nano /etc/mysql/mariadb.conf.d/50-server.cnf

[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address           = 127.0.0.1

sql-mode="NO_ENGINE_SUBSTITUTION"

[...]

Set the password authentication method in MariaDB to native so we can use PHPMyAdmin later to connect as root user:

echo "update mysql.user set plugin = 'mysql_native_password' where user='root';" | mysql -u root

Edit the file /etc/mysql/debian.cnf and set the MYSQL / MariaDB root password there twice in the rows that start with password.

nano /etc/mysql/debian.cnf

The MySQL root password that needs to be added is shown in red; in this example the password is "howtoforge".

# Automatically generated for Debian scripts. DO NOT TOUCH!
[client]
host = localhost
user = root
password = howtoforge
socket = /var/run/mysqld/mysqld.sock
[mysql_upgrade]
host = localhost
user = root
password = howtoforge
socket = /var/run/mysqld/mysqld.sock
basedir = /usr

Then we restart MariaDB:

service mysql restart

Now check that networking is enabled. Run

netstat -tap | grep mysql

The output should look like this:

root@server1:/home/administrator# netstat -tap | grep mysql
tcp6 0 0 [::]:mysql [::]:* LISTEN 17776/mysqld
root@server1:/home/administrator#
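
With bind-address commented out, port 3306 accepts connections from other hosts, and debian.cnf now holds the root password in cleartext. The following check is an added example, not part of the original tutorial: it classifies the listener from `ss -ltn` output and tests that a file grants nothing to group or others. The function names and the sample `ss` output are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the tutorial): how far do the MariaDB listener and
# the debian.cnf password reach?

# Read `ss -ltn` output on stdin and classify the listeners on TCP port $1:
# "loopback" (127.0.0.1 / ::1 only), "network" (any other address) or "closed".
listen_scope() {
    awk -v port="$1" '
        $1 == "LISTEN" && $4 ~ (":" port "$") {
            addr = $4
            sub(":" port "$", "", addr)
            if (addr == "127.0.0.1" || addr == "[::1]") lo = 1; else net = 1
        }
        END { print (net ? "network" : (lo ? "loopback" : "closed")) }
    '
}

# Succeed only if file $1 grants no permissions to group or others (e.g. mode 600).
is_private() {
    case "$(stat -c %a "$1")" in
        ?00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Constructed `ss -ltn` output: before and after commenting out bind-address.
before='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      80     127.0.0.1:3306     0.0.0.0:*'
after='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      80     [::]:3306          [::]:*'

echo "before: $(printf '%s\n' "$before" | listen_scope 3306)"
echo "after:  $(printf '%s\n' "$after"  | listen_scope 3306)"

# On the server itself (assumes iproute2's ss and GNU stat, both part of Debian):
#   ss -ltn | listen_scope 3306
#   is_private /etc/mysql/debian.cnf || echo "debian.cnf is readable by non-root users"
```

If no other server needs to reach this database, a firewall rule that limits port 3306 to known hosts keeps the "network" result from meaning "reachable by everyone".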

 

9 Install Amavisd-new, SpamAssassin, and ClamAV

To install amavisd-new, SpamAssassin and ClamAV, we run

apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl libdbd-mysql-perl postgrey

The ISPConfig 3 setup uses amavisd which loads the SpamAssassin filter library internally, so we can stop SpamAssassin to free up some RAM:

service spamassassin stop
systemctl disable spamassassin

9.1 Install Metronome XMPP Server (optional)

This step installs the Metronome XMPP Server, which provides a chat server that is compatible with the XMPP protocol. This step is optional; if you do not need a chat server, you can skip it. No other ISPConfig functions depend on this software.

Add the Prosody package repository in Debian.

echo "deb http://packages.prosody.im/debian stretch main" > /etc/apt/sources.list.d/metronome.list
wget http://prosody.im/files/prosody-debian-packages.key -O - | sudo apt-key add -

Update the package list:

apt-get update

and install the packages with apt.

apt-get install git lua5.1 liblua5.1-0-dev lua-filesystem libidn11-dev libssl-dev lua-zlib lua-expat lua-event lua-bitop lua-socket lua-sec luarocks

luarocks install lpc

Add a shell user for Metronome.

adduser --no-create-home --disabled-login --gecos 'Metronome' metronome

Download Metronome to the /opt directory and compile it.

cd /opt; git clone https://github.com/maranda/metronome.git metronome
cd ./metronome; ./configure --ostype=debian --prefix=/usr
make
make install

Metronome has now been installed to /opt/metronome.

Comments

From: Luther at: 2017-06-20 20:48:14

as soon as stretch released you updated your guides, thx for keeping up the hard work

From: nedkox at: 2017-06-23 19:23:48

http/2?

From: marc at: 2017-06-25 10:55:29

The underscore got me confused, it should be "NO_ENGINE_SUBSTITUTION"   . Hope it helps. 

sql-mode="NO_ENGINE_SUBSTITUTION"

From: Oscar at: 2017-06-26 04:11:56

I have a problem with IspConfig:

With initial configuration I create a user and a site and it says this:

The following changes are not yet populated to all servers:

From: till at: 2017-06-26 07:47:10

Writing changes to disk takes about 1 Minute. If the changes have not been written after some time, then please make a post in the forum to get help with your installation issue. Instruction on how to find out what is failing in your install can be found at the end of this post: https://www.howtoforge.com/community/threads/please-read-before-posting.58408/

From: HelLViS69 at: 2017-06-29 20:47:41

Hi, I just installed a fresh Debian 9, but the new server doesn't send/receive emails.

I checked in the logs and the problem is amavis:

giu 29 22:29:18 web amavis[21846]: Starting amavisd: ERROR: MISSING REQUIRED ADDITIONAL MODULES:
giu 29 22:29:18 web amavis[21846]:   DBD::mysql
giu 29 22:29:18 web amavis[21846]: (failed).

I checked apt repo and they are ok, the only package referring to DBD and mysql is libaprutil1-dbd-mysql which isn't installed

Anyone have a clue?

From: HelLViS69 at: 2017-07-06 11:31:52

Hi, I installed libdbd-mysql-perl and amavis is up and running.. I didn't try to send/receive mails yet

From: HelLViS69 at: 2017-07-07 20:04:15

Hi, I finally managed to send/receive mails. The first problem, as in the previous mail, was libdbd-mysql-perl missing. (email receiving)

Then I have a SASL login error, fixed by installing libsasl2-modules.

The last error was sending mail with this error: status=deferred (connect to 127.0.0.1[127.0.0.1]:10026: Connection refused)

The problem here was in /etc/postfix/main.cf: content_filter = amavis:[127.0.0.1]:10024 while in /etc/postfix/tag_as_originating.re there was /^/ FILTER amavis:[127.0.0.1]:10026. As soon as I changed the port to 10024, postfix started to send mails

From: tucuta at: 2017-07-01 06:07:32

This tutorial does not work. He already tried 3 times, he followed the steps well and there are two applications that do not ask for password. When I create a user and when I sync does not work. The message is: The following changes are not yet populated to all servers:

:-(

From: till at: 2017-07-01 06:57:08

The tutorial is working fine. Just had a user who reported to me yesterday that everything worked out of the box and I installed it myself by simple copy/paste of all commands 2 days ago as well without any issues. Your problem is an issue with your server and not the tutorial, when the base system is broken or not a clean fresh install, then the setup will fail. E.g. when services are already installed, then they will not ask for a password. And non-executing ISPConfig jobs can mean that you or the person that made the base install disabled the linux cron daemon. Please post in the forum here at howtoforge to get help with your server installation.

From: Linuxer at: 2017-07-01 17:26:34

Thank you for the new perfect server guide. Works great.

From: brody at: 2017-07-03 05:17:19

letsencrypt does not enable under Sites -> Web domain

From: till at: 2017-07-03 09:03:08

This means that let's encrypt was not able to verify your domain. See let's encrypt FAQ post in the forum: https://www.howtoforge.com/community/threads/lets-encrypt-error-faq.74179/ and post in the Forum if you need further help on configuring your Domain for Let's encrypt.

From: Fab at: 2017-07-05 12:14:03

In order to get amavisd starting you need to install this package:

libdbd-mysql-perl

From: till at: 2017-07-05 12:21:27

I do not have to install this separately on my servers. I'll check that.

From: treki at: 2017-07-07 21:58:20

Configuring phpmyadmin:

ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES). Your options are:
 * abort - Causes the operation to fail; you will need to downgrade, reinstall, reconfigure this package, or otherwise manually intervene to continue using it. This will usually also impact your ability to install other packages until the installation failure is resolved.
 * retry - Prompts once more with all the configuration questions (including ones you may have missed due to the debconf priority setting) and makes another attempt at performing the operation.
 * retry (skip questions) - Immediately attempts the operation again, skipping all questions. This is normally useful only if you have solved the underlying problem since the time the error occurred.
 * ignore - Continues the operation ignoring dbconfig-common errors. This will usually leave this package without a functional database.

Next step for database installation:

abort
retry
retry (skip questions)
ignore

What must I do?

From: till at: 2017-07-10 09:01:19

The error means that you entered a wrong MySQL root password when requested by apt.

From: treki at: 2017-07-07 22:29:11

The same problem in the RoundCube install!

From: treki at: 2017-07-07 23:14:33

ISPconfig installation:

PHP Parse error:  syntax error, unexpected 'if' (T_IF), expecting function (T_FUNCTION) in /usr/local/ispconfig/server/plugins-available/apache2_plugin.inc.php on line 1189

The mysql-password problems are solved.

From: till at: 2017-07-10 08:54:08

Download ISPConfig again and install it.

From: Er1ck at: 2017-07-09 12:39:45

Till, congratulations for the tutorial! It didn't work for me on the first try but I believe in it. For many years, I've set up the systems by hand by the shell and now I want a new life with Ispconfig. :) I want to install it on multiple servers in the cloud and that's why I have a huge hope that it works well. I use Sendmail and Exim4, Postfix will be the first time.

Some servers are in the Google Cloud, which is very restrictive in many things. For email, I'm using Sendgrid with them. My question is if your tutorial and Ispconfig can work fine on a Google Cloud virtual machine using Sendgrid to send emails? The other servers are in Rackspace, Amazon WS and Digital Ocean. Are there any special recommendations for using the tutorial and Ispconfig in these hosting companies?

On special servers some Ispconfig features will be disabled.

 

Thank you so much!

From: till at: 2017-07-10 09:05:30

This setup works fine on cloud services as well. You can configure e.g. sendgrid as outgoing SMTP under System > Server config in ISPConfig. Btw. in case you received that syntax error that the user posted above when using the ISPConfig dev version from git, then just download ISPConfig dev again (or use the stable version which did not have that problem) as the problem has been resolved in the dev code.

From: Jose at: 2017-07-12 22:59:09

Hello, gives the following error, from inside of Ispconfig:

It is a new installation of a Debian 9 in a VPS. I tried 3 times installing the manual from the beginning, always with the same error, and doing the manual exactly.

Thank you.

postfix/smtpd[1664]: fatal: no SASL authentication mechanisms
postfix/smtpd[1753]: fatal: no SASL authentication mechanisms

From: till at: 2017-07-13 06:48:26

There is no issue in the tutorial itself, mail on the resulting setup works flawlessly as you can see e.g. in the downloadable VM. Most likely, you made a mistake while editing the postfix config or you missed to install a package. Please post in the forum to get help with your configuration problem.

From: Zergling at: 2017-07-15 22:43:17

How to set quota when I have virtual machine running on LXC? And my /etc/fstab looks like this:

# UNCONFIGURED FSTAB FOR BASE SYSTEM

From: till at: 2017-07-17 08:18:44

LXC does not have any real quota support. But there are some workarounds to get quota in LXC like this: https://www.howtoforge.com/tutorial/how-to-setup-virtual-containers-with-lxc-and-quota/

But you will probably see a performance decrease.

From: Solstice at: 2017-07-17 21:36:55

There is an issue with the Maria DB for Debian 9 and the echo "update mysql.user set plugin = 'mysql_native_password' where user='root';" | mysql -u root.

If you do the set plugin portion one will end up with an ERROR 1524 (HY000): Plugin  x is not loaded.

From research it seems to have to deal with Maria DB 10x or Mysql 5.7x as it has changed the tables for user passwords.

Please update this, as it gets frustrating during other install portions.

 

From: till at: 2017-07-18 10:39:16

Thank you for your report. I just tested the installation again on a fresh Debian 9 and there are no errors in the MySQL setup as shown in the tutorial. MySQL login with password works flawlessly and MySQL restarts without errors (neither on screen nor in the log file). Maybe you missed editing the debian.cnf file or you did not restart MySQL.

From: Ed at: 2017-07-27 16:15:33

Hi, Apache 2 won't start in section 10 - do you really mean httpoxy, or do you mean httproxy?

From: till at: 2017-07-27 16:26:24

Apache starts absolutely fine with that config here and yes, the name is 'httpoxy'. Don't you know what httpoxy is? Read here: https://httpoxy.org/

When apache does not start with that config, then you might have missed enabling the headers module in apache which is done in the a2enmod command above or you made a typo in one of the commands. In any case, you find the reason for the error that occurs on your server in the apache error.log file.

From: Ed at: 2017-07-27 16:27:46

Please ignore my just sent error report - there was a character missing from my /etc/apache2/conf-available/httpoxy.conf file which I corrected and which is now allowing apache2 to restart - a problem with vim and the mouse!

From: Quentin at: 2017-08-01 11:28:50

Hello,

# Automatically generated for Debian scripts. DO NOT TOUCH!
[client]
host = localhost
user = root
password = howtoforge
socket = /var/run/mysqld/mysqld.sock
[mysql_upgrade]
host = localhost
user = root
password = howtoforge
socket = /var/run/mysqld/mysqld.sock
basedir = /usr

Am I supposed to replace howtoforge by my root password? Is it safe to leave a password in clear?

From: till at: 2017-08-01 11:47:18

Yes, you have to replace it and yes, it's safe as the file can be read by the root user only and the password has to be set in cleartext there.

From: Quentin at: 2017-08-01 12:29:40

Thanks for the answer !

From: Nico at: 2017-08-04 00:37:27

I've received a 404 error when I tried to access phpMyAdmin.

Adding:

Include /etc/phpmyadmin/apache.conf

at the bottom of /etc/apache2/apache2.conf solved my problem.

Rest works great! Thank you very much for this howto.

From: till at: 2017-08-04 07:10:37

When you select the apache installation option during PHPMyAdmin installation as shown in the tutorial, then adding this include manually is not needed.

From: ed at: 2017-08-07 06:04:03

Hi, in step 12.1 should we also a2enconf php7.0-fpm like the terminal return tells us to, or is that a mistake?

From: till at: 2017-08-07 08:56:31

You should not run a2enconf php7.0-fpm.

From: ed at: 2017-08-07 18:42:54

I have the same question - in step 10 I am installing mariadb, yet I was not asked for a mysql root password! And I am reinstalling because I followed this tutorial perfectly 2 days ago, and have not been able to send or receive mail with this production install, even though I did get it working on a test vps - the only difference being that the test vps has exim4 installed, and this one does not. And the error is a failure to communicate with smtp - given in roundcube when I try to send mail.