19/11/2015

The Perfect Server - Debian 8 Jessie (Apache2, BIND, Dovecot, ISPConfig 3)

This tutorial shows how to prepare a Debian Jessie server (with Apache2, BIND, Dovecot) for the installation of ISPConfig 3 [1], and how to install ISPConfig 3. The web hosting control panel ISPConfig 3 allows you to configure the following services through a web browser: Apache or nginx web server, Postfix mail server, Courier or Dovecot IMAP/POP3 server, MySQL, BIND or MyDNS nameserver, PureFTPd, SpamAssassin, ClamAV, and many more. This setup covers Apache (instead of nginx), BIND (instead of MyDNS), and Dovecot (instead of Courier).

1 Preliminary Note
In this tutorial I will use the hostname server1.example.com with the IP address 192.168.1.100 and the gateway 192.168.1.1. These settings might differ for you, so you have to replace them where appropriate. Before proceeding further you need to have a minimal installation of Debian 8. This might be a Debian minimal image from your hosting provider, or you can use the Minimal Debian Server [2] tutorial to set up the base system.

2 Install the SSH server (Optional)
If you did not install the OpenSSH server during the system installation, you can do it now:
apt-get install ssh openssh-server
From now on you can use an SSH client such as PuTTY [3] and connect from your workstation to your Debian Jessie server and follow the remaining steps from this tutorial.

3 Install a shell text editor (Optional)
We will use the nano text editor in this tutorial. Some users prefer the classic vi editor, therefore we will install both editors here. The default vi program has some strange behaviour on Debian and Ubuntu; to fix this, we install vim-nox:
apt-get install nano vim-nox
If vi is your favorite editor, then replace nano with vi in the following commands to edit files.

4 Configure the Hostname
The hostname of your server should be a subdomain like "server1.example.com". Do not use a domain name without a subdomain part like "example.com" as hostname, as this will cause problems later with your mail setup. First you should check the hostname in /etc/hosts and change it when necessary. The line should be: "IP Address - space - full hostname incl. domain - space - subdomain part". For our hostname server1.example.com, the file shall look like this:
nano /etc/hosts
127.0.0.1       localhost.localdomain   localhost
192.168.1.100   server1.example.com     server1

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Then edit the /etc/hostname file:
nano /etc/hostname
It shall contain only the subdomain part, in our case:
server1

Finally, reboot the server to apply the change:
reboot
Log in again and check if the hostname is correct now with these commands:
hostname
hostname -f
The output shall be like this:
root@server1:/tmp# hostname
server1
root@server1:/tmp# hostname -f
server1.example.com

5 Update Your Debian Installation
First make sure that your /etc/apt/sources.list contains the jessie/updates repository (this makes sure you always get the newest security updates), and that the contrib and non-free repositories are enabled (some packages such as libapache2-mod-fastcgi are not in the main repository).
nano /etc/apt/sources.list

#deb cdrom:[Debian GNU/Linux 8.0.0 _Jessie_ - Official amd64 NETINST Binary-1 20150425-12:50]/ jessie main
deb http://ftp.us.debian.org/debian/ jessie main contrib non-free
deb-src http://ftp.us.debian.org/debian/ jessie main contrib non-free

deb http://security.debian.org/ jessie/updates main contrib non-free
deb-src http://security.debian.org/ jessie/updates main contrib non-free

Run
apt-get update
to update the apt package database and
apt-get upgrade
to install the latest updates (if there are any).

6 Change The Default Shell
/bin/sh is a symlink to /bin/dash, however we need /bin/bash, not /bin/dash. Therefore we do this:
dpkg-reconfigure dash
Use dash as the default system shell (/bin/sh)? <-- no
If you don't do this, the ISPConfig installation will fail.

7 Synchronize the System Clock
It is a good idea to synchronize the system clock with an NTP (network time protocol) server over the Internet. Simply run
apt-get install ntp ntpdate
and your system time will always be in sync.

8 Install Postfix, Dovecot, MySQL, phpMyAdmin, rkhunter, binutils
We can install Postfix, Dovecot, MySQL, rkhunter, and binutils with a single command:
apt-get install postfix postfix-mysql postfix-doc mariadb-client mariadb-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve dovecot-lmtpd sudo
When you prefer MySQL over MariaDB, replace the packages "mariadb-client mariadb-server" in the above command with "mysql-client mysql-server".
You will be asked the following questions:
General type of mail configuration: <-- Internet Site
System mail name: <-- server1.example.com
New password for the MariaDB "root" user: <-- yourrootsqlpassword
Repeat password for the MariaDB "root" user: <-- yourrootsqlpassword
Next open the TLS/SSL and submission ports in Postfix:
nano /etc/postfix/master.cf
Uncomment the submission and smtps sections as follows and add lines where necessary so that this section of the master.cf file looks exactly like the one below.
[...]
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
[...]

Restart Postfix afterwards:
service postfix restart
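
An added example, not part of the original tutorial: a small Python check that reads master.cf the way Postfix does (comment lines skipped, indented lines continue the previous entry) and reports which of the active overrides from the listing above are missing. The REQUIRED table, the function names and the two sample files are constructed for illustration.

```python
# Overrides that are active (uncommented) in the tutorial's listing.
REQUIRED = {
    "submission": {
        "smtpd_tls_security_level": "encrypt",
        "smtpd_sasl_auth_enable": "yes",
        "smtpd_client_restrictions": "permit_sasl_authenticated,reject",
    },
    "smtps": {
        "smtpd_tls_wrappermode": "yes",
        "smtpd_sasl_auth_enable": "yes",
        "smtpd_client_restrictions": "permit_sasl_authenticated,reject",
    },
}


def parse_master_cf(text):
    """Return {(service, type): {override: value}} for active entries only."""
    services = {}
    current = None
    for raw in text.splitlines():
        stripped = raw.strip()
        # Blank lines and lines whose first non-blank character is '#' are ignored.
        if not stripped or stripped.startswith("#"):
            continue
        if raw[0].isspace():
            # Leading whitespace: continuation of the previous service entry.
            if current is None:
                continue
            tokens = stripped.split()
        else:
            fields = stripped.split()
            if len(fields) < 8:  # service type private unpriv chroot wakeup maxproc command
                current = None
                continue
            current = services.setdefault((fields[0], fields[1]), {})
            tokens = fields[8:]
        # Collect "-o name=value" pairs.
        for flag, arg in zip(tokens, tokens[1:]):
            if flag == "-o" and "=" in arg:
                name, _, value = arg.partition("=")
                current[name] = value
    return services


def audit(text):
    """List every required override that is absent or has another value."""
    services = parse_master_cf(text)
    findings = []
    for svc, required in REQUIRED.items():
        active = services.get((svc, "inet"))
        if active is None:
            findings.append(f"{svc}: service entry missing or commented out")
            continue
        for name, want in required.items():
            got = active.get(name)
            if got != want:
                findings.append(f"{svc}: {name} is {got!r}, expected {want!r}")
    return findings


# Constructed sample: the section as the tutorial wants it (some comments omitted).
GOOD = """\
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_reject_unlisted_recipient=no
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""

# Constructed sample: TLS override left commented, smtps never uncommented.
BAD = """\
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#smtps     inet  n       -       -       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
"""

if __name__ == "__main__":
    for label, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, audit(text) or "all required overrides present")
```

To check a real server, pass the contents of /etc/postfix/master.cf to audit() instead of the embedded samples.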
We want MariaDB to listen on all interfaces, not just localhost, therefore we edit /etc/mysql/my.cnf and comment out the line bind-address = 127.0.0.1:
nano /etc/mysql/my.cnf
[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address           = 127.0.0.1
[...]

Then we restart MySQL:
service mysql restart
Now check that networking is enabled. Run
netstat -tap | grep mysql
The output should look like this:
root@server1:/tmp# netstat -tap | grep mysql
tcp6       0      0 [::]:mysql              [::]:*                  LISTEN      27371/mysqld

9 Install Amavisd-new, SpamAssassin And Clamav
To install amavisd-new, SpamAssassin and ClamAV, we run
apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl
Edit the Clamd configuration file /etc/clamav/clamd.conf
nano /etc/clamav/clamd.conf
and change the line AllowSupplementaryGroups from false to true:
AllowSupplementaryGroups true

The ISPConfig 3 setup uses amavisd which loads the SpamAssassin filter library internally, so we can stop SpamAssassin to free up some RAM:
service spamassassin stop
systemctl disable spamassassin


10 Install Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear, And mcrypt
Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear, and mcrypt can be installed as follows:
apt-get install apache2 apache2.2-common apache2-doc apache2-mpm-prefork apache2-utils libexpat1 ssl-cert libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick libruby libapache2-mod-python php5-curl php5-intl php5-memcache php5-memcached php5-pspell php5-recode php5-sqlite php5-tidy php5-xmlrpc php5-xsl memcached libapache2-mod-passenger
You will see the following questions:
Web server to reconfigure automatically: <-- apache2
Configure database for phpmyadmin with dbconfig-common? <-- yes
Enter the password of the administrative user? <-- yourrootmysqlpassword
Enter the phpmyadmin application password? <-- Just press enter
Then run the following command to enable the Apache modules suexec, rewrite, ssl, actions, and include (plus dav, dav_fs, and auth_digest if you want to use WebDAV):
a2enmod suexec rewrite ssl actions include dav_fs dav auth_digest cgi
and enable the modules by running:
service apache2 restart

11 Install SuPHP (optional, not recommended)
SuPHP is not available anymore for Debian Jessie. The suphp mode should not be used anymore in ISPConfig as there are better PHP modes like php-fpm and php-fcgi available. If you really need suphp for legacy reasons, then follow the steps in this chapter to compile it manually:
apt-get install apache2-dev build-essential autoconf automake libtool flex bison debhelper binutils
cd /usr/local/src
wget http://suphp.org/download/suphp-0.7.2.tar.gz
tar zxvf suphp-0.7.2.tar.gz
wget -O suphp.patch https://lists.marsching.com/pipermail/suphp/attachments/20130520/74f3ac02/attachment.patch
patch -Np1 -d suphp-0.7.2 < suphp.patch
cd suphp-0.7.2
autoreconf -if
./configure --prefix=/usr/ --sysconfdir=/etc/suphp/ --with-apr=/usr/bin/apr-1-config --with-apache-user=www-data --with-setid-mode=owner --with-logfile=/var/log/suphp/suphp.log
make
make install
Create the suphp configuration directory and suphp.conf file:
mkdir /var/log/suphp
mkdir /etc/suphp
nano /etc/suphp/suphp.conf
[global]
;Path to logfile
logfile=/var/log/suphp/suphp.log
;Loglevel
loglevel=info

;User Apache is running as
webserver_user=www-data
;Path all scripts have to be in
docroot=/var/www
;Path to chroot() to before executing script
;chroot=/mychroot
; Security options
allow_file_group_writeable=false
allow_file_others_writeable=false
allow_directory_group_writeable=false
allow_directory_others_writeable=false
;Check whether script is within DOCUMENT_ROOT
check_vhost_docroot=true
;Send minor error messages to browser
errors_to_browser=false
;PATH environment variable
env_path=/bin:/usr/bin
;Umask to set, specify in octal notation
umask=0022
; Minimum UID
min_uid=100
; Minimum GID
min_gid=100

[handlers]
;Handler for php-scripts
x-httpd-suphp="php:/usr/bin/php-cgi"
;Handler for CGI-scripts
x-suphp-cgi=execute:!self
umask=0022

Next we will add a config file to load the suphp module in apache:
echo "LoadModule suphp_module /usr/lib/apache2/modules/mod_suphp.so" > /etc/apache2/mods-available/suphp.load
And then open /etc/apache2/mods-available/suphp.conf...
nano /etc/apache2/mods-available/suphp.conf
...and add the following content:

<IfModule mod_suphp.c>
    AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml
    suPHP_AddHandler application/x-httpd-suphp
    <Directory />
        suPHP_Engine on
    </Directory>
    # By default, disable suPHP for debian packaged web applications as files
    # are owned by root and cannot be executed by suPHP because of min_uid.
    <Directory /usr/share>
        suPHP_Engine off
    </Directory>
# # Use a specific php config file (a dir which contains a php.ini file)
#       suPHP_ConfigPath /etc/php5/cgi/suphp/
# # Tells mod_suphp NOT to handle requests with the type <mime-type>.
#       suPHP_RemoveHandler <mime-type>
</IfModule>

Enable the suphp module in apache:
a2enmod suphp
Restart Apache afterwards:
service apache2 restart

12 XCache and PHP-FPM
XCache is a free and open PHP opcode cacher for caching and optimizing PHP intermediate code. It's similar to other PHP opcode cachers, such as eAccelerator and APC. It is strongly recommended to have one of these installed to speed up your PHP page.
XCache can be installed as follows:
apt-get install php5-xcache
Now restart Apache:
service apache2 restart

12.2 PHP-FPM
Starting with ISPConfig 3.0.5, there is an additional PHP mode that you can select for usage with Apache: PHP-FPM.
To use PHP-FPM with Apache, we need the mod_fastcgi Apache module (please don't mix this up with mod_fcgid; they are very similar, but you cannot use PHP-FPM with mod_fcgid). We can install PHP-FPM and mod_fastcgi as follows:
apt-get install libapache2-mod-fastcgi php5-fpm
Make sure you enable the module and restart Apache:
a2enmod actions fastcgi alias
service apache2 restart

13 Install Mailman
ISPConfig allows you to manage (create/modify/delete) Mailman mailing lists. If you want to make use of this feature, install Mailman as follows:
apt-get install mailman
Select at least one language, e.g.:
Languages to support: <-- en (English)
Missing site list <-- Ok
Before we can start Mailman, a first mailing list called mailman must be created:
newlist mailman
root@server1:~# newlist mailman
Enter the email of the person running the list: <-- admin email address, e.g. [email protected] [4]
Initial mailman password: <-- admin password for the mailman list
To finish creating your mailing list, you must edit your /etc/aliases (or
equivalent) file by adding the following lines, and possibly running the
`newaliases' program:
## mailman mailing list
mailman:              "|/var/lib/mailman/mail/mailman post mailman"
mailman-admin:        "|/var/lib/mailman/mail/mailman admin mailman"
mailman-bounces:      "|/var/lib/mailman/mail/mailman bounces mailman"
mailman-confirm:      "|/var/lib/mailman/mail/mailman confirm mailman"
mailman-join:         "|/var/lib/mailman/mail/mailman join mailman"
mailman-leave:        "|/var/lib/mailman/mail/mailman leave mailman"
mailman-owner:        "|/var/lib/mailman/mail/mailman owner mailman"
mailman-request:      "|/var/lib/mailman/mail/mailman request mailman"
mailman-subscribe:    "|/var/lib/mailman/mail/mailman subscribe mailman"
mailman-unsubscribe:  "|/var/lib/mailman/mail/mailman unsubscribe mailman"
Hit enter to notify mailman owner... <-- ENTER
root@server1:~#
Open /etc/aliases afterwards...
vi /etc/aliases
...and add the following lines:
[...]
## mailman mailing list
mailman:              "|/var/lib/mailman/mail/mailman post mailman"
mailman-admin:        "|/var/lib/mailman/mail/mailman admin mailman"
mailman-bounces:      "|/var/lib/mailman/mail/mailman bounces mailman"
mailman-confirm:      "|/var/lib/mailman/mail/mailman confirm mailman"
mailman-join:         "|/var/lib/mailman/mail/mailman join mailman"
mailman-leave:        "|/var/lib/mailman/mail/mailman leave mailman"
mailman-owner:        "|/var/lib/mailman/mail/mailman owner mailman"
mailman-request:      "|/var/lib/mailman/mail/mailman request mailman"
mailman-subscribe:    "|/var/lib/mailman/mail/mailman subscribe mailman"
mailman-unsubscribe:  "|/var/lib/mailman/mail/mailman unsubscribe mailman"

Run
newaliases
afterwards and restart Postfix:
service postfix restart
Finally we must enable the Mailman Apache configuration:
ln -s /etc/mailman/apache.conf /etc/apache2/conf-enabled/mailman.conf
This defines the alias /cgi-bin/mailman/ for all Apache vhosts, which means you can access the Mailman admin interface for a list at http://server1.example.com/cgi-bin/mailman/admin/, and the web page for users of a mailing list can be found at http://server1.example.com/cgi-bin/mailman/listinfo/.
Under http://server1.example.com/pipermail you can find the mailing list archives.
Restart Apache afterwards:
service apache2 restart
Then start the Mailman daemon:
service mailman start

14 Install PureFTPd And Quota
PureFTPd and quota can be installed with the following command:
apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool
Edit the file /etc/default/pure-ftpd-common...
nano /etc/default/pure-ftpd-common
...and make sure that the start mode is set to standalone and set VIRTUALCHROOT=true:

[...]
STANDALONE_OR_INETD=standalone
[...]
VIRTUALCHROOT=true
[...]

Now we configure PureFTPd to allow FTP and TLS sessions. FTP is a very insecure protocol because all passwords and all data are transferred in clear text. By using TLS, the whole communication can be encrypted, thus making FTP much more secure.
If you want to allow FTP and TLS sessions, run
echo 1 > /etc/pure-ftpd/conf/TLS
In order to use TLS, we must create an SSL certificate. I create it in /etc/ssl/private/, therefore I create that directory first:
mkdir -p /etc/ssl/private/
Afterwards, we can generate the SSL certificate as follows:
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
Country Name (2 letter code) [AU]: <-- Enter your Country Name (e.g., "DE").
State or Province Name (full name) [Some-State]: <-- Enter your State or Province Name.
Locality Name (eg, city) []: <-- Enter your City.
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter your Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) []: <-- Enter your Organizational Unit Name (e.g. "IT Department").
Common Name (eg, YOUR name) []: <-- Enter the Fully Qualified Domain Name of the system (e.g. "server1.example.com").
Email Address []: <-- Enter your Email Address.
Change the permissions of the SSL certificate:
chmod 600 /etc/ssl/private/pure-ftpd.pem
Then restart PureFTPd:
service pure-ftpd-mysql restart
Edit /etc/fstab. Mine looks like this (I added ,usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0 to the partition with the mount point /):
nano /etc/fstab
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
# / was on /dev/sda1 during installation
UUID=3dc3b58d-97e5-497b-8254-a913fdfc5408 / ext4 errors=remount-ro,usrjquota=quota.user,grpjquota=quota.gro
# swap was on /dev/sda5 during installation
UUID=36bf486e-8f76-492d-89af-5a8eb3ce8a02 none swap sw 0 0
/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0

To enable quota, run these commands:
mount -o remount /
quotacheck -avugm
quotaon -avug
15 Install BIND DNS Server
BIND can be installed as follows:
apt-get install bind9 dnsutils

16 Install Vlogger, Webalizer, And AWStats
Vlogger, Webalizer, and AWStats can be installed as follows:
apt-get install vlogger webalizer awstats geoip-database libclass-dbi-mysql-perl
Open /etc/cron.d/awstats afterwards...
nano /etc/cron.d/awstats
...and comment out everything in that file:
#MAILTO=root
#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh
# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstati

17 Install Jailkit
Jailkit is needed only if you want to chroot SSH users. It can be installed as follows (important: Jailkit must be installed before ISPConfig; it cannot be installed afterwards!):
apt-get install build-essential autoconf automake libtool flex bison debhelper binutils
cd /tmp
wget http://olivier.sessink.nl/jailkit/jailkit-2.17.tar.gz
tar xvfz jailkit-2.17.tar.gz
cd jailkit-2.17
./debian/rules binary
You can now install the Jailkit package as follows:
cd ..
dpkg -i jailkit_2.17-1_*.deb
rm -rf jailkit-2.17*

18 Install fail2ban
This is optional but recommended, because the ISPConfig monitor tries to show the log:
apt-get install fail2ban
To make fail2ban monitor PureFTPd and Dovecot, create the file /etc/fail2ban/jail.local:
nano /etc/fail2ban/jail.local
[pureftpd]
enabled = true
port = ftp
filter = pureftpd
logpath = /var/log/syslog
maxretry = 3

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 5

[postfix-sasl]
enabled = true
port = smtp
filter = postfix-sasl
logpath = /var/log/mail.log
maxretry = 3

Then create the following two filter files:
nano /etc/fail2ban/filter.d/pureftpd.conf
[Definition]
failregex = .*pure-ftpd: \(.*@<HOST>\) \[WARNING\] Authentication failed for user.*
ignoreregex =

nano /etc/fail2ban/filter.d/dovecot-pop3imap.conf
[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted log
ignoreregex =

Then, to add the ignoreregex line in the postfix-sasl filter file, run:
echo "ignoreregex =" >> /etc/fail2ban/filter.d/postfix-sasl.conf
Restart fail2ban afterwards:
service fail2ban restart
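
An added example, not part of the original tutorial: a Python sketch that applies the pureftpd failregex above to a few log lines and compares the per-host failure count with the maxretry of the [pureftpd] jail. The log lines are constructed, the <HOST> replacement is a simplified stand-in for the pattern fail2ban substitutes, and the findtime window is ignored.

```python
import configparser
import re
from collections import Counter

# [pureftpd] jail as defined in jail.local on this page.
JAIL_LOCAL = """\
[pureftpd]
enabled = true
port = ftp
filter = pureftpd
logpath = /var/log/syslog
maxretry = 3
"""

# failregex exactly as written in filter.d/pureftpd.conf on this page.
FAILREGEX = r".*pure-ftpd: \(.*@<HOST>\) \[WARNING\] Authentication failed for user.*"

# Assumption: simplified replacement for fail2ban's own <HOST> expansion.
HOST_GROUP = r"(?P<host>[0-9A-Za-z.:-]+)"

# Constructed syslog lines using documentation addresses.
SAMPLE_LOG = [
    "Nov 19 10:00:01 server1 pure-ftpd: (?@203.0.113.5) [WARNING] Authentication failed for user [web1]",
    "Nov 19 10:00:03 server1 pure-ftpd: (?@203.0.113.5) [WARNING] Authentication failed for user [web1]",
    "Nov 19 10:00:04 server1 pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [admin]",
    "Nov 19 10:00:06 server1 pure-ftpd: (?@203.0.113.5) [WARNING] Authentication failed for user [web2]",
    "Nov 19 10:00:09 server1 pure-ftpd: (?@198.51.100.7) [INFO] web3 is now logged in",
    "Nov 19 10:00:11 server1 pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [admin]",
    "Nov 19 10:00:12 server1 sshd[811]: Failed password for root from 192.0.2.44 port 4022 ssh2",
]


def jail_maxretry(jail_text, jail):
    """Read maxretry for one jail from jail.local-style text."""
    cfg = configparser.ConfigParser()
    cfg.read_string(jail_text)
    return cfg.getint(jail, "maxretry")


def failures_per_host(lines, failregex=FAILREGEX):
    """Count lines matching the failregex, keyed by the captured host."""
    rx = re.compile(failregex.replace("<HOST>", HOST_GROUP))
    hits = Counter()
    for line in lines:
        match = rx.search(line)
        if match:
            hits[match.group("host")] += 1
    return hits


def hosts_over_limit(lines, maxretry):
    """Hosts whose failure count has reached maxretry (findtime not modelled)."""
    return sorted(h for h, n in failures_per_host(lines).items() if n >= maxretry)


if __name__ == "__main__":
    limit = jail_maxretry(JAIL_LOCAL, "pureftpd")
    print("failures:", dict(failures_per_host(SAMPLE_LOG)))
    print("would be banned at maxretry =", limit, ":", hosts_over_limit(SAMPLE_LOG, limit))
```

On the server itself, the fail2ban-regex tool shipped with fail2ban performs the same kind of test against the real log and filter file.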


19 Install squirrelmail
To install the SquirrelMail webmail client, run
apt-get install squirrelmail
Then configure SquirrelMail:
squirrelmail-configure
We must tell SquirrelMail that we are using Dovecot-IMAP/-POP3:
SquirrelMail Configuration : Read: config.php (1.4.0)

Main Menu
1.  Organization Preferences
2.  Server Settings
3.  Folder Defaults
4.  General Options
5.  Themes
6.  Address Books
7.  Message of the Day (MOTD)
8.  Plugins
9.  Database
10. Languages
D.  Set pre-defined settings for specific IMAP servers
C   Turn color on
S   Save data
Q   Quit
Command >> <-- D

SquirrelMail Configuration : Read: config.php

While we have been building SquirrelMail, we have discovered some
preferences that work better with some servers that don't work so
well with others. If you select your IMAP server, this option will
set some pre-defined settings for that server.
Please note that you will still need to go through and make sure
everything is correct. This does not change everything. There are
only a few settings that this will change.
Please select your IMAP server:
bincimap    = Binc IMAP server
courier     = Courier IMAP server
cyrus       = Cyrus IMAP server
dovecot     = Dovecot Secure IMAP server
exchange    = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx      = Mac OS X Mailserver
mercury32   = Mercury/32
uw          = University of Washington's IMAP server
gmail       = IMAP access to Google mail (Gmail) accounts
quit        = Do not change anything
Command >> <-- dovecot

SquirrelMail Configuration : Read: config.php

While we have been building SquirrelMail, we have discovered some
preferences that work better with some servers that don't work so
well with others. If you select your IMAP server, this option will
set some pre-defined settings for that server.
Please note that you will still need to go through and make sure
everything is correct. This does not change everything. There are
only a few settings that this will change.
Please select your IMAP server:
bincimap    = Binc IMAP server
courier     = Courier IMAP server
cyrus       = Cyrus IMAP server
dovecot     = Dovecot Secure IMAP server
exchange    = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx      = Mac OS X Mailserver
mercury32   = Mercury/32
uw          = University of Washington's IMAP server
gmail       = IMAP access to Google mail (Gmail) accounts
quit        = Do not change anything
Command >> dovecot

imap_server_type = dovecot
default_folder_prefix =
trash_folder = Trash
sent_folder = Sent
draft_folder = Drafts
show_prefix_option = false
default_sub_of_inbox = false
show_contain_subfolders_option = false
optional_delimiter = detect
delete_folder = false
Press any key to continue... <-- press a key
SquirrelMail Configuration : Read: config.php (1.4.0)

Main Menu
1.  Organization Preferences
2.  Server Settings
3.  Folder Defaults
4.  General Options
5.  Themes
6.  Address Books
7.  Message of the Day (MOTD)
8.  Plugins
9.  Database
10. Languages
D.  Set pre-defined settings for specific IMAP servers
C   Turn color on
S   Save data
Q   Quit
Command >> <-- S

SquirrelMail Configuration : Read: config.php (1.4.0)

Main Menu
1.  Organization Preferences
2.  Server Settings
3.  Folder Defaults
4.  General Options
5.  Themes
6.  Address Books
7.  Message of the Day (MOTD)
8.  Plugins
9.  Database
10. Languages
D.  Set pre-defined settings for specific IMAP servers

C   Turn color on
S   Save data
Q   Quit
Command >> <-- Q
Now we will configure SquirrelMail so that you can use it from within your web sites (created through ISPConfig) by using the /squirrelmail or /webmail aliases. So if your website is www.example.com, you will be able to access SquirrelMail using www.example.com/squirrelmail or www.example.com/webmail.
SquirrelMail's Apache configuration is in the file /etc/squirrelmail/apache.conf, but this file isn't loaded by Apache because it is not in the /etc/apache2/conf.d/ directory. Therefore we create a symlink called squirrelmail.conf in the /etc/apache2/conf.d/ directory that points to /etc/squirrelmail/apache.conf and reload Apache afterwards:
cd /etc/apache2/conf-enabled/
ln -s ../../squirrelmail/apache.conf squirrelmail.conf
service apache2 reload
Now open /etc/apache2/conf-enabled/squirrelmail.conf...
nano /etc/apache2/conf-enabled/squirrelmail.conf
...and add the following lines to the <Directory /usr/share/squirrelmail> container to make sure that mod_php is used for accessing SquirrelMail, regardless of what PHP mode you select for your website in ISPConfig:
[...]
<Directory /usr/share/squirrelmail>
  Options FollowSymLinks
  <IfModule mod_php5.c>
    AddType application/x-httpd-php .php
    php_flag magic_quotes_gpc Off
    php_flag track_vars On
    php_admin_flag allow_url_fopen Off
    php_value include_path .
    php_admin_value upload_tmp_dir /var/lib/squirrelmail/tmp
    php_admin_value open_basedir /usr/share/squirrelmail:/etc/squirrelmail:/var/lib/squirrelmail:/etc/hostn
    php_flag register_globals off
  </IfModule>
  <IfModule mod_dir.c>
    DirectoryIndex index.php
  </IfModule>
  # access to configtest is limited by default to prevent information leak
  <Files configtest.php>
    order deny,allow
    deny from all
    allow from 127.0.0.1
  </Files>
</Directory>
[...]
Create the directory /var/lib/squirrelmail/tmp...
mkdir /var/lib/squirrelmail/tmp
...and make it owned by the user www-data:
chown www-data /var/lib/squirrelmail/tmp
Reload Apache again:
service apache2 reload
That's it already; /etc/apache2/conf-enabled/squirrelmail.conf defines an alias called /squirrelmail that points to SquirrelMail's installation directory /usr/share/squirrelmail.
You can now access SquirrelMail from your web site as follows:
http://192.168.0.100/squirrelmail
http://www.example.com/squirrelmail
You can also access it from the ISPConfig control panel vhost (after you have installed ISPConfig, see the next chapter) as follows (this doesn't need any configuration in ISPConfig):
http://server1.example.com:8080/squirrelmail
If you'd like to use the alias /webmail instead of /squirrelmail, simply open /etc/apache2/conf-enabled/squirrelmail.conf...
nano /etc/apache2/conf-enabled/squirrelmail.conf
...and add the line Alias /webmail /usr/share/squirrelmail:
Alias /squirrelmail /usr/share/squirrelmail
Alias /webmail /usr/share/squirrelmail
[...]

Then reload Apache:
service apache2 reload
Now you can access SquirrelMail as follows:
http://192.168.1.100/webmail
http://www.example.com/webmail
http://server1.example.com:8080/webmail (after you have installed ISPConfig, see the next chapter)
If you'd like to define a vhost like webmail.example.com where your users can access SquirrelMail, you'd have to add the following vhost configuration to /etc/apache2/conf-enabled/squirrelmail.conf:
vi /etc/apache2/conf-enabled/squirrelmail.conf
[...]
<VirtualHost *:80>
  DocumentRoot /usr/share/squirrelmail
  ServerName webmail.example.com
</VirtualHost>

Of course, there must be a DNS record for webmail.example.com that points to the IP address that you use in the vhost configuration. Also make sure that the vhost webmail.example.com does not exist in ISPConfig (otherwise both vhosts will interfere with each other!).
Now reload Apache...
/etc/init.d/apache2 reload
...and you can access SquirrelMail under http://webmail.example.com!

20 Install ISPConfig 3
To install ISPConfig 3 from the latest released version, do this:
cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/
The next step is to run
php -q install.php
This will start the ISPConfig 3 installer. The installer will configure all services like Postfix, Dovecot, etc. for you. A manual setup as required for ISPConfig 2 (perfect setup guides) is not necessary.
NOTE: Do not be alarmed that the ISPConfig 3 installer identifies Debian Jessie as unknown version. This does not interfere with any functionality and will be fixed with the next ISPConfig update.
root@server1:/tmp/ispconfig3_install/install# php -q install.php
PHP Deprecated: Comments starting with '#' are deprecated in /etc/php5/cli/conf.d/ming.ini on line 1 in Unknown on line 0

[ISPConfig 3 ASCII-art banner]

>> Initial configuration
Operating System: Debian or compatible, unknown version.

Following will be a few questions for primary configuration so be careful.
Default values are in [brackets] and can be accepted with <ENTER>.
Tap in "quit" (without the quotes) to stop the installer.

Select language (en,de) [en]: <-- ENTER
Installation mode (standard,expert) [standard]: <-- ENTER
Full qualified hostname (FQDN) of the server, eg server1.domain.tld [server1.example.com]: <-- ENTER
MySQL server hostname [localhost]: <-- ENTER
MySQL root username [root]: <-- ENTER
MySQL root password []: <-- yourrootsqlpassword
MySQL database to create [dbispconfig]: <-- ENTER
MySQL charset [utf8]: <-- ENTER
Generating a 4096 bit RSA private key
.............................................................++
.........................................................................................................................++
writing new private key to 'smtpd.key'

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Country Name (2 letter code) [AU]: <-- ENTER
State or Province Name (full name) [Some-State]: <-- ENTER
Locality Name (eg, city) []: <-- ENTER
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- ENTER
Organizational Unit Name (eg, section) []: <-- ENTER
Common Name (e.g. server FQDN or YOUR name) []: <-- ENTER
Email Address []: <-- ENTER
Configuring Jailkit
Configuring Dovecot
Configuring Spamassassin
Configuring Amavisd
Configuring Getmail
Configuring Pureftpd
Configuring BIND
Configuring Apache
Configuring Vlogger
Configuring Apps vhost
Configuring Bastille Firewall
Configuring Fail2ban

InstallingISPConfig
ISPConfigPort[8080]:<ENTER
Doyouwantasecure(SSL)connectiontotheISPConfigwebinterface(y,n)[y]:<ENTER
GeneratingRSAprivatekey,4096bitlongmodulus
.................................................................................................++
........++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: <-- ENTER
State or Province Name (full name) [Some-State]: <-- ENTER
Locality Name (eg, city) []: <-- ENTER
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- ENTER
Organizational Unit Name (eg, section) []: <-- ENTER
Common Name (e.g. server FQDN or YOUR name) []: <-- ENTER
Email Address []: <-- ENTER
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <-- ENTER
An optional company name []: <-- ENTER
writing RSA key
Configuring DBServer
Installing ISPConfig crontab
no crontab for root
no crontab for getmail
Restarting services ...
Stopping MySQL database server: mysqld.
Starting MySQL database server: mysqld..
Checking for tables which need an upgrade, are corrupt or were
not closed cleanly..
Stopping Postfix Mail Transport Agent: postfix.
Starting Postfix Mail Transport Agent: postfix.
Stopping amavisd: amavisd-new.
Starting amavisd: amavisd-new.
Stopping ClamAV daemon: clamd.
Starting ClamAV daemon: clamd.
Restarting IMAP/POP3 mail server: dovecot.
[Tue May 07 02:36:22 2013] [warn] NameVirtualHost *:443 has no VirtualHosts
[Tue May 07 02:36:22 2013] [warn] NameVirtualHost *:80 has no VirtualHosts
[Tue May 07 02:36:23 2013] [warn] NameVirtualHost *:443 has no VirtualHosts
[Tue May 07 02:36:23 2013] [warn] NameVirtualHost *:80 has no VirtualHosts
Restarting web server: apache2 ... waiting.
Restarting ftp server: Running: /usr/sbin/pure-ftpd-mysql-virtualchroot -l mysql:/etc/pure-ftpd/db/mysql.conf -l pam -H -O clf:/var/log/pure-ftpd/transfer.log -Y 1 -D -u 1000 -A -E -b -8 UTF-8 -B
Installation completed.
root@server1:/tmp/ispconfig3_install/install#
The installer automatically configures all underlying services, so no manual configuration is needed.
You can also let the installer create an SSL vhost for the ISPConfig control panel, so that
ISPConfig can be accessed using https:// instead of http://. To do so, just press ENTER when you see this
question: Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]:.
Afterwards you can access ISPConfig 3 under http(s)://server1.example.com:8080/ or
http(s)://192.168.0.100:8080/ (http or https depends on what you chose during installation). Log in with the
username admin and the password admin (you should change the default password after your first login).
The system is now ready to be used.

20.1 ISPConfig 3 Manual
In order to learn how to use ISPConfig 3, I strongly recommend downloading the ISPConfig 3 Manual[5].
On more than 300 pages, it covers the concept behind ISPConfig (admin, resellers, clients), explains how to
install and update ISPConfig 3, includes a reference for all forms and form fields in ISPConfig together with
examples of valid inputs, and provides tutorials for the most common tasks in ISPConfig 3. It also outlines how
to make your server more secure and comes with a troubleshooting section at the end.

20.2 ISPConfig Monitor App For Android
With the ISPConfig Monitor App, you can check your server status and find out if all services are running as
expected. You can check TCP and UDP ports and ping your servers. In addition to that, you can use this app to
request details from servers that have ISPConfig installed (please note that the minimum installed ISPConfig
3 version with support for the ISPConfig Monitor App is 3.0.3.3!); these details include everything you know
from the Monitor module in the ISPConfig Control Panel (e.g. services, mail and system logs, mail queue, CPU
and memory info, disk usage, quota, OS details, RKHunter log, etc.), and of course, as ISPConfig is multiserver
capable, you can check all servers that are controlled from your ISPConfig master server.
For download and usage instructions, please visit
http://www.ispconfig.org/ispconfig3/ispconfigmonitorappforandroid/[6].

21 Additional Notes
21.1 OpenVZ
If the Debian server that you've just set up in this tutorial is an OpenVZ container (virtual machine), you should
do this on the host system (I'm assuming that the ID of the OpenVZ container is 101; replace it with the correct
VPSID on your system):
VPSID=101
# Switch on each capability for the container and save it to the container's configuration
for CAP in CHOWN DAC_READ_SEARCH SETGID SETUID NET_BIND_SERVICE NET_ADMIN SYS_CHROOT SYS_NICE
do
  vzctl set "$VPSID" --capability ${CAP}:on --save
done
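
To check afterwards which of these capabilities a container really has switched on, the following added example (not part of the original tutorial) parses a container configuration and prints the vzctl calls that are still outstanding, plus any capability that is on but not in the tutorial's list. It assumes that vzctl stores the settings on a CAPABILITY="NAME:on ..." line in the container's config file (for example /etc/vz/conf/101.conf); the function names and the sample config are constructed for illustration.

```shell
# Added example: audit an OpenVZ container config against the tutorial's list.
# Assumption: vzctl --save keeps the settings on a CAPABILITY="NAME:on ..." line.
REQUIRED_CAPS="CHOWN DAC_READ_SEARCH SETGID SETUID NET_BIND_SERVICE NET_ADMIN SYS_CHROOT SYS_NICE"

# stdin: config text. stdout: "NAME on|off" per capability, last setting wins.
cap_state() {
    awk '
        /^[ \t]*CAPABILITY=/ {
            sub(/^[ \t]*CAPABILITY=/, ""); gsub(/"/, "")
            n = split($0, items, /[ \t]+/)
            for (i = 1; i <= n; i++) if (split(items[i], kv, ":") == 2)
                state[toupper(kv[1])] = tolower(kv[2])
        }
        END { for (c in state) print c, state[c] }
    ' | sort
}

# $1: config path. Prints required capabilities that are not switched on.
missing_caps() {
    states=$(cap_state < "$1")
    for cap in $REQUIRED_CAPS; do
        printf '%s\n' "$states" | grep -qxF "$cap on" || printf '%s\n' "$cap"
    done
}

# $1: config path. Prints capabilities that are on but not in the list above.
extra_caps() {
    cap_state < "$1" | while read -r cap state; do
        [ "$state" = on ] || continue
        case " $REQUIRED_CAPS " in *" $cap "*) ;; *) printf '%s\n' "$cap" ;; esac
    done
}

# $1: VPSID, $2: config path. Prints (does not run) the vzctl calls still needed.
pending_commands() {
    for cap in $(missing_caps "$2"); do
        printf 'vzctl set %s --capability %s:on --save\n' "$1" "$cap"
    done
}

# Constructed sample config, not taken from a real host.
write_sample_conf() {
    cat > "$1" <<'EOF'
HOSTNAME="server1.example.com"
CAPABILITY="CHOWN:on DAC_READ_SEARCH:on SETGID:on SETUID:on NET_BIND_SERVICE:on SYS_TIME:on NET_ADMIN:off"
EOF
}

conf=$(mktemp) && write_sample_conf "$conf"
pending_commands 101 "$conf"; echo "not in the list: $(extra_caps "$conf")"; rm -f "$conf"
```

On a real host, pass the container's own config file instead of the sample; the script only reads the file and prints commands, it does not change the container.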

22 Links
1. http://www.ispconfig.org/
2. https://www.howtoforge.com/tutorial/debian8jessieminimalserver/
3. http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
4. https://www.howtoforge.com/cdncgi/l/emailprotection
5. https://www.howtoforge.com/downloadtheispconfig3manual
6. http://www.ispconfig.org/ispconfig3/ispconfigmonitorappforandroid/
