The Perfect Server - Debian 8.6 (nginx, BIND, Dovecot, ISPConfig 3.1)

This tutorial shows how to prepare a Debian Jessie server (with nginx, BIND, Dovecot) for the installation of ISPConfig 3.1, and how to install ISPConfig 3.1. ISPConfig 3 is a web hosting control panel that allows you to configure the following services through a web browser: Apache or nginx web server, Postfix mail server, Courier or Dovecot IMAP/POP3 server, MySQL, BIND or MyDNS nameserver, PureFTPd, SpamAssassin, ClamAV, and many more. This setup covers nginx (instead of Apache), BIND as DNS Server, and Dovecot as IMAP / POP3 server.

 

1 Preliminary Note

In this tutorial, I use the hostname server1.example.com with the IP address 192.168.1.100 and the gateway 192.168.1.1. These settings might differ for you, so you have to replace them where appropriate. Before proceeding further you need to have a minimal installation of Debian 8. This might be a Debian minimal image from your hosting provider, or you can use the Minimal Debian Server tutorial to set up the base system.

 

2 Install the SSH Server

If you did not install the OpenSSH server during the system installation, you can do it now:

apt-get -y install ssh openssh-server

From now on you can use an SSH client such as PuTTY and connect from your workstation to your Debian 8 server and follow the remaining steps from this tutorial.

 

3 Install a shell text editor (Optional)

I'll use the nano text editor in this tutorial. Some users prefer the classic vi editor, therefore I will install both editors here. The default vi program has some strange behavior on Debian and Ubuntu; to fix this, we install vim-nox:

apt-get -y install nano vim-nox

(You don't have to do this if you use a different text editor such as joe.)

 

4 Configure the Hostname

The hostname of your server should be a subdomain like "server1.example.com". Do not use a domain name without subdomain part like "example.com" as hostname as this will cause problems later with your mail setup. First, you should check the hostname in /etc/hosts and change it when necessary. The line should be: "IP Address - space - full hostname incl. domain - space - subdomain part". Edit /etc/hosts. Make it look like this:

nano /etc/hosts

127.0.0.1       localhost.localdomain   localhost
192.168.1.100   server1.example.com     server1

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Then edit the /etc/hostname file:

nano /etc/hostname

It shall contain only the subdomain part, in our case:

server1

Finally, reboot the server to apply the change:

reboot

Log in again and check whether the hostname is now correct with these commands:

hostname
hostname -f

The output shall be like this:

root@server1:/tmp# hostname
server1
root@server1:/tmp# hostname -f
server1.example.com
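
The rules of this section can be checked before the reboot. The script below is an added example, not part of the original tutorial; the function names, the ROOT argument and the sample files are constructed for illustration. It also catches the common mistake of listing the short name before the full hostname in /etc/hosts, in which case hostname -f no longer returns the full name.

```bash
# Added example, not from the tutorial; names and samples are constructed.

# usage: check_hostname_files ROOT FQDN
# ROOT holds etc/hosts and etc/hostname ("/" on a live server).
# Prints one line per problem and returns 0 only if there is none.
check_hostname_files() {
    local root="${1%/}" fqdn="$2" short canon rc=0
    short="${fqdn%%.*}"

    # The hostname must be a subdomain such as server1.example.com,
    # not a bare domain such as example.com: at least three labels.
    case "$fqdn" in
        *.*.*) ;;
        *) echo "'$fqdn' has no subdomain part"; rc=1 ;;
    esac

    # /etc/hostname contains only the subdomain part.
    if [ "$(tr -d ' \t\n' < "$root/etc/hostname")" != "$short" ]; then
        echo "etc/hostname should contain only '$short'"; rc=1
    fi

    # /etc/hosts must read "IP FQDN short": the resolver treats the first
    # name on the matching line as canonical, and that is the name
    # "hostname -f" prints.
    canon=$(awk -v s="$short" '
        { sub(/#.*/, "") }
        { for (i = 2; i <= NF; i++) if ($i == s) { print $2; exit } }
    ' "$root/etc/hosts")
    if [ -z "$canon" ]; then
        echo "etc/hosts has no entry naming '$short'"; rc=1
    elif [ "$canon" != "$fqdn" ]; then
        echo "etc/hosts lists '$canon' first, expected '$fqdn'"; rc=1
    fi
    return "$rc"
}

# Build a constructed sample root: make_root DIR HOSTS_LINE HOSTNAME
make_root() {
    mkdir -p "$1/etc"
    printf '127.0.0.1 localhost.localdomain localhost\n%s\n' "$2" > "$1/etc/hosts"
    printf '%s\n' "$3" > "$1/etc/hostname"
}

tmp=$(mktemp -d)
make_root "$tmp/good"    "192.168.1.100 server1.example.com server1" server1
make_root "$tmp/swapped" "192.168.1.100 server1 server1.example.com" server1
for r in good swapped; do
    if check_hostname_files "$tmp/$r" server1.example.com; then
        echo "$r: ok"
    else
        echo "$r: needs fixing"
    fi
done
```

On the server itself, call check_hostname_files / server1.example.com with your own hostname.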

 

5 Update Your Debian Installation

First make sure that your /etc/apt/sources.list contains the wheezy-updates repository (this makes sure you always get the newest updates for the ClamAV virus scanner - this project publishes releases very often, and sometimes old versions stop working), and that the contrib and non-free repositories are enabled (some packages such as libapache2-mod-fastcgi are not in the main repository).

nano /etc/apt/sources.list

deb http://ftp.us.debian.org/debian/ jessie main contrib non-free
deb-src http://ftp.us.debian.org/debian/ jessie main contrib non-free

deb http://security.debian.org/ jessie/updates main contrib non-free
deb-src http://security.debian.org/ jessie/updates main contrib non-free

# Debian backports - Required for Letsencrypt
deb http://ftp.debian.org/debian jessie-backports main

IMPORTANT: Add the Debian Backports repository as shown above.

Run

apt-get update

to update the apt package database and

apt-get upgrade

to install the latest updates (if there are any).

 

6 Change the Default Shell

/bin/sh is a symlink to /bin/dash, however we need /bin/bash, not /bin/dash. Therefore we do this:

dpkg-reconfigure dash

Use dash as the default system shell (/bin/sh)? <-- No

If you don't do this, the ISPConfig installation will fail.

 

7 Synchronize the System Clock

It is a good idea to synchronize the system clock with an NTP (network time protocol) server over the Internet. Simply run

apt-get install ntp ntpdate

and your system time will always be in sync.

 

8 Install Postfix, Dovecot, MySQL, phpMyAdmin, rkhunter, binutils

We can install Postfix, Dovecot, MySQL, rkhunter, and Binutils with a single command:

apt-get install postfix postfix-mysql postfix-doc mariadb-client mariadb-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve dovecot-lmtpd sudo

You will be asked the following questions:

General type of mail configuration: <-- Internet Site
System mail name: <-- server1.example.com
New password for the MariaDB "root" user: <-- yourrootsqlpassword
Repeat password for the MariaDB "root" user: <-- yourrootsqlpassword

To secure the MariaDB / MySQL installation and to disable the test database, run this command:

mysql_secure_installation

We don't have to change the MySQL root password as we just set a new one during installation. Answer the questions as follows:

Change the root password? [Y/n] <-- n
Remove anonymous users? [Y/n] <-- y
Disallow root login remotely? [Y/n] <-- y
Remove test database and access to it? [Y/n] <-- y
Reload privilege tables now? [Y/n] <-- y

Next open the TLS/SSL and submission ports in Postfix:

nano /etc/postfix/master.cf

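Uncomment the submission and smtps sections as follows (leave -o milter_macro_daemon_name=ORIGINATING commented out as we don't need it). The -o lines must keep their leading whitespace, because Postfix reads them as continuations of the service line above them: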

[...]
submission inet n - - - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
[...]

Restart Postfix afterwards:

service postfix restart
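
One way to confirm the edit did what was intended, as an added example that is not part of the original tutorial: the script reads master.cf the way Postfix does and reports whether submission and smtps are enabled with the TLS and SASL overrides shown above. A service line that was uncommented while its -o lines stayed commented opens the port without those restrictions, which is the case weak.cf reproduces. The function names and both sample files are constructed for illustration.

```bash
# Added example, not from the tutorial; names and samples are constructed.

# Print the active "-o name=value" overrides of one inet service.
# An entry starts in column 1, lines starting with whitespace continue it,
# and lines whose first non-blank character is "#" are comments.
# Exit status 1 means the service entry is not enabled at all.
mastercf_opts() {    # usage: mastercf_opts FILE SERVICE
    awk -v svc="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[^ \t]/ { active = ($1 == svc && $2 == "inet"); if (active) found = 1 }
        active    { for (i = 1; i < NF; i++) if ($i == "-o") print $(i + 1) }
        END       { exit !found }
    ' "$1"
}

# Succeed only if SERVICE is enabled and carries every listed override.
mastercf_require() { # usage: mastercf_require FILE SERVICE OPT...
    local file="$1" svc="$2" opts opt rc=0
    shift 2
    if ! opts=$(mastercf_opts "$file" "$svc"); then
        echo "$svc: service entry is commented out or missing" >&2
        return 2
    fi
    for opt in "$@"; do
        if ! printf '%s\n' "$opts" | grep -qxF -e "$opt"; then
            echo "$svc: missing -o $opt" >&2
            rc=1
        fi
    done
    return "$rc"
}

# The overrides this tutorial sets on the two client-facing services.
audit_mastercf() {   # usage: audit_mastercf FILE
    local auth="smtpd_client_restrictions=permit_sasl_authenticated,reject" rc=0
    mastercf_require "$1" submission smtpd_tls_security_level=encrypt \
        smtpd_sasl_auth_enable=yes "$auth" || rc=1
    mastercf_require "$1" smtps smtpd_tls_wrappermode=yes \
        smtpd_sasl_auth_enable=yes "$auth" || rc=1
    return "$rc"
}

# Constructed samples: good.cf follows the tutorial; in weak.cf the service
# lines are active but the TLS and SASL overrides were left commented out.
sample_dir=$(mktemp -d)
cat > "$sample_dir/good.cf" <<'EOF'
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
EOF
sed -e 's/^  -o smtpd_tls/#  -o smtpd_tls/' -e 's/^  -o smtpd_sasl/#  -o smtpd_sasl/' \
    "$sample_dir/good.cf" > "$sample_dir/weak.cf"
for f in good weak; do
    if audit_mastercf "$sample_dir/$f.cf"; then echo "$f.cf: ok"; else echo "$f.cf: FAIL"; fi
done
```

On the server, run audit_mastercf /etc/postfix/master.cf after editing the file.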

We want MySQL to listen on all interfaces, not just localhost, therefore we edit /etc/mysql/my.cnf and comment out the line bind-address = 127.0.0.1:

nano /etc/mysql/my.cnf

[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address           = 127.0.0.1
[...]

Then we restart MySQL:

service mysql restart

Now check that networking is enabled. Run

netstat -tap | grep mysql

The output should look like this:

root@server1:~# netstat -tap | grep mysql
tcp        0      0 *:mysql                 *:*                     LISTEN      218123/mysqld
root@server1:~#

 

9 Install Amavisd-new, SpamAssassin, and Clamav

To install amavisd-new, SpamAssassin, and ClamAV, we run:

apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl postgrey

The ISPConfig 3 setup uses amavisd which loads the SpamAssassin filter library internally, so we can stop SpamAssassin to free up some RAM:

service spamassassin stop
systemctl disable spamassassin

9.1 Install Metronome XMPP Server (optional)

This step installs the Metronome XMPP Server, which provides a chat server that is compatible with the XMPP protocol. This step is optional; if you do not need a chat server, you can skip it. No other ISPConfig functions depend on this software.

Add the Prosody package repository in Debian.

echo "deb http://packages.prosody.im/debian jessie main" > /etc/apt/sources.list.d/metronome.list
wget http://prosody.im/files/prosody-debian-packages.key -O - | sudo apt-key add -

Update the package list:

apt-get update

Install the programs that are required for the build process

apt-get install build-essential

and install the packages with apt.

apt-get install git lua5.1 liblua5.1-0-dev lua-filesystem libidn11-dev libssl-dev lua-zlib lua-expat lua-event lua-bitop lua-socket lua-sec luarocks

luarocks install lpc

Add a shell user for Metronome.

adduser --no-create-home --disabled-login --gecos 'Metronome' metronome

Download Metronome to the /opt directory and compile it.

cd /opt; git clone https://github.com/maranda/metronome.git metronome
cd ./metronome; ./configure --ostype=debian --prefix=/usr
make
make install

Metronome has now been installed to /opt/metronome.

Comments

From: Franck63 at: 2016-12-09 00:08:39

Hi Till,

Thank you very much for yet again an excellent tutorial, or should I say a perfect one!

While verifying the provided services I get a "config.inc.php was not found" when trying to use the webmail (roundcube page).

My install went like this

1-   I imported the ova image downloaded from here

2-   I changed the locales and keyboard mapping and adjusted the time zone and ntp

3-   I changed some of the users passwords

4-   I changed the server hostname to ns1.something.com

5-   I verified the installation and am now reporting this.

I think I have a problem with the host name not being changed for the services like mail and probably others

I can clearly see that when I look at the logs.

Is there a procedure explaining what needs to be done when customizing an ova image?

Any help would be much appreciated

Best Regards

F.

 

From: till at: 2016-12-09 07:44:33

There is no guide for customizing the images yet, but I should write one :) The hostname needs to be changed in these places:

 

/etc/hosts

/etc/hostname

/etc/mailname

 

Then check /etc/postfix/main.cf, if it occurs anywhere in that file, then change it there too.

 

Then reboot the server. Finally you should change the hostname in ISPConfig under System > Server config.

 

Regarding the roundcube file, I'll check that. It worked yesterday at the time I built the image, but it might be that I missed or altered something after I checked roundcube.

From: Tony at: 2016-12-09 08:29:51

Hi Till, I made a new installation on debian jessie 8.6 isp3.1 according to this tutorial (I use apache instead). But I have a problem with importing mailboxes from a csv template (I downloaded the mailbox_import_advanced simple script last year and used it with the old version 3.0.xxx many times gracefully) - just nothing happens when I click the button "Import". As a workaround, I tried to import the settings from another ISP3.0.5.4p9 with Import ISPConfig mail with a remote user, but without success! In the interface I just receive the error "Could not connect to host"

From: till at: 2016-12-09 17:05:09

The mailbox import script is for ISPConfig 3.0. ISPConfig 3.1 has a different UI so that extensions from ispconfig 3.0 need to be modified as the function to submit a html form that was used in ispconfig 3.0 has been replaced.

From: Franck63 at: 2016-12-09 16:41:31

Hi Till,

Thank you for the reply

Yes a guide to customizing those images would be invaluable (Time is Money) ;)

I did all 4 file modifications for hostname and also in ISPConfig.

The roundcube worked at one point, but then I completed my customization by changing the rest of the passwords and now I'm back with the same result in Roundcube: "config.inc.php was not found."

Looking at step 18 in your tutorial I now guess that the problem is with the roundcube mysql password !

I'm looking into this!

Any suggestions ?

We must strike the iron now, while it is hot

F.

 

From: till at: 2016-12-09 17:03:20

The config.inc.php file exists in the vmware image, so you might have deleted it while doing the customizations. To change the password of the roundcube mysql user, edit this file:

/etc/roundcube/debian-db.php

The password is in the line "$dbpass=". Then edit the password of the MySQL user with the name "roundcube" in phpmyadmin by using the phpmyadmin user editor.

From: Stoyan Dimitrov at: 2016-12-12 08:35:49

Hi, what about bulk import emails into ispconfig 3.1.  p1

From: Edijs at: 2016-12-12 18:35:44

How to make http://192.168.1.100:8081/webmail accessible at a custom link like http://clientdomain.com/mail?

From: Edijs at: 2016-12-12 18:47:32

I get an error when I try to log in to webmail.

https://10.10.10.195:8081/webmail 

ERR_SSL_PROTOCOL_ERROR

 

From: till at: 2016-12-13 08:36:19

The webmail URL is http://10.10.10.195:8081/webmail as shown in the tutorial and not https://10.10.10.195:8081/webmail.

From: Edijs at: 2016-12-13 09:35:23

Thank you but still get 

404 Not Found

nginx/1.6.2

From: Edijs at: 2016-12-14 10:59:43

Reinstalled, it's OK now.

From: Nomad at: 2016-12-20 14:47:50

Hi,

why: apt-get install python-certbot-apache -t jessie-backports

and not: apt-get install python-certbot-nginx -t jessie-backports ?

From: Nomad at: 2016-12-20 17:29:47

Hi,

do you know why I get this warning and what is it ?

Email Address []:NC
postconf: warning: unmatched request: "maildrop.unix"
Configuring Mailman
Configuring Dovecot...

Thanks

From: Terje at: 2016-12-22 17:38:24

Could not install hhvm. apt-get didn't find the package. So I found this site that explained how to compile it from source. https://docs.hhvm.com/hhvm/installation/building-from-source#debian-8-jessie

But in the end, i got this error:

CMake Error at CMakeLists.txt:41 (MESSAGE):

  HHVM requires a 64bit OS

-- Configuring incomplete, errors occurred!

Is hhvm required for ISPConfig?

From: till at: 2016-12-22 17:43:52

HHVM requires a 64Bit OS and you seem to have a 32Bit os. ISPConfig will work without HHVM, you just can not use the HHVM PHP-Mode then.

From: Thierry at: 2017-01-03 21:05:04

Thanks a lot for your amazing tutorials.

I successfully followed the full installation, including additional php 7.1.

Unfortunately, since I realised it got nginx from the debian repo, which was version 1.6, while the current stable version is 1.10, I updated nginx with the command lines below.

Now nginx is working, I can ie display a phpinfo page, but ispconfig admin page is not accessible anymore on 8080 port.

I tried to play with its vhost setup without success.

Your help would be very helpful, I'm stuck :(. Thanks a lot

$ sudo sh -c "echo 'deb http://nginx.org/packages/debian/ `lsb_release -cs` nginx' >> /etc/apt/sources.list"
$ sudo sh -c "echo 'deb-src http://nginx.org/packages/debian/ `lsb_release -cs` nginx' >> /etc/apt/sources.list"
$ curl https://nginx.org/keys/nginx_signing.key | apt-key add -
$ dpkg -i --force-overwrite /var/cache/apt/archives/nginx_1.10.2-1~jessie_amd64.deb

From: Thierry at: 2017-01-03 21:22:15

In addition to last comment, this is actual ispconfig sites-available vhost :

server {
        listen 8080;
        listen [::]:8080 ipv6only=on;
        ssl on;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_certificate /usr/local/ispconfig/interface/ssl/ispserver.crt;
        ssl_certificate_key /usr/local/ispconfig/interface/ssl/ispserver.key;
        ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES$
        ssl_prefer_server_ciphers on;

        # redirect to https if accessed with http
        error_page 497 https://$host:8080$request_uri;

        server_name MYSERVER_NAME;

        root   /usr/local/ispconfig/interface/web/;

        client_max_body_size 20M;

        location / {
               index.php index.html;
#               try_files $uri $uri/ =404;
        }

        # serve static files directly
        location ~* ^.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt)$ {
               access_log        off;
        }

        location ~ \.php$ {
#               include /etc/nginx/snippets/fastcgi-php.conf;
#               fastcgi_pass unix:/var/run/php5-fpm.sock;
                try_files $uri =404;
                include /etc/nginx/fastcgi_params;
                fastcgi_pass unix:/var/lib/php5-fpm/ispconfig.sock;
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                fastcgi_param PATH_INFO $fastcgi_script_name;
                fastcgi_buffer_size 128k;
                fastcgi_buffers 256 4k;
                fastcgi_busy_buffers_size 256k;
                fastcgi_temp_file_write_size 256k;
                fastcgi_read_timeout 1200;
                fastcgi_temp_file_write_size 256k;
                fastcgi_read_timeout 1200;
                fastcgi_param HTTP_PROXY "";
        }

        location ~ /\. {
               deny  all;
        }

 

Hope you can help ! Sincerely

From: Thierry at: 2017-01-04 08:54:26

Hi Till, very last comment I promise ;-)

I could access ispconfig UI after restoring original ispconfig.vhost and editing as following :

#include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*.vhost;

I don't know if it will be enough for future administration of sites from ispconfig, or if I'll encounter more and more troubles... ?

Any comment about that configuration would be really appreciated. Thank you again for all your tutorials.

Kind regards.

From: nababan at: 2017-01-11 11:25:04

Hi... Thank you for the tutorial,

I used your tutorial to install on my existing Bind9 server, but after completion I found that named is conflicted. I just realized that there is a Bind config in this tutorial. Please enlighten me how to solve this named/bind conflict, thank you so much

From: helios at: 2017-01-18 19:50:58

Hi, I have two problems:

What's the log & pass by default for roundcube?

And for isp3 I can't log in. I put admin/admin and this doesn't work, can you help me? thx

From: till at: 2017-01-19 08:11:01

You log in to roundcube with the email account details. Create an email account in ispconfig and then use the email address plus password for the login to roundcube.

From: Mark Vang at: 2017-01-19 03:58:35

Installing RoundCube with this command does not work with Debian 8. It is unable to locate package roundcube, core, mysql, plugin

From: till at: 2017-01-19 08:11:49

The packages exist in Debian 8. Compare your /etc/apt/sources.list file with the one of this tutorial.

From: Leigh at: 2017-01-27 06:33:11

Hi, quick question, at the part when you say "check the network is running with: netstat -tap | grep mysql" I am getting results in ipv6 instead of ipv4. Like this:

tcp6   0 0   [::]:mysql    [::]:*     LISTEN       27062/mysqld

How can I ensure I get an ipv4 result instead?

From: Andrey at: 2017-02-02 22:49:17

Isn't it a little typo with certbot installation? Since this is an nginx server, the package for the letsencrypt certificate should be python-certbot-nginx (not python-certbot-apache).

From: Ben at: 2017-02-04 10:28:48

Hi, Roundcube not working. Gives a blank screen. 

From: Thierry at: 2017-02-05 23:01:29

Hi Till,

I have these mail error logs:

- dovecot: imap-login: Fatal: Can't load private ssl_key: Key is for a different cert than ssl_cert
- dovecot: master: Error: service(imap-login): command startup failed, throttling for 60 secs

I did no customization to the default config, I'm wondering how to solve it? This is the beginning of dovecot.conf:

listen = *,[::]
protocols = imap pop3
auth_mechanisms = plain login
disable_plaintext_auth = no
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_privileged_group = vmail
ssl_cert = </etc/postfix/smtpd.cert
ssl_key = </etc/postfix/smtpd.key
ssl_protocols = !SSLv2 !SSLv3

Any help to put me on the right track would be really appreciated. Thank you. Best regards

From: Rand at: 2017-02-13 03:07:32

perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
        LANGUAGE = (unset),
        LC_ALL = (unset),
        LANG = "en_US.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").

I got this error, and resolved it with the following command. 

% env LANG=C perl -e exit %

From: Kuanysh at: 2017-02-23 04:57:09

Installed ISPConfig with this tutorial. But getting error 403 on websites.

From: Nicholas at: 2017-02-25 02:55:16

Hi, I have an issue with debian 8

root@titania:~# quotacheck -avugm

quotacheck: Cannot stat() mounted device /dev/root: No such file or directory

quotacheck: Cannot find filesystem to check or filesystem not mounted with quota option.

In fstab I don't have "/dev/root" but "/dev/sda2". How do I fix this error? Thanks!