There is a new version of this tutorial available for Ubuntu 20.04 (Focal Fossa).

The Perfect Server - Ubuntu 15.10 (Wily Werewolf) with Apache, PHP, MySQL, PureFTPD, BIND, Postfix, Dovecot and ISPConfig 3

This tutorial shows the installation of an Ubuntu 15.10 (Wily Werewolf) web hosting server with Apache2, Postfix, Dovecot, Bind and PureFTPD to prepare it for the installation of ISPConfig 3. The resulting system will provide a Web, Mail, Mailinglist, DNS and FTP Server.

ISPConfig 3 is a web hosting control panel that allows you to configure the following services through a web browser: Apache or nginx web server, Postfix mail server, Courier or Dovecot IMAP/POP3 server, MySQL, BIND or MyDNS nameserver, PureFTPd, SpamAssassin, ClamAV, and many more. This setup covers the installation of Apache (instead of Nginx), BIND (instead of MyDNS), and Dovecot (instead of Courier).

1. Preliminary Note

In this tutorial I use the hostname with the IP address and the gateway . These settings might differ for you, so you have to replace them where appropriate.  Before proceeding further you need to have a basic minimal installation of Ubuntu 15.10 as explained in tutorial.

2. Edit /etc/apt/sources.list And Update Your Linux Installation

Edit /etc/apt/sources.list. Comment out or remove the installation CD from the file and make sure that the universe and multiverse repositories are enabled. It should look like this afterwards:

nano /etc/apt/sources.list

# deb cdrom:[Ubuntu-Server 15.10 _Wily Werewolf_ - Release amd64 (20151021)]/ wily main restricted

#deb cdrom:[Ubuntu-Server 15.10 _Wily Werewolf_ - Release amd64 (20151021)]/ wily main restricted

# See for how to upgrade to
# newer versions of the distribution.
deb wily main restricted
deb-src wily main restricted

## Major bug fix updates produced after the final release of the
## distribution.
deb wily-updates main restricted
deb-src wily-updates main restricted

## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team. Also, please note that software in universe WILL NOT receive any
## review or updates from the Ubuntu security team.
deb wily universe
deb-src wily universe
deb wily-updates universe
deb-src wily-updates universe

## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in
## multiverse WILL NOT receive any review or updates from the Ubuntu
## security team.
deb wily multiverse
deb-src wily multiverse
deb wily-updates multiverse
deb-src wily-updates multiverse

## N.B. software from this repository may not have been tested as
## extensively as that contained in the main release, although it includes
## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team.
deb wily-backports main restricted universe multiverse
deb-src wily-backports main restricted universe multiverse

deb wily-security main restricted
deb-src wily-security main restricted
deb wily-security universe
deb-src wily-security universe
deb wily-security multiverse
deb-src wily-security multiverse

## Uncomment the following two lines to add software from Canonical's
## 'partner' repository.
## This software is not part of Ubuntu, but is offered by Canonical and the
## respective vendors as a service to Ubuntu users.
# deb wily partner
# deb-src wily partner

Then run

apt-get update

to update the apt package database and

apt-get upgrade

to install the latest updates (if there are any). If you see that a new kernel gets installed as part of the updates, you should reboot the system afterwards:



3. Change The Default Shell

/bin/sh is a symlink to /bin/dash, however we need /bin/bash, not /bin/dash. Therefore we do this:

dpkg-reconfigure dash

Use dash as the default system shell (/bin/sh)? <-- No

If you don't do this, the ISPConfig installation will fail.


4. Disable AppArmor

AppArmor is a security extension (similar to SELinux) that should provide extended security. In my opinion you don't need it to configure a secure system, and it usually causes more problems than advantages (think of it after you have done a week of trouble-shooting because some service wasn't working as expected, and then you find out that everything was ok, only AppArmor was causing the problem). Therefore I disable it (this is a must if you want to install ISPConfig later on).

We can disable it like this:

service apparmor stop 
update-rc.d -f apparmor remove
apt-get remove apparmor apparmor-utils


5. Synchronize the System Clock

It is a good idea to synchronize the system clock with an NTP (network time protocol) server over the Internet when you run a physical server. In case you run a virtual server then you should skip this step. Just run

apt-get install ntp ntpdate

and your system time will always be in sync.


6. Install Postfix, Dovecot, MariaDB, phpMyAdmin, rkhunter, binutils

For installing postfix, we need to ensure that sendmail is not installed and running. To stop and remove sendmail run this command:

service sendmail stop; update-rc.d -f sendmail remove

The error message:

Failed to stop sendmail.service: Unit sendmail.service not loaded.

Is ok, it just means that sendmail was not installed, so there was nothing to be removed.

Now we can install Postfix, Dovecot, MariaDB (as MySQL replacement), rkhunter, and binutils with a single command:

apt-get install postfix postfix-mysql postfix-doc mariadb-client mariadb-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve sudo

You will be asked the following questions:

General type of mail configuration: <-- Internet Site
System mail name: <--

It is important that you use a subdomain as "system mail name" like or and not a domain that you want to use as email domain (e.g. yourdomain.tld) later.

Next open the TLS/SSL and submission ports in Postfix:

nano /etc/postfix/

Uncomment the submission and smtps sections as follows - add the line -o smtpd_client_restrictions=permit_sasl_authenticated,reject to both sections and leave everything thereafter commented:

submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING

NOTE: The whitespaces in front of the "-o .... " lines are important!

Restart Postfix afterward:

service postfix restart

We want MySQL to listen on all interfaces, not just localhost, therefore we edit /etc/mysql/my.cnf and comment out the line bind-address =

nano /etc/mysql/mariadb.conf.d/mysqld.cnf
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address           =

Now we set a root password in MariaDB. Run:


You will be asked these questions:

Enter current password for root (enter for none): <-- press enter
Set root password? [Y/n] <-- y
New password: <-- Enter the new MariaDB root password here
Re-enter new password: <-- Repeat the password
Remove anonymous users? [Y/n] <-- y
Disallow root login remotely? [Y/n] <-- y
Reload privilege tables now? [Y/n] <-- y

Then we restart MariaDB:

service mysql restart

Now check that networking is enabled. Run

netstat -tap | grep mysql

The output should look like this:

[email protected]:~# netstat -tap | grep mysql
tcp        0      0 *:mysql                 *:*                     LISTEN      24603/mysqld    
[email protected]:~# 

7. Install Amavisd-new, SpamAssassin, And Clamav

To install amavisd-new, SpamAssassin, and ClamAV, we run

apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl

The ISPConfig 3 setup uses amavisd which loads the SpamAssassin filter library internally, so we can stop SpamAssassin to free up some RAM:

service spamassassin stop 
update-rc.d -f spamassassin remove

Edit the clamd configuration file:

nano /etc/clamav/clamd.conf

and change the line:

AllowSupplementaryGroups false


AllowSupplementaryGroups true 

And save the file. To start clamav use

service clamav-daemon start


Share this page:

Suggested articles

44 Comment(s)

Add comment


By: Saeid


Like always, your guides are clean and straight.

However, Ther are people like me who still are intersted for "Squirrelmail" rather than "RoundCup".

May I kindly ask you to include "Squirrelmail" general setup and tips for ISPConfig 3 on this version as well so we have option to choose whatever is require.


Many thanks,

By: uteliux

RoundCub not working after instalation... :( buttons are not active

By: Nelo X

RoundCub not working after instalation , buttons do nothing :\

By: fred

Hi, Thank you for this tuto. Very clear and usefull!!

Why not complete with the mail part (SPF, domain check ...)


By: Bill Keenan

Step 6, "netstat -tap | grep mysql", shows an entry for tcp6; however, there is not entry for 'tcp'. Clean install as a VM on vSphere 5.5u2. Has something changed in 15.10 as regards starting MySQL?



eno16777984 Link encap:Ethernet  HWaddr 00:50:56:81:7d:dd  

          inet addr:  Bcast:  Mask:

          inet6 addr: fe80::250:56ff:fe81:7ddd/64 Scope:Link


          RX packets:1697 errors:0 dropped:214 overruns:0 frame:0

          TX packets:549 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:1000 


          RX bytes:1402618 (1.4 MB)  TX bytes:73865 (73.8 KB)



Active Internet connections (servers and established)

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name

tcp        0      0 *:pop3                  *:*                     LISTEN      672/dovecot     

tcp        0      0 *:imap2                 *:*                     LISTEN      1/init          

tcp        0      0 *:urd                   *:*                     LISTEN      1139/master     

tcp        0      0 *:ssh                   *:*                     LISTEN      712/sshd        

tcp        0      0 *:smtp                  *:*                     LISTEN      1139/master     

tcp        0      0 *:submission            *:*                     LISTEN      1139/master     

tcp        0    200 mail.home.wjkeenan.:ssh         ESTABLISHED 1267/sshd: wjk [pri

tcp6       0      0 [::]:pop3               [::]:*                  LISTEN      672/dovecot     

tcp6       0      0 [::]:imap2              [::]:*                  LISTEN      1/init          

tcp6       0      0 [::]:urd                [::]:*                  LISTEN      1139/master     

tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      712/sshd        

tcp6       0      0 [::]:smtp               [::]:*                  LISTEN      1139/master     

tcp6       0      0 [::]:mysql              [::]:*                  LISTEN      935/mysqld      


tcp6       0      0 [::]:submission         [::]:*                  LISTEN      1139/master     


By: till

That's ok, it listens on ipv4 and ipv6 when tcp6 is shown in netstat. Just be aware that it is listenin on localhost only at the moment as [::] is localhost.

By: Bill Keenan

I need to understand the certificate configuration created by following this article. This meant Indded to do some searching and reading. I came across, which is a resource I am finding helpful. Specifically, the draft of Applied Crypto Hardening. This guide offers some concrete configuration recommendations for Postfix and Dovecot.

By: Bill Keenan

As I work on locking down my perfect server with my own certificate, I'm doing some verification. In my case, I created a new VM from 15.10, and followed the steps in this article (including 8.2, but not 8.3). Depending on where you started, you may see something different.


I should appeciate a reply by someone who knows the best practice for the owner, group, and mod of /var/lib/apache2/fastcgi. Of course, perhaps configtest is being too liberal, and we don't want httpd to have write access.


apachectl configtest

AH00526: Syntax error on line 4 of /etc/apache2/mods-enabled/fastcgi.conf:

FastCgiIpcDir /var/lib/apache2/fastcgi: access for server (uid 1000, gid 1000) failed: write not allowed

Action 'configtest' failed.


The Apache error log may have more information.



cat /etc/apache2/mods-enabled/fastcgi.conf

<IfModule mod_fastcgi.c>

  AddHandler fastcgi-script .fcgi

  #FastCgiWrapper /usr/lib/apache2/suexec

  FastCgiIpcDir /var/lib/apache2/fastcgi





ll /var/lib/apache2

total 28

drwxr-xr-x  7 root     root     4096 Nov 24 10:26 ./

drwxr-xr-x 62 root     root     4096 Nov 24 10:55 ../

drwxr-xr-x  3 root     root     4096 Nov 24 10:20 conf/

drwxr-xr-x  3 www-data www-data 4096 Nov 24 10:27 fastcgi/

drwxr-xr-x  3 www-data www-data 4096 Nov 30 06:31 fcgid/

drwxr-xr-x  5 root     root     4096 Nov 24 10:23 module/


drwxr-xr-x  3 root     root     4096 Nov 24 10:20 site/


By: Marcelo Saldanha

Great detailed article. Shed some lights on a few problems I was having with ubuntu 15.10. The deprecated suphp being the worst of them.

I am interested in this OVA/OVF appliance you mentioned, but could not find any download link for it. Is it still available?

By: till

The download is still available, scroll up the page and take a look at the menu on the right side, there is a big red download icon with the download link below.

By: Rich F

This is a nice, complete tutorial on getting a web server up and running.  However, I wish you had explained more about what you're doing and why.  So instead of just saying 'do this', say 'do is what it does and why'.  While my server is up and running and will server my home page, I have not been able to get anything else to work.  I can't log into phpMyAdmin using root...from my research it looks like it's because the root user in MySQL is "IDENTIFIED VIA unix_socket", but I've not found a way to make it work...I've tried using socat and netcat to redirect a different port through the MySQL socket with no success.  I created an FTP user following other examples on the web but can't log in from a remote PC.  I'm assuming there's some security mechanism in place, but where?    It looks like MySQL and Pure-Ftp are somehow connected, but how (I say this because of the 'service pure-ftp-mysql restart' command).  Perhaps you can publish a followup turtorial on how to actually use the server and it's many pieces once it's set up and running.

I've considered starting over and creating my web server using Xampp and adding in Pure-FTP.  I've had a Xampp server running for over 3 years and despite all the 'security risk' warnings I've only had one instance when someone disabled my server.  Fortunately I do daily backups and was up and running again rather quickly.


By: till

I guess you haven't followed the guide till the end and therefor did not Install ISPConfig, ISPConfig is the control panel for this setup. Adding a FTP user is plain easy, just login to ISPConfig, click on new FTP user, enter the username and password and then click on save, That's all.


Regarding a follow-up tutorial that explains how the setup is used in detail, this tutorial exists and we refer you twice to that guide above, its is named "The ISPConfig manual" and you can get it here: It describes on more than 370 pages in detail incl. screenshots how to use any aspect of the above hosting setup.



By: Rich F

Thanks for the reply till.  Yes, I did install ISPConfig.  It looks like I'll have to break down and spend money on the manual...I was hoping to avoid that.

By: Jacbey

Sorry, but this is silly, amavisd-new will not start at all.  I have this problem on a production server so I decided to try making a contained, new, virtual machine and it still won't start.  Have you any clue why?

By: till

The most likely reason for a non-starting amavisd is a wrong hostname. Check that:


hostname -f


returns a fully qualified domain name like If it returns a non-valid or incomplete hostname, then amavisd will not start.

By: simdeveloper

I just thought i would mention in som cases it is instead of where you put $rcmail_config['default_host'] = 'localhost';

By: Kyle

The password for the download esxi password for the ISPconfig site doesn't work. Could you update this?

By: till

The password works fine for me. ISPCondfig login is username: admin and password: admin and the other passwords are all "howtoforge", and there is a linux shell user with username "administrator" and password"howtoforge" as well as the root SSH Login is forbidden by default in Debian, so you login as administrator first and then su to root.

By: Arnaud


j'ai téléchargé l'image pour vmware et je souhaite changer la taille du disque j'ai cherché plusieurs tutos mais je n'ai pas compris comment faire entre le disque physique et le lvm

merci de votre aide

By: Arnaud


I am using the vmware image and I try to add ZendGuardLoader but i can't get it work.

Could you please help me for that ?

By: till

This setup is a standard Ubuntu setup that uses the Ubuntu Default packages for all PHP related things. Ask the Zend support for installation instructions of their software for Ubuntu 15.10.

By: Arnaud


I am trying to install ZendGuarLoader but it's not working. In fact when i try with a terminal session it seems to work correctly because a php - m and v let me see the module as activated.

But when i try with apache it's not working and this is the way i need it to work. I had read a lot of stuff about this extension but i can't get it work with apache.

Thanks in advance for any aswer or suggestion

By: till

Ubuntu has several php.ini files, you have t ensure that you install ZendGauard Loader in all of them:


Commandline PHP: /etc/php5/cli/php.iniApache MOD-PHP: /etc/php5/apache2/php.iniApache PHP-FCGI and CGI: /etc/php5/cgi/php.iniApache PHP-FPM: /etc/php5/fpm/php.ini

Then restart php-fpm and apache. In case that you used the custom php.ini field for a website in ispconfig, then run Tools > Resync on the websites after you changed the php.ini's above to apply your changes.

By: foxsys

After the installation has been a mistake.

Job for amavis.service failed because the control process exited with error code. See "systemctl status amavis.service" and "journalctl -xe" for details.

systemctl status amavis.serviceâ amavis.service - LSB: Starts amavisd-new mailfilter   Loaded: loaded (/etc/init.d/amavis)   Active: failed (Result: exit-code) since mié 2016-01-06 23:19:29 CET; 24s ago     Docs: man:systemd-sysv-generator(8)  Process: 1909 ExecStart=/etc/init.d/amavis start (code=exited, status=1/FAILURE)

ene 06 23:19:29 factorypc amavis[1909]: Starting amavisd:   The value of variable $myhostname is "factorypc", but should have beenene 06 23:19:29 factorypc amavis[1909]: a fully qualified domain name; perhaps uname(3) did not provide such.ene 06 23:19:29 factorypc amavis[1909]: You must explicitly assign a FQDN of this host to variable $myhostnameene 06 23:19:29 factorypc amavis[1909]: in /etc/amavis/conf.d/05-node_id, or fix what uname(3) provides as a host'sene 06 23:19:29 factorypc amavis[1909]: network name!ene 06 23:19:29 factorypc amavis[1909]: (failed).ene 06 23:19:29 factorypc systemd[1]: amavis.service: Control process exited, code=exited status=1ene 06 23:19:29 factorypc systemd[1]: Failed to start LSB: Starts amavisd-new mailfilter.ene 06 23:19:29 factorypc systemd[1]: amavis.service: Unit entered failed state.ene 06 23:19:29 factorypc systemd[1]: amavis.service: Failed with result 'exit-code'.

I followed your tutorial step by step.

By: till

The reason for your error is that you have used a wrong hostname for your server. The tutorial instructs you to set a fully qualified domain nam as hostname (e.g. but you set "factorypc" as hostname which is not a fully qualified domain name and therefor amavis could not start. Set a correct hostname in /etc/hostname, /etc/mailname and /etc/hosts and then restart the server to fix this issue.

By: James


By: Foxsys

I have your own domain, installing ispconfig would it?

By: peter


and change the default host to localhost:

$rcmail_config['default_host'] = 'localhost';

$rcmail_conf must be $config

Adn i can't send email from Roundcube. When i click on the Send button, nothing happens.

By: till

Please post in the forum here at howtoforge to get help with your configuration issue.

By: Sander

Hey, thanks a lot for the great guide. its easy to follow and (almost) everything works...the command to create the ssl key for ftp isnt working... and when its all done everythings runs nice except for the ftp, ISPconfig says that the service is offline. Though i can login to (only) SFTP but i need to login with the user created in ubuntu server itself.


Probably ive done something wrong somewhere... please help... i cant wait to put this to good use...


also, you say there is a download for the VM but i cant fiend the link?...

By: till

The command to create a ssl cert should be ok, I just tested it. Please delete the ssl cert and rerun the openssl command to create a new cert. OpenSSL can be a bit picky, when you enter details that openssl dont understands, then it may fail silently.


> also, you say there is a download for the VM but i cant fiend the link?...

See right menu, "vmware image download"

By: Scott Jones

Great tutorial! However I cannot get the SMTP to work on my server at all. I am renting a dedicated server and I just cannot get it to work. 

By: till

Community support for ISPConfig is available in the forum here at howtoforge. Please post there to get help with your smtp problem.

By: Swedac

Have tried using mariadb. I fee the old msql is still better as it is more compatible with various applications.

By: Zaika

Hello, I don't see any virtual machine disk image mentioned at 18.2.

By: till

See menu on the right side at the top of the article.

By: Alex


roundcube isn't working correctly. I can't send and recieve mails.

Maybe it is because I insert an wrong server mail name through the installation: 6. instead of 

How can I change this again.


Best regards,


By: Michael B

Thank you for an almost a flawless installation manual but in Step 16, in the final '<Enter>' I got the following error:


Installing ISPConfig crontab

no crontab for root

no crontab for getmail

Restarting services ...

Job for amavis.service failed because the control process exited with error code. See "systemctl status amavis.service" and "journalctl -xe" for details.


Installation completed.

By: till

The most likely reason for a failed amavis start is a wrong hostname, take a look into the /var/log/mail.log file. If you need help, please post in the forum.

By: Sujan Swearingen

This looks as though it could work.  It is really hard to say because after installing 15.10 and rebooting, the screen is full of continous loops that complain about the AMD-Vi.  Passing "iommu=pt" used to work on the 15.04 kernel but this is clearly not the case on the 15.10 kernel.  Something has changed and it certainly has not been for the better.

By: Kimusz

Because I still learn Ubuntu, Apache, PHP and so, I've installed several or much more servers like that :). Servers work and there are no special problems but one - I can't log in to phpmyadmin as root. Actually, once or twice I can do it, but I have no idea why. But most of all - I can't do it. What is the problem?

By: Bob Hall

Hi There;

I loved the tutorial and the VM that you can download and just run with - thank you for this. I've run into a problem with the vm, I am hoping you folks can help me - the mysql DB stopped running yesterday for no reason - it's been up and running since deployment with no issues. When I manually restart it, I get an error that it failed to start. In phpmyadmin I get a message that the configuration for the contrluser failed - in the log files, I get what appears to be file permission issues on the mysql dr. however, I've confirmed that the mysql user and group are owners of all files -

Looking forward to suggestions!

By: till

Please make a post in the forum here at howtoforge where you post the exact error messages that you get in the syslog.

By: Alberto Camargo

Very good tutorial. Just some screen disarrangements,