ISPConfig on Debian 9 with browser-acceptable SSL.

This article is based on the: https://www.howtoforge.com/tutorial/perfect-server-debian-9-stretch-apache-bind-dovecot-ispconfig-3-1/

Some minor modifications have been made. The original article is more extensive. Tested on Debian 9.2.1.

  • Install Debian 9 using netinstall.iso. I will assume hostname s1 and domain vberry.net; my name servers are ns1.vberry.net and ns2.vberry.net.
  • Install basic tools.

apt-get install mc nano vim-nox ssh openssh-server net-tools

  • Set the list of known hosts, especially our own host (otherwise the DNS server will have problems). I prefer mcedit as text editor.

Edit /etc/hosts (mcedit /etc/hosts). Content:

# Your system has configured 'manage_etc_hosts' as True.
# As a result, if you wish for changes to this file to persist
# then you will need to either
# a.) make changes to the master file in /etc/cloud/templates/hosts.tmpl
# b.) change or remove the value of 'manage_etc_hosts' in
# /etc/cloud/cloud.cfg or cloud-config from user-data
#
127.0.0.1 localhost.localdomain localhost db1.vberry.net
164.132.58.55 s1.vberry.net ns1.vberry.net s1 ns1
#
# The following lines are desirable for IPv6 capable hosts
2001:41d0:0401:3100:0000:0000:0000:41b5 s1.vberry.net s1
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

  • Now we need to make the IP address static if it is not already. Edit /etc/network/interfaces (mcedit /etc/network/interfaces). Content:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
source /etc/network/interfaces.d/*
# The loopback network interface
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
address 164.132.58.55
netmask 255.255.255.255
dns-nameservers 213.186.33.99 8.8.8.8
gateway 164.132.56.1

  • I prefer to disable IPv6 as I'm not using it. Run this command once only (it appends a line to sysctl.conf, so running it twice duplicates the entry):

echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.conf

Edit /etc/default/grub (mcedit /etc/default/grub) and set the following line:

GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0 ipv6.disable=1"

This gives the network devices their classic names (eth0, eth1, eth2) and disables IPv6 in the kernel.

Then reinstall GRUB: grub-install /dev/xvda, where /dev/xvda is your boot device (/dev/sda and /dev/hda are typical device names). The kernel command line in grub.cfg is generated from /etc/default/grub by update-grub, so if the new options are not visible in /proc/cmdline after the reboot, run update-grub and reboot again.

Now reboot your server.

  • Verify your hostname before installing ISPConfig.

root@s1:/# hostname
s1
root@s1:/# hostname -f
s1.vberry.net

  • Check the Debian repositories:

mcedit /etc/apt/sources.list. Content:

deb http://deb.debian.org/debian stretch main contrib non-free
deb-src http://deb.debian.org/debian stretch main contrib non-free
## Major bug fix updates produced after the final release of the
## distribution.
deb http://security.debian.org/ stretch/updates main contrib non-free
deb-src http://security.debian.org/ stretch/updates main contrib non-free
deb http://deb.debian.org/debian stretch-updates main contrib non-free
deb-src http://deb.debian.org/debian stretch-updates main contrib non-free

Now issue command:

apt-get update; apt-get upgrade

  • Set bash as the default shell, otherwise the ISPConfig installer will fail:

dpkg-reconfigure dash

Use dash as the default system shell (/bin/sh)? <- no

  • Install the packages:

apt-get install postfix postfix-mysql postfix-doc mariadb-client mariadb-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve dovecot-lmtpd sudo ntp

When asked by the postfix package:

General type of mail configuration: <– Internet Site
System mail name: <– s1.vberry.net

  • Configure the MariaDB (MySQL) server:

mysql_secure_installation

Enter current password for root (enter for none): <– Enter your root password

Change the root password? [Y/n] <– n

Remove anonymous users? [Y/n] <– y
Disallow root login remotely? [Y/n] <– y
Remove test database and access to it? [Y/n] <– y
Reload privilege tables now? [Y/n] <– y

Now we allow the MariaDB server to listen on all interfaces. Note that this exposes TCP port 3306 to the network, so make sure the firewall installed later does not let it through from the outside:

mcedit /etc/mysql/mariadb.conf.d/50-server.cnf

[...]

# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
bind-address = 0.0.0.0
sql-mode="NO_ENGINE_SUBSTITUTION"

[...]

Set the password authentication method in MariaDB to native so that we can use phpMyAdmin later to connect as the root user:

echo "update mysql.user set plugin = 'mysql_native_password' where user='root';" | mysql -u root

Tell the Debian maintenance scripts your MySQL root password:

mcedit /etc/mysql/debian.cnf

# Automatically generated for Debian scripts. DO NOT TOUCH!
[client]
host = localhost
user = root
password = YourRootPasswordForMysqlServer
socket = /var/run/mysqld/mysqld.sock
[mysql_upgrade]
host = localhost
user = root
password = YourRootPasswordForMysqlServer
socket = /var/run/mysqld/mysqld.sock
basedir = /usr

Restart mysql database:

/etc/init.d/mysql restart

To verify that the server is listening on all IPv4 addresses, issue the command:

netstat -nlp | grep mysql

The expected output is:

tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 1703/mysqld

Pay attention: it must be tcp, not tcp6!

Now try to connect to MySQL:

mysql -u root -p

If you get connected after entering the password, everything is OK. If you can't connect, try connecting without a password: mysql -u root. If that works, the root account has no password and you must set one. Connect to the server and type these commands in the MySQL console:

SET PASSWORD FOR 'root'@'localhost' = PASSWORD('YourRootPasswordForMysqlServer');
FLUSH PRIVILEGES;
quit;

Now try to connect using root password again.

  • Configure the Postfix mail server: uncomment these lines in /etc/postfix/master.cf (mcedit /etc/postfix/master.cf):

[...]

smtp inet n - y - - smtpd
#smtp inet n - y - 1 postscreen
#smtpd pass - - y - - smtpd
#dnsblog unix - - y - 0 dnsblog
#tlsproxy unix - - y - 0 tlsproxy
submission inet n - y - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

[...]

Restart postfix:

/etc/init.d/postfix restart

  • Install antispam and antivirus software:

apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl libdbd-mysql-perl postgrey

The ISPConfig 3 setup uses amavisd which loads the SpamAssassin filter library internally, so we can stop SpamAssassin to free up some RAM:

/etc/init.d/spamassassin stop
systemctl disable spamassassin

Install Apache2 and useful hosting software:

apt-get -y install apache2 apache2-doc apache2-utils libapache2-mod-php php7.0 php7.0-common php7.0-gd php7.0-mysql php7.0-imap phpmyadmin php7.0-cli php7.0-cgi libapache2-mod-fcgid apache2-suexec-pristine php-pear php7.0-mcrypt mcrypt  imagemagick libruby libapache2-mod-python php7.0-curl php7.0-intl php7.0-pspell php7.0-recode php7.0-sqlite3 php7.0-tidy php7.0-xmlrpc php7.0-xsl memcached php-memcache php-imagick php-gettext php7.0-zip php7.0-mbstring memcached libapache2-mod-passenger php7.0-soap

Answer the questions:

Web server to reconfigure automatically: <– apache2
Configure database for phpmyadmin with dbconfig-common? <– yes
Enter the phpmyadmin application password? <– Press enter

Enter the password of the administrative user? <- YourRootPasswordForMysqlServer

Then enable apache modules:

a2enmod suexec rewrite ssl actions include dav_fs dav auth_digest cgi headers

To ensure that the server cannot be attacked through the HTTPoxy vulnerability (a CGI script turning the client-supplied Proxy request header into the HTTP_PROXY environment variable), we drop the Proxy header in Apache globally. Create the file mcedit /etc/apache2/conf-available/httpoxy.conf with the following content:

<IfModule mod_headers.c>
RequestHeader unset Proxy early
</IfModule>

The file is not read until it is enabled (a2enconf httpoxy links it into conf-enabled). Then restart the apache2 service:

/etc/init.d/apache2 restart

  • Install the Let's Encrypt client. Let's Encrypt is a free certificate authority, so it is now possible to create an SSL certificate that browsers accept without warnings, for free, with one simple click in the ISPConfig panel!

apt-get install certbot

A dream come true: in the website configuration, under SSL, you can now tick Let's Encrypt for automatic certificate generation!

  • To use PHP-FPM with Apache we need the mod_proxy_fcgi Apache module, which is installed by default and only needs to be enabled. Install PHP-FPM and enable the modules as follows:

apt-get -y install php7.0-fpm
a2enmod actions proxy_fcgi alias
/etc/init.d/apache2 restart

  • Install and configure mailman.

apt-get install mailman

Answer the questions:

Languages to support: <– en (English) pl (Polish)
Missing site list <– Ok

Edit /etc/aliases (mcedit /etc/aliases) and add the following content at the bottom of the file:

## mailman mailing list
mailman: "|/var/lib/mailman/mail/mailman post mailman"
mailman-admin: "|/var/lib/mailman/mail/mailman admin mailman"
mailman-bounces: "|/var/lib/mailman/mail/mailman bounces mailman"
mailman-confirm: "|/var/lib/mailman/mail/mailman confirm mailman"
mailman-join: "|/var/lib/mailman/mail/mailman join mailman"
mailman-leave: "|/var/lib/mailman/mail/mailman leave mailman"
mailman-owner: "|/var/lib/mailman/mail/mailman owner mailman"
mailman-request: "|/var/lib/mailman/mail/mailman request mailman"
mailman-subscribe: "|/var/lib/mailman/mail/mailman subscribe mailman"
mailman-unsubscribe: "|/var/lib/mailman/mail/mailman unsubscribe mailman"

Now edit the Postfix configuration file (mcedit /etc/postfix/main.cf), find these variables or create them, and set the values as below:

owner_request_special = no
virtual_maps = hash:/var/lib/mailman/data/virtual-mailman
alias_maps = hash:/var/lib/mailman/data/aliases

Edit the Mailman configuration file (mcedit /etc/mailman/mm_cfg.py) and set these two lines:

MTA='Postfix'
POSTFIX_STYLE_VIRTUAL_DOMAINS = ['vberry.net']

Now run:

newaliases
/etc/init.d/postfix restart

Now enable the Mailman admin panel in Apache:

ln -s /etc/mailman/apache.conf /etc/apache2/conf-enabled/mailman.conf

And then restart apache: /etc/init.d/apache2 restart

This defines the alias /cgi-bin/mailman/ for all Apache vhosts, which means you can access the Mailman admin interface for a list at http://s1.vberry.net/cgi-bin/mailman/admin/, and the web page for users of a mailing list can be found at http://s1.vberry.net/cgi-bin/mailman/listinfo/.

Under http://s1.vberry.net/pipermail you can find the mailing list archives.

Now check the Mailman permissions with the command check_perms and fix any errors by running:

chgrp -h list /var/lib/mailman/*
sudo -u root check_perms -f

Now start mailman: /etc/init.d/mailman start

  • Install PureFTPD and quota:

apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool

Edit the PureFTPd defaults so it runs as a standalone daemon (mcedit /etc/default/pure-ftpd-common):

[...]
STANDALONE_OR_INETD=standalone
[...]
VIRTUALCHROOT=true
[...]

Now we configure PureFTPd to accept both plain FTP and TLS sessions. This matters because plain FTP sends the password in clear text over the network; TLS encrypts it. (The value 1 accepts both; 2 would accept only TLS sessions and refuse clear-text logins.)

echo 1 > /etc/pure-ftpd/conf/TLS

In order to use TLS, we must create an SSL certificate. A good location for those files is /etc/ssl/private/, so I create that directory first:

mkdir -p /etc/ssl/private/

Now we can generate a self-signed certificate. Later it can be replaced by a Let's Encrypt certificate, but that is a bit tricky because PureFTPd expects the private key and the certificate together in one PEM file (which is why the command below writes both to pure-ftpd.pem).

openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem

Country Name (2 letter code) [AU]: <– Enter your Country Name („PL”).
State or Province Name (full name) [Some-State]: <– Enter your State or Province Name.
Locality Name (eg, city) []: <– Enter your City.
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <– Enter your Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) []: <– Enter your Organizational Unit Name (e.g. „IT Department”).
Common Name (eg, YOUR name) []: <– s1.vberry.net
Email Address []: <– Enter your Email Address (e.g. „office@vberry.net”).

Set the permissions of the SSL certificate and restart ftp server:

chmod 600 /etc/ssl/private/pure-ftpd.pem

/etc/init.d/pure-ftpd-mysql restart

Now modify /etc/fstab to support quota. This is a bit tricky because your fstab will look different from mine. You need to add the following to the mount options of your data partitions: ,usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0. Mine looks like below; /dev/xvda2 is my root partition and /dev/xvdb1 is my /var partition, where all the data is stored. The part I added is the quota options at the end of the options field of those two lines.

# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
#
# / was on /dev/xvda2 during installation
UUID=28c1a64e-1599-444a-8aff-93421a34a73e / ext4 errors=remount-ro,usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0 0 1
# /var was on /dev/xvdb1 during installation
UUID=4a9708bc-0345-4671-8dec-39c039642597 /var ext4 defaults,usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0 0 2
# swap was on /dev/xvda1 during installation
UUID=ef2a1a88-6c74-4570-a4da-fe14f825c321 none swap sw 0 0
/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0

Now turn on quota:

mount -o remount /
mount -o remount /var
quotacheck -avugm
quotaon -avug
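The fstab edit is the step most likely to go wrong, since every server's fstab differs. The following is an added example, not from the original article or from ISPConfig: a small POSIX shell/awk helper that appends the quota mount options only to the mount points you name, passes comments, swap and other filesystems through unchanged, and adds nothing if run a second time. The fstab it is demonstrated on is constructed (placeholder UUIDs), mirroring the layout above.

```shell
#!/bin/sh
# Added example: append the ISPConfig quota mount options to selected fstab entries.
# Not part of the original article; the sample fstab below is constructed for the demo.

QUOTA_OPTS='usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0'

# add_quota_opts FSTAB MOUNTPOINT...
# Prints FSTAB with QUOTA_OPTS appended to the 4th (options) field of every
# entry whose mount point is listed. Comments, blank/short lines and other
# filesystems pass through unchanged; entries that already carry usrjquota=
# are left alone, so the function is safe to run more than once.
add_quota_opts() {
  fstab=$1
  shift
  awk -v opts="$QUOTA_OPTS" -v mps="$*" '
    BEGIN { n = split(mps, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
    /^[ \t]*#/ || NF < 4 { print; next }   # keep comments and odd lines as they are
    ($2 in want) && index($4, "usrjquota=") == 0 { $4 = $4 "," opts }
    { print }
  ' "$fstab"
}

# Constructed sample fstab mirroring the layout in the article: / and /var on
# separate ext4 filesystems, plus swap and a cdrom line that must not change.
SAMPLE_FSTAB=$(mktemp)
trap 'rm -f "$SAMPLE_FSTAB"' EXIT
cat >"$SAMPLE_FSTAB" <<'EOF'
# /etc/fstab: static file system information (constructed sample).
# / was on /dev/xvda2 during installation
UUID=ROOT-UUID-PLACEHOLDER / ext4 errors=remount-ro 0 1
# /var was on /dev/xvdb1 during installation
UUID=VAR-UUID-PLACEHOLDER /var ext4 defaults 0 2
UUID=SWAP-UUID-PLACEHOLDER none swap sw 0 0
/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0
EOF

# On the real server: add_quota_opts /etc/fstab / /var > /etc/fstab.new, inspect the
# diff, move it into place, then remount and run quotacheck/quotaon as shown above.
add_quota_opts "$SAMPLE_FSTAB" / /var
```

Pass only mount points that are separate filesystems; if /var lives on the root filesystem, pass just /. Compare the generated file with the original (diff) before replacing /etc/fstab, because a malformed fstab can leave the server unbootable.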

  • Install DNS server: apt-get install bind9 dnsutils haveged

Install AWStats and Webalizer (packages awstats and webalizer). Then edit /etc/cron.d/awstats (mcedit /etc/cron.d/awstats) and comment out its lines, because ISPConfig schedules the AWStats runs itself:

#MAILTO=root
#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh
# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh

  • Install jailkit to allow ssh users to chroot:

apt-get install build-essential autoconf automake libtool flex bison debhelper binutils

Now compile Jailkit and build a Debian package from it:

cd /tmp
wget http://olivier.sessink.nl/jailkit/jailkit-2.19.tar.gz
tar xvfz jailkit-2.19.tar.gz
cd jailkit-2.19
echo 5 > debian/compat
./debian/rules binary

Now install debian package:

cd ..
dpkg -i jailkit_2.19-1_*.deb
rm -rf jailkit-2.19*

  • Install fail2ban and the ufw firewall:

apt-get install fail2ban ufw

To make fail2ban monitor PureFTPd, Dovecot and Postfix SASL logins, create the file /etc/fail2ban/jail.local:

mcedit /etc/fail2ban/jail.local

[pure-ftpd]
enabled = true
port = ftp
filter = pure-ftpd
logpath = /var/log/syslog
maxretry = 3
[dovecot]
enabled = true
filter = dovecot
logpath = /var/log/mail.log
maxretry = 5
[postfix-sasl]
enabled = true
port = smtp
filter = postfix-sasl
logpath = /var/log/mail.log
maxretry = 3

Then restart fail2ban:

/etc/init.d/fail2ban restart
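To see what the three jails above actually do with the logs they watch, here is an added example, not from the original article or from fail2ban: a shell script that extracts the client address from failed-login lines the way the stock pure-ftpd, dovecot and postfix-sasl filters do (the sed patterns are my approximation of those filters), counts failures per address and lists the addresses that reach the jail's maxretry. All log lines are constructed; findtime and bantime are not modelled.

```shell
#!/bin/sh
# Added example: replay the three jails from jail.local against sample log lines
# to see which source addresses would reach maxretry. Not part of the original
# article or of fail2ban; the sed patterns approximate fail2ban's stock pure-ftpd,
# dovecot and postfix-sasl filters, and every log line below is constructed.

# failed_ips FILTER LOGFILE: print the client IP of every failed login matched by FILTER.
failed_ips() {
  case $1 in
    pure-ftpd)
      # "pure-ftpd: (?@203.0.113.5) [WARNING] Authentication failed for user [admin]"
      sed -n 's/.*pure-ftpd: (.*@\([0-9.]*\)) \[WARNING\] Authentication failed for user.*/\1/p' "$2" ;;
    dovecot)
      # "dovecot: imap-login: Disconnected (auth failed, ...): user=<bob>, ..., rip=203.0.113.9, ..."
      sed -n 's/.*dovecot: [a-z0-9]*-login: .*auth failed.*rip=\([0-9.]*\),.*/\1/p' "$2" ;;
    postfix-sasl)
      # "postfix/smtpd[2211]: warning: unknown[192.0.2.44]: SASL LOGIN authentication failed: ..."
      sed -n 's|.*postfix/smtpd\[[0-9]*\]: warning: [^[]*\[\([0-9.]*\)\]: SASL [A-Z-]* authentication failed.*|\1|p' "$2" ;;
    *) echo "unknown filter: $1" >&2; return 1 ;;
  esac
}

# banned_ips FILTER LOGFILE MAXRETRY: addresses whose failure count reached MAXRETRY
# (fail2ban bans once the count within findtime reaches maxretry; findtime is ignored here).
banned_ips() {
  failed_ips "$1" "$2" | sort | uniq -c | awk -v max="$3" '$1 >= max { print $2 }'
}

# report LOGFILE: one line per address that each jail would ban, using the maxretry
# values from the jail.local above.
report() {
  log=$1
  for jail_max in "pure-ftpd 3" "dovecot 5" "postfix-sasl 3"; do
    jail=${jail_max% *}
    max=${jail_max#* }
    for ip in $(banned_ips "$jail" "$log" "$max"); do echo "$jail would ban $ip"; done
  done
}

# Constructed sample of /var/log/syslog and /var/log/mail.log lines (TEST-NET addresses).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
Nov 12 10:00:01 s1 pure-ftpd: (?@203.0.113.5) [WARNING] Authentication failed for user [admin]
Nov 12 10:00:03 s1 pure-ftpd: (?@203.0.113.5) [WARNING] Authentication failed for user [admin]
Nov 12 10:00:05 s1 pure-ftpd: (?@203.0.113.5) [WARNING] Authentication failed for user [root]
Nov 12 10:00:07 s1 pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [web1]
Nov 12 10:00:09 s1 pure-ftpd: (?@198.51.100.7) [INFO] web1 is now logged in
Nov 12 10:01:00 s1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=203.0.113.9, lip=164.132.58.55, TLS
Nov 12 10:01:05 s1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=203.0.113.9, lip=164.132.58.55, TLS
Nov 12 10:01:10 s1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=203.0.113.9, lip=164.132.58.55, TLS
Nov 12 10:01:15 s1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.9, lip=164.132.58.55, TLS
Nov 12 10:01:20 s1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.9, lip=164.132.58.55, TLS
Nov 12 10:01:25 s1 dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=198.51.100.7, lip=164.132.58.55, mpid=4242, TLS
Nov 12 10:02:00 s1 postfix/smtpd[2211]: warning: unknown[192.0.2.44]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 12 10:02:04 s1 postfix/smtpd[2211]: warning: unknown[192.0.2.44]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 12 10:02:08 s1 postfix/smtpd[2215]: warning: unknown[192.0.2.44]: SASL PLAIN authentication failed: authentication failure
Nov 12 10:02:12 s1 postfix/smtpd[2215]: warning: mail.example.net[203.0.113.5]: SASL PLAIN authentication failed: authentication failure
EOF

report "$SAMPLE_LOG"
```

The script prints one line per jail and address that would be banned (203.0.113.5 for pure-ftpd, 203.0.113.9 for dovecot, 192.0.2.44 for postfix-sasl); 198.51.100.7 fails once and then logs in, so it stays under every threshold. On a live server the authoritative check is fail2ban-regex against the real log and filter file, which this replay only approximates.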

  • Install RoundCube, a nice webmail interface:

apt-get install roundcube roundcube-core roundcube-mysql roundcube-plugins

Answer the questions:

Configure database for roundcube with dbconfig-common? <– yes
MySQL application password for roundcube: <– press enter (random password will be generated)
Password of the databases administrative user: <– enter the MySQL root password here if asked.

Open the configuration file (mcedit /etc/roundcube/config.inc.php) and set the mail server host to localhost:

$config['default_host'] = 'localhost';
$config['smtp_server'] = 'localhost';

Add an alias for roundcube on your apache2 server:

echo "Alias /webmail /var/lib/roundcube" >> /etc/apache2/conf-enabled/roundcube.conf
/etc/init.d/apache2 restart

  • Now we are ready to install ISPConfig 3.

Download it:
cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/

Run the installer: php -q install.php

>> Initial configuration

Operating System: Debian 9.0 (Stretch) or compatible

Following will be a few questions for primary configuration so be careful.
Default values are in [brackets] and can be accepted with <ENTER>.
Tap in "quit" (without the quotes) to stop the installer.

Select language (en,de) [en]: en <hit enter>

Installation mode (standard,expert) [standard]: <hit enter>

Full qualified hostname (FQDN) of the server, eg server1.domain.tld [s1.vberry.net]: <hit enter>

MySQL server hostname [localhost]: <hit enter>

MySQL server port [3306]: <hit enter>

MySQL root username [root]: <hit enter>

MySQL root password []: YourRootPasswordForMysqlServer

MySQL database to create [dbispconfig]: <hit enter>

MySQL charset [utf8]: <hit enter>

Configuring Postgrey
Configuring Postfix
Generating a 4096 bit RSA private key
.....++
.......++
writing new private key to 'smtpd.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:PL
State or Province Name (full name) [Some-State]:Wroclaw
Locality Name (eg, city) []:Wroclaw
Organization Name (eg, company) [Internet Widgits Pty Ltd]:vberry
Organizational Unit Name (eg, section) []:vberry
Common Name (e.g. server FQDN or YOUR name) []:s1.vberry.net
Email Address []:biuroo@vberry.net
Configuring Mailman
Configuring Dovecot
Configuring Spamassassin
Configuring Amavisd
Configuring Getmail
Configuring Jailkit
Configuring Pureftpd
Configuring BIND
[INFO] haveged not detected – DNSSEC can fail
Configuring Apache
Configuring vlogger
[INFO] service OpenVZ not detected
Configuring Ubuntu Firewall
[INFO] service Metronome XMPP Server not detected
Configuring Fail2ban
Configuring Apps vhost
Installing ISPConfig
ISPConfig Port [8080]: <hit enter>

Admin password [admin]: ispPassword

Re-enter admin password []: ispPassword

Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]: <hit enter>

Generating RSA private key, 4096 bit long modulus
…………..++
…………………………………………………………………………………………………..++
e is 65537 (0x010001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:PL
State or Province Name (full name) [Some-State]:Wroclaw
Locality Name (eg, city) []:Wroclaw
Organization Name (eg, company) [Internet Widgits Pty Ltd]:vberry
Organizational Unit Name (eg, section) []:vberry
Common Name (e.g. server FQDN or YOUR name) []:s1.vberry.net
Email Address []:biuroo@vberry.net

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <hit enter>
An optional company name []: <hit enter>
writing RSA key

Configuring DBServer
Installing ISPConfig crontab
Installing ISPConfig crontab
no crontab for root
no crontab for getmail
Detect IP addresses
Restarting services …
Installation completed.

Now you can log in to your ISPConfig 3 panel at https://s1.vberry.net:8080 or https://ipAddress:8080.

  • Configuring Let's Encrypt SSL certificates for ISPConfig. If you installed this server following the tutorial (The Perfect Server) that this article is based on, the part that is unique to this article begins here, and you should start reading from this point.

Create the certificate for the s1.vberry.net domain by adding a web site in ISPConfig with your server's host and domain name.

Tick the SSL and Let's Encrypt fields, as shown in the screenshot.

If your domain is properly configured, the certificate should appear in the /etc/letsencrypt/live/s1.vberry.net/ folder:

cert.pem chain.pem fullchain.pem privkey.pem README

It is used automatically for HTTPS connections to the site. We can use the same certificate to encrypt Postfix (SMTP) and IMAP connections as well, to get rid of the certificate warnings in e-mail programs.
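Reusing the certificate for mail is where the article stops, so the following is an added example, not from the original article or from ISPConfig: a shell helper that checks that the Let's Encrypt live directory above holds a certificate and a private key that belong together, prints the Postfix main.cf and Dovecot settings that point at them, and optionally applies them. The parameter names are the standard Postfix (smtpd_tls_cert_file, smtpd_tls_key_file) and Dovecot (ssl_cert, ssl_key) ones; the drop-in file name /etc/dovecot/conf.d/99-letsencrypt.conf is my choice, and the "apply" action assumes openssl, postconf and systemctl are present and that it runs as root on the server.

```shell
#!/bin/sh
# Added example: reuse the Let's Encrypt certificate that ISPConfig obtained for
# s1.vberry.net for Postfix (SMTP) and Dovecot (IMAP/POP3). Not from the original
# article or from ISPConfig. Assumes the certbot layout shown above (fullchain.pem
# and privkey.pem in the live directory).

LE_DIR=/etc/letsencrypt/live/s1.vberry.net

# check_le_dir DIR: both files must be readable and the private key must belong to
# the leaf certificate (first block of fullchain.pem). A renewed certificate paired
# with a stale key is a classic cause of a mail server that fails every TLS handshake.
check_le_dir() {
  for f in fullchain.pem privkey.pem; do
    if [ ! -r "$1/$f" ]; then echo "missing $1/$f" >&2; return 1; fi
  done
  cert_pub=$(openssl x509 -in "$1/fullchain.pem" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$1/privkey.pem" -pubout) || return 1
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "privkey.pem does not match fullchain.pem in $1" >&2
    return 1
  fi
}

# postfix_tls_settings DIR: main.cf parameters, one "name = value" per line, in the
# form postconf -e accepts. fullchain.pem carries the intermediate so clients can
# build the chain; privkey.pem is the matching key.
postfix_tls_settings() {
  printf '%s\n' \
    "smtpd_tls_cert_file = $1/fullchain.pem" \
    "smtpd_tls_key_file = $1/privkey.pem"
}

# dovecot_tls_settings DIR: a conf.d drop-in; the leading "<" tells Dovecot to read
# the file contents. Named 99-* so it loads after ISPConfig's 10-ssl.conf and wins.
dovecot_tls_settings() {
  printf 'ssl = yes\nssl_cert = <%s/fullchain.pem\nssl_key = <%s/privkey.pem\n' "$1" "$1"
}

# apply_tls_settings DIR: validate first, then write both configs and restart the daemons.
apply_tls_settings() {
  check_le_dir "$1" || return 1
  postfix_tls_settings "$1" | while IFS= read -r setting; do postconf -e "$setting"; done
  dovecot_tls_settings "$1" >/etc/dovecot/conf.d/99-letsencrypt.conf   # assumed drop-in name
  systemctl restart postfix dovecot
}

# Usage: sh le-mail-tls.sh check|show|apply [LIVE_DIR]  (no arguments: only define the functions)
case ${1:-} in
  check) check_le_dir "${2:-$LE_DIR}" && echo "certificate and key in ${2:-$LE_DIR} match" ;;
  show)  postfix_tls_settings "${2:-$LE_DIR}"; echo; dovecot_tls_settings "${2:-$LE_DIR}" ;;
  apply) apply_tls_settings "${2:-$LE_DIR}" ;;
esac
```

Run "check" first and "show" to review the settings before "apply". Both daemons read the files when they start, so after certbot renews the certificate (which the ISPConfig panel triggers automatically) Postfix and Dovecot need a reload to pick up the new files; a certbot deploy hook is the usual place for that.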
