There is a new version of this tutorial available for Debian 10 (Buster).

The Perfect Server - Debian 8.6 (nginx, BIND, Dovecot, ISPConfig 3.1)

This tutorial shows how to prepare a Debian Jessie server (with nginx, BIND, Dovecot) for the installation of ISPConfig 3.1, and how to install ISPConfig 3.1. ISPConfig 3 is a web hosting control panel that allows you to configure the following services through a web browser: Apache or nginx web server, Postfix mail server, Courier or Dovecot IMAP/POP3 server, MySQL, BIND or MyDNS nameserver, PureFTPd, SpamAssassin, ClamAV, and many more. This setup covers nginx (instead of Apache), BIND as DNS Server, and Dovecot as IMAP / POP3 server.


1 Preliminary Note

In this tutorial, I use the hostname with the IP address and the gateway These settings might differ for you, so you have to replace them where appropriate. Before proceeding further you need to have a minimal installation of Debian 8. This might be a Debian minimal image from your hosting provider or you use the Minimal Debian Server tutorial to setup the base system.


2 Install the SSH Server

If you did not install the OpenSSH server during the system installation, you can do it now:

apt-get -y install ssh openssh-server

From now on you can use an SSH client such as PuTTY and connect from your workstation to your Debian 8 server and follow the remaining steps from this tutorial.


3 Install a shell text editor (Optional)

I'll use nano text editor in this tutorial. Some users prefer the classic vi editor, therefore I will install both editors here. The default vi program has some strange behavior on Debian and Ubuntu; to fix this, we install vim-nox:

apt-get -y install nano vim-nox

(You don't have to do this if you use a different text editor such as joe.)


4 Configure the Hostname

The hostname of your server should be a subdomain like "". Do not use a domain name without subdomain part like "" as hostname as this will cause problems later with your mail setup. First, you should check the hostname in /etc/hosts and change it when necessary. The line should be: "IP Address - space - full hostname incl. domain - space - subdomain part". Edit /etc/hosts. Make it look like this:

nano /etc/hosts       localhost.localdomain   localhost     server1

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Then edit the /etc/hostname file:

nano /etc/hostname

It shall contain only the subdomain part, in our case:


Finally, reboot the server to apply the change:


Login again and check if the hostname is correct now with these commands:

hostname -f

The output shall be like this:

[email protected]:/tmp# hostname
[email protected]:/tmp# hostname -f


5 Update Your Debian Installation

First make sure that your /etc/apt/sources.list contains the wheezy-updates repository (this makes sure you always get the newest updates for the ClamAV virus scanner - this project publishes releases very often, and sometimes old versions stop working), and that the contrib and non-free repositories are enabled (some packages such as libapache2-mod-fastcgi are not in the main repository).

nano /etc/apt/sources.list
deb jessie main contrib non-free
deb-src jessie main contrib non-free

deb jessie/updates main contrib non-free
deb-src jessie/updates main contrib non-free

# Debian backports - Required for Letsencrypt
deb jessie-backports main

IMPORTANT: Add the Debian Backports repository as shown above.


apt-get update

to update the apt package database and

apt-get upgrade

to install the latest updates (if there are any).


6 Change the Default Shell

/bin/sh is a symlink to /bin/dash, however we need /bin/bash, not /bin/dash. Therefore we do this:

dpkg-reconfigure dash

Use dash as the default system shell (/bin/sh)? <-- No

If you don't do this, the ISPConfig installation will fail.


7 Synchronize the System Clock

It is a good idea to synchronize the system clock with an NTP (network time protocol) server over the Internet. Simply run

apt-get install ntp

and your system time will always be in sync.


8 Install Postfix, Dovecot, MySQL, rkhunter, binutils

We can install Postfix, Dovecot, MySQL, rkhunter, and Binutils with a single command:

apt-get install postfix postfix-mysql postfix-doc mariadb-client mariadb-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve dovecot-lmtpd sudo

You will be asked the following questions:

General type of mail configuration: <-- Internet Site
System mail name: <--
New password for the MariaDB "root" user: <-- yourrootsqlpassword
Repeat password for the MariaDB "root" user: <-- yourrootsqlpassword

To secure the MariaDB / MySQL installation and to disable the test database, run this command:


We don't have to change the MySQL root password as we just set a new one during installation. Answer the questions as follows:

Change the root password? [Y/n] <-- n
Remove anonymous users? [Y/n] <-- y
Disallow root login remotely? [Y/n] <-- y
Remove test database and access to it? [Y/n] <-- y
Reload privilege tables now? [Y/n] <-- y

Next open the TLS/SSL and submission ports in Postfix:

nano /etc/postfix/

Uncomment the submission and smtps sections as follows (leave -o milter_macro_daemon_name=ORIGINATING as we don't need it):

submission inet n - - - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING [...]

Restart Postfix afterwards:

service postfix restart

We want MySQL to listen on all interfaces, not just localhost, therefore we edit /etc/mysql/my.cnf and comment out the line bind-address =

nano /etc/mysql/my.cnf
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address           =

Then we restart MySQL:

service mysql restart

Now check that networking is enabled. Run

netstat -tap | grep mysql

The output should look like this:

[email protected]:~# netstat -tap | grep mysql
tcp        0      0 *:mysql                 *:*                     LISTEN      218123/mysqld
[email protected]:~#


9 Install Amavisd-new, SpamAssassin, and Clamav

To install amavisd-new, SpamAssassin, and ClamAV, we run:

apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl postgrey

The ISPConfig 3 setup uses amavisd which loads the SpamAssassin filter library internally, so we can stop SpamAssassin to free up some RAM:

service spamassassin stop
systemctl disable spamassassin

9.1 Install Metronome XMPP Server (optional)

This step installs the Metronome XMPP Server which provides a chat server that is compatible with the XMPP protocol. This step is optional, if you do not need a chat server, then you can skip this step. No other ISPConfig functions depend on this software.

Add the Prosody package repository in Debian.

echo "deb jessie main" > /etc/apt/sources.list.d/metronome.list
wget -O - | sudo apt-key add -

Update the package list:

apt-get update

Install the programs that are required for the build process

apt-get install build-essential

and install the packages with apt.

apt-get install git lua5.1 liblua5.1-0-dev lua-filesystem libidn11-dev libssl-dev lua-zlib lua-expat lua-event lua-bitop lua-socket lua-sec luarocks luarocks
luarocks install lpc

Add a shell user for Metronome.

adduser --no-create-home --disabled-login --gecos 'Metronome' metronome

Download Metronome to the /opt directory and compile it.

cd /opt; git clone metronome
cd ./metronome; ./configure --ostype=debian --prefix=/usr
make install

Metronome has now be installed to /opt/metronome.

Share this page:

51 Comment(s)

Add comment

Please register in our forum first to comment.


By: Franck63

Hi Till,

Thank you  very much for yet again an excellent tutorial or should i say a perfect one!

While verifying  the provided services I get a " was not found" when trying to use the webmail (roundcube page).

My install went like this

1-   I imported the ova image downloaded from here

2-   I change the locales and keyboard mapping and adjusted the time zone and ntp

3-   I changed some of the users passwords

4-   I changed the server hostname to

5-   I verified the installation and now reporting this.

I think I have a problem with the host name not being changed for the services like mail and probably others

I can clearly see that when I look at the logs.

Is there a procedure explaining what needs to be done when customizing an ova image

Any help would be much appreciated

Best Regards



By: till

There is no guide for custimizing the images yet, but I should write one :) The hostname needs to be changed in these places:






Then check /etc/postfix/, if it occurs anywhere in that file, then change it there too.


Then reboot the server. Finally you should change the hostname in ISPConfig under System > Server config.


Regarding roundcube file, I'll check that. It worked yesterday at the time I build the image but it might be that I missed or altered something after I checked roundcube.

By: Tony

Hi Till, I make a new instalation on debian jessie 8.6 isp3.1 according this tutorial (I use apache instead). But I have problem with import mailboxes from csv template (I download mailbox_import_advanced simple script last yaer and used it with old version many times gracefully) - just notting happens when I click button "Import". Work arround on this I try to import settings from other ISP3.0.5.4p9 with Import ISPConfig mail with remote user, but not success! On Interface just receive error "Could not connect to host" 

By: till

The mailbox import script is for ISPConfig 3.0. ISPConfig 3.1 has a different UI so that extensions from ispconfig 3.0 need to be modified as the function to submit a html form that was used in ispconfig 3.0 has been replaced.

By: Franck63

Hi Till,

Thank you for the reply

Yes a guide to customizing those images would be invaluable (Time is Money) ;)

I did all 4 file modifications for hostname and also in ISPConfig.

the roundcube worked at one point. but then I completed my customization by changing the rest of the passwords and now

I'm back with same result in Roundcube " was not found."

Looking at step 18 in your tutorial I now guess that the problem is with the roundcube mysql password !

I'm looking into this!

Any suggestions ?

Wir müssen das Eisen jetzt schmieden, solange es heiß ist



By: till

The file exists in the vmware image, so you might have deleted it while doing the customizations. To change the password of the roundcube mysql user, edit this file:


The password is in the line "$dbpass=". Then edit the password of the MySQL user with the name "roundcube" in phpmyadmin by using the phpmyadmin user editor.

By: Stoyan Dimitrov

Hi, what about bulk import emails into ispconfig 3.1.  p1

By: Edijs

 How to make accest to custom link like

By: Edijs

I get error when try login to webmail. 



By: till

The webmail URL is as shown in the tutorial and not

By: Edijs

Thank you but still get 

404 Not Found


By: Edijs

Reinstall its ok now. 

By: Nomad


why: apt-get install python-certbot-apache -t jessie-backports

and not: apt-get install python-certbot-nginx -t jessie-backports ?

By: Nomad


do you know why I get this warning and what is it ?

Email Address []:NC postconf: warning: unmatched request: "maildrop.unix" Configuring Mailman Configuring Dovecot...


By: Terje

Could not install hhvm. apt-get didnt find the package. So i found this site that explained how to compile it from source.

But in the end, i got this error:

CMake Error at CMakeLists.txt:41 (MESSAGE):

  HHVM requires a 64bit OS

-- Configuring incomplete, errors occurred!

is hhvm required for ISPconfig?

By: till

HHVM requires a 64Bit OS and you seem to have a 32Bit os. ISPConfig will work without HHVM, you just can not use the HHVM PHP-Mode then.

By: Thierry

Thanks a lot for your amazing tutorials.

I successfully followed the full installation, included additionnal php 7.1.

UNfortunately, since I realised it got nginx from debian repo which was 1.6 version, while current stable version is 1.10, I updated nginx with command lines below.

Now nginx is working, I can ie display a phpinfo page, but ispconfig admin page is not accessible anymore on 8080 port.

I tried to play with its vhost setup without success.

Your help would be very helpful, I'm stuck :(. Thanks a lot

$ sudo sh -c "echo 'deb `lsb_release -cs` nginx' >> /etc/apt/sources.list" $ sudo sh -c "echo 'deb-src `lsb_release -cs` nginx' >> /etc/apt/sources.list" $ curl | apt-key add -$ dpkg -i --force-overwrite /var/cache/apt/archives/nginx_1.10.2-1~jessie_amd64.deb

By: Thierry

In addition to last comment, this is actual ispconfig sites-available vhost :

server {        listen 8080;        listen [::]:8080 ipv6only=on;                ssl on;                ssl_protocols TLSv1 TLSv1.1 TLSv1.2;        ssl_certificate /usr/local/ispconfig/interface/ssl/ispserver.crt;        ssl_certificate_key /usr/local/ispconfig/interface/ssl/ispserver.key;        ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES$        ssl_prefer_server_ciphers on;                # redirect to https if accessed with http                error_page 497 https://$host:8080$request_uri;        server_name MYSERVER_NAME;        root   /usr/local/ispconfig/interface/web/;        client_max_body_size 20M;        location / {               index.php index.html;#               try_files $uri $uri/ =404;        }        # serve static files directly        location ~* ^.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt)$ {               access_log        off;        }       location ~ \.php$ {#               include /etc/nginx/snippets/fastcgi-php.conf;#               fastcgi_pass unix:/var/run/php5-fpm.sock;                try_files $uri =404;               include /etc/nginx/fastcgi_params;                fastcgi_pass unix:/var/lib/php5-fpm/ispconfig.sock;                fastcgi_index index.php;                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;                fastcgi_param PATH_INFO $fastcgi_script_name;                fastcgi_buffer_size 128k;                fastcgi_buffers 256 4k;                fastcgi_busy_buffers_size 256k;                fastcgi_temp_file_write_size 256k;                fastcgi_read_timeout 1200;                fastcgi_temp_file_write_size 256k;                fastcgi_read_timeout 1200;                fastcgi_param HTTP_PROXY "";        }        location ~ /\. {               deny  all;        }


Hope you can help ! Sincerely

By: Thierry

Hi Till, very last comment I promise ;-)

I could access ispconfig UI after restoring original ispconfig.vhost and editing as following :

#include /etc/nginx/conf.d/*.conf;include /etc/nginx/sites-enabled/*.vhost;

I don't know if it will be enough for future administration of sites from ispconfig, or if I'll encounter more and more troubles... ?

Any comment about that configuration would be really appreciated. Thank you again for all your tutorials.

Kind regards.

By: nababan

Hi... Thank you for the tutorial,

I use your tutorial to install my existing Bind9 server, but after complte i found that named is conflicted.. just realized that there is Bind config in this tutorial. Please enlighten me ho to solve this named/bind conflict, thank you so much

By: helios

hi, I have two problems:

what's log & pass by default for roundcube?

and for isp3 I can't log in. I put admin/admin and this don't work, can you help me? thx

By: till

You login with the amil account details to roundcube. Create an email account in ispconfig and then use the email address plus password for the login to roundcube.

By: Mark Vang

Install RoundCube with this command does not work with the debian 8. it uable to locate package roundcube, core, mysql, plugin

By: till

The packages exist in Debian 8. Compare your /etc/apt/sources.list file with the one of this tutorial.

By: Leigh

Hi, quick question, at the part when you say "check the network is running with: netstat -tap | grep mysql" I am getting results in ipv6 instead of ipv4. Like this:

tcp6   0 0   [::]:mysql    [::]:*     LISTEN       27062/mysqld

how can I ensure i get an ipv4 result instead? 

By: Andrey

Isn't it a little typo with certbot installation? Since this is an nginx server, the package for letsencypt certificate should be python-certbot-nginx (not python-certbot-apache).

By: Ben

Hi, Roundcube not working. Gives a blank screen. 

By: Thierry

Hi Till,   I have these mail error logs : - dovecot: imap-login: Fatal: Can't load private ssl_key: Key is for a different cert than ssl_cert - dovecot: master: Error: service(imap-login): command startup failed, throttling for 60 secs   I did no customization to default config, I'm wondering how to solve it ? This is the beginning of dovecot.conf : listen = *,[::]protocols = imap pop3auth_mechanisms = plain logindisable_plaintext_auth = nolog_timestamp = "%Y-%m-%d %H:%M:%S "mail_privileged_group = vmailssl_cert = </etc/postfix/smtpd.certssl_key = </etc/postfix/smtpd.keyssl_protocols = !SSLv2 !SSLv3 Any help to put my on the right track would be really appreciated. Thank you. Best regards

By: Rand

perl: warning: Setting locale failed. perl: warning: Please check that your locale settings: LANGUAGE = (unset), LC_ALL = (unset), LANG = "en_US.UTF-8" are supported and installed on your system. perl: warning: Falling back to the standard locale ("C").

I got this error, and resolved it with the following command. 

% env LANG=C perl -e exit %

By: Kuanysh

Installed ISPConfig with this tutorial. But getting error 403 on websites.

By: Nicholas

Hi, i have a issue with debian 8

[email protected]:~# quotacheck -avugm

quotacheck: Cannot stat() mounted device /dev/root: No such file or directory

quotacheck: Cannot find filesystem to check or filesystem not mounted with quota option.

in fstab i don't have "/dev/root" but "/dev/sda2" how fix this error? Thanks!

By: Abdelkarim Mateos

apt-get install roundcube roundcube-core roundcube-mysql roundcube-plugins

Reading package lists... Done

Building dependency tree

Reading state information... Done

E: Unable to locate package roundcube

E: Unable to locate package roundcube-core

E: Unable to locate package roundcube-mysql

E: Unable to locate package roundcube-plugins


Edit manual for correct steps.

echo "deb jessie-backports main" >> /etc/apt/sources.list

apt-get update

By: Abdelkarim Mateos

Not work my last post... beacuse backwards force install apache... 

By: Thomas

Dear Author,

How can I get back to nginx? I've followed the Tut for Deb7 (Wheezy) a vew moths before and had nginx there. Now I've reset my server and reinstalled everything from scratch. I did all the steps of the tutorial, but still have one problem: When i open the root-web-page theres a big box saying: Apache2 Debian Default Page.

Are there even differences between nginx and apache? I only now, nginx worked fine.Thank you!Thomas

By: till

You probably have already nginx. The default page shows always apache, it is a fixed text and does not indicate which web server you use, no matter if apache or nginx is installed.

By: Julius

Followed it to the letter (with one exception, I used the nginx repo to get a newer nginx in my Debian 8..) ISPconfig install gave me two warnings, with probably the same cause:

At this stage I got:

Configuring Apps vhostPHP Warning:  symlink(): No such file or directory in /tmp/ispconfig3_install/install/lib/installer_base.lib.php on line 2101Install ISPConfig Web Interface (y,n) [y]:Looked it up, it's this line at 2101:    symlink($vhost_conf_dir.'/apps.vhost', $vhost_conf_enabled_dir.'/000-apps.vhost');Then, later on, at this point:

PHP Warning:  symlink(): No such file or directory in /tmp/ispconfig3_install/install/lib/installer_base.lib.php on line 2540Configuring DBServerInstalling ISPConfig crontab

Looked it up, this is that line 2540:    symlink($vhost_conf_dir.'/ispconfig.vhost', $vhost_conf_enabled_dir.'/000-ispconfig.vhost');

Because, well, ISPconfig webui does not appear at the given URL:port.. Solution?

By: till

>  I used the nginx repo to get a newer nginx in my Debian 8..

And that's the reason for your error, you installed an incompatibe nginx package and therefre the installation failed asy our package used different paths then the one from Debian. Uninstall ispconfig, uninstall the nginx package that you installed, then install the Debian Nginx package as described in the tutorial and then install ISPConfig again.


Good Job! 

By: Susan

Everything went fairly smooth considering never used debian before:)

Have error with Roundcube:


CONFIGURATION ERROR was not found.Please read the INSTALL instructions!


Have searched around and seen advice on possible fix but nohting seems to work.

Can access the page <IP>:8081/squirrelmail/ but above error message. How can I fix this?

Many thanks in advance.



By: monnoliv


Ty again for this great tutorial.

Just one question, since we install fail2ban, is this one prtected against ipv6 ssh attacks ?



By: Jonathan

soon or later

mariadb config is : nano /etc/mysql/mariadb.conf.d/50-server.cnf

and don't depend on mysql config anymore

nano /etc/mysql/my.cnf

By: brody

this line does not work with current postfix 

( -o smtpd_client_restrictions=permit_sasl_authenticated,reject )

By: till

The line works fine with the latest postfix that ships with Debian 8. Maybe you missed to add a whitspce (or two) in front of the line.

By: CS

So to get you right:Step 11 - Install LetsEncryptStep 13 - Create a self-signed SSL cert for FTP?!--Why..?

By: till

That's correct and intended this way. The letsencrypt installation is for website SSL certs hosted in ISPConfig later. A self-signed SSL cert is used for FTP as it is required for the setup at that point and on many setups, you don't have a domain name that is externally reachable by LE at that setup stage, so these setups would fail without creating the self signed cert. You can later replace the cert with an LE cert of course, see e.g. here:

By: Ray

I used the 8.4 apache tutorial to get certbot


mkdir /opt/certbotcd /opt/certbotwget a+x ./certbot-auto


Now run the certboot-auto command which will download and install the software and it's dependencies.




By: roller24

couldn't do a setup without you, thanks so much...


After a default setup with no mailboxes established, Firefox complains of insecure login on Roundcube... Chrome doesn't. is the login using TLS?


By: Fefu

Thank you for this tutorial. It is very precise, informative, and useful. Two great projects Debian and ISPConfig are joined together with your wisdom.

By: vclarine


I am triying this tutorial but i can not the debian 8.6 version. I could not get the old version jessie 8.6 on debian site. Can somebody help me ?


By: NJel

edit /etc/postfix/

mydestination =, , localhost

By: Marin

They already have another recommended way to install letsencrypt ( ).

wget sudo mv certbot-auto /usr/local/bin/certbot-auto sudo chown root /usr/local/bin/certbot-auto sudo chmod 0755 /usr/local/bin/certbot-auto