ISPConfig 3 (nginx)


This section walks you through the setup of a working ISPConfig 3 (nginx) VM. It is based on The Perfect Server - Debian Wheezy (nginx, BIND, Dovecot, ISPConfig 3) tutorial.

We assume that, before starting this section, you already have a Debian Wheezy XVA template available. If you do not have one yet, please refer to this wiki article.



> xe vm-import filename=/root/XVAs/DebianWheezy-7.5.xva

VM renaming and resource allocation

Once imported, we rename the VM and change its memory allocation.

From XOA interface:

  • Rename VM: ISPConfig-3-nginx
  • Allocate 4GB RAM

Virtual network interface (vif) association

From Dom0 CLI:
Then we re-allocate the vif (virtual network interface) and link it to a specified MAC address given by the provider for the targeted FO IP (mac=02:00:00:84:fb:29).

> xe vm-list
> xe network-list
> xe vif-list vm-name-label=ISPConfig-3-nginx --minimal
<vif-uuid>
> xe vif-destroy uuid=<vif-uuid>
> xe vif-create vm-uuid=<ispconfig-vm-uuid> network-uuid=<ntwrk-uuid> device=0 mac="02:00:00:84:fb:29"

Change the host name

> nano /etc/hostname
> nano /etc/hosts


Update sources


Make sure that your sources list contains the wheezy-updates repository (this makes sure you always get the newest updates for the ClamAV virus scanner - this project publishes releases very often, and sometimes old versions stop working).

To keep things clean, we'll add a file in the /etc/apt/sources.list.d directory containing our additional sources references:

> mkdir -p /etc/apt/sources.list.d
> nano /etc/apt/sources.list.d/wheezy-updates.list

Change The Default Shell


/bin/sh is a symlink to /bin/dash, however we need /bin/bash, not /bin/dash (if you don't do this the ISPConfig installation will fail). Therefore we do this:

> dpkg-reconfigure dash

SELECT: NO

Synchronize the System Clock


> apt-get install ntp ntpdate

Install Postfix, Dovecot, MySQL, phpMyAdmin, rkhunter, binutils


This is achieved in a single command:

> apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve sudo

You'll have to answer a few questions during installation:

  • General type of mail configuration: Internet Site
  • System mail name: server1.example.com
  • New password for the MySQL “root” user: yourrootsqlpassword
  • Repeat password for the MySQL “root” user: yourrootsqlpassword

Postfix


Next open the TLS/SSL and submission ports in Postfix:

> nano /etc/postfix/master.cf

Uncomment the submission and smtps sections as follows (leave the -o milter_macro_daemon_name=ORIGINATING lines commented out, as we don't need them):

...
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
...

Restart Postfix:

> service postfix restart
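
A way to confirm that the edit took effect, as an added example that is not part of the original page: it reads a master.cf and checks that the submission and smtps entries carry the TLS and SASL overrides listed above. The function names and the sample file are this example's own, and it assumes one -o option per line as in the listing.

```bash
# Added example: check that submission and smtps enforce TLS and SASL.
# Assumes one "-o name=value" per line, as in the listing on this page.

# Print each override of service $1 in master.cf file $2. A service entry
# starts in column 1; its options sit on the indented lines that follow.
service_overrides() {
    awk -v svc="$1" '
        /^[ \t]*#/ { next }                        # commented-out line
        /^[^ \t]/  { active = ($1 == svc); next }  # start of a service entry
        active && $1 == "-o" { print $2 }
    ' "$2"
}

# Return 0 only if service $1 in file $2 has every override listed after them.
require_overrides() {
    local svc="$1" file="$2" missing=0 opt
    shift 2
    for opt in "$@"; do
        if ! service_overrides "$svc" "$file" | grep -qxF -e "$opt"; then
            echo "MISSING: $svc lacks -o $opt" >&2
            missing=1
        fi
    done
    return "$missing"
}

audit_master_cf() {
    local rc=0 auth="smtpd_sasl_auth_enable=yes"
    local acl="smtpd_client_restrictions=permit_sasl_authenticated,reject"
    require_overrides submission "$1" smtpd_tls_security_level=encrypt "$auth" "$acl" || rc=1
    require_overrides smtps "$1" smtpd_tls_wrappermode=yes "$auth" "$acl" || rc=1
    return "$rc"
}

sample_master_cf() {    # constructed sample: the two entries as edited above
    cat <<'EOF'
submission inet n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
EOF
}

f=$(mktemp); sample_master_cf > "$f"
audit_master_cf "$f" && echo "OK: TLS and SASL required on both services"; rm -f "$f"
```

On the server, call audit_master_cf /etc/postfix/master.cf after the edit; a non-zero exit status means an override is missing or still commented out.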

MySQL


MySQL should listen on all interfaces, not just localhost, therefore we edit /etc/mysql/my.cnf and comment out the line bind-address = 127.0.0.1, then restart the service:

> nano /etc/mysql/my.cnf

LINE 47: #bind-address           = 127.0.0.1

> service mysql restart

Check that networking is enabled:

> netstat -tap | grep mysql
tcp        0      0 *:mysql                 *:*                     LISTEN      27358/mysqld


Amavisd-new, SpamAssassin and ClamAV


> apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl

ISPConfig 3 setup uses amavisd which loads the SpamAssassin filter library internally, so we can stop SpamAssassin to free up some RAM:

> service spamassassin stop
> update-rc.d -f spamassassin remove


nginx


> apt-get install nginx
> service nginx start

php-fpm


> apt-get install php5-fpm

php complementary packages


> apt-get install php5-mysql php5-curl php5-gd php5-intl php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-memcached php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl memcached

php.ini


> nano /etc/php5/fpm/php.ini

...
cgi.fix_pathinfo=0
...
date.timezone="Europe/Brussels"
...

> service php5-fpm reload

Available timezones can be found in the /usr/share/zoneinfo directory and its subdirectories.

fcgiwrap


To get CGI support in nginx, we install Fcgiwrap.

> apt-get install fcgiwrap 

Multiple php versions


In case you'd like to be able to select a different PHP version for each site, read How To Use Multiple PHP Versions (PHP-FPM & FastCGI) With ISPConfig 3 (Debian Wheezy)



phpMyAdmin


> apt-get install phpmyadmin

You'll have to answer 2 questions during the installation process:

  • Web server to reconfigure automatically: none (because only apache2 and lighttpd are available as options)
  • Configure database for phpmyadmin with dbconfig-common? No

PhpMyAdmin files are located in /usr/share/phpmyadmin/

The ISPConfig apps vhost on port 8081 for nginx comes with a phpMyAdmin configuration, so you can use http://server1.example.com:8081/phpmyadmin or http://server1.example.com:8081/phpMyAdmin to access phpMyAdmin.

For more info regarding nginx configuration for PhpMyAdmin see point 12.2 of this page in the perfect server guide.

Mailman


ISPConfig (3.0.4+) allows you to manage (create/modify/delete) Mailman mailing lists. If you want to make use of this feature, install Mailman as follows:

> apt-get install mailman

Select at least one language, and say OK when it says the site list is missing.
If you need a different set of languages at a later time, just run dpkg-reconfigure mailman.

> newlist mailman
  • Enter the email of the person running the list: admin email address, e.g. listadmin@example.com
  • Initial mailman password: admin password for the mailman list
> nano /etc/aliases

ADD:
## mailman mailing list
mailman:              "|/var/lib/mailman/mail/mailman post mailman"
mailman-admin:        "|/var/lib/mailman/mail/mailman admin mailman"
mailman-bounces:      "|/var/lib/mailman/mail/mailman bounces mailman"
mailman-confirm:      "|/var/lib/mailman/mail/mailman confirm mailman"
mailman-join:         "|/var/lib/mailman/mail/mailman join mailman"
mailman-leave:        "|/var/lib/mailman/mail/mailman leave mailman"
mailman-owner:        "|/var/lib/mailman/mail/mailman owner mailman"
mailman-request:      "|/var/lib/mailman/mail/mailman request mailman"
mailman-subscribe:    "|/var/lib/mailman/mail/mailman subscribe mailman"
mailman-unsubscribe:  "|/var/lib/mailman/mail/mailman unsubscribe mailman"

> newaliases

Restart Postfix, then start the Mailman daemon:

> service postfix restart
> service mailman start

For more info regarding nginx configuration for mailman see point 13 of this page in the perfect server guide.

PureFTPd And Quota


> apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool

Edit /etc/default/pure-ftpd-common to make sure that the start mode is set to standalone and set VIRTUALCHROOT=true

> nano /etc/default/pure-ftpd-common

...
STANDALONE_OR_INETD=standalone
...
VIRTUALCHROOT=true
...

To allow FTP and TLS sessions:

> echo 1 > /etc/pure-ftpd/conf/TLS

In order to use TLS, we must create an SSL certificate. Let's create it in /etc/ssl/private/, creating the directory first:

> mkdir -p /etc/ssl/private/

Then, we generate the SSL certificate as follows:

> openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem

Fill in all the requested information…

Change the permissions of the SSL certificate, and restart PureFTPd:

> chmod 600 /etc/ssl/private/pure-ftpd.pem
> service pure-ftpd-mysql restart

Edit /etc/fstab, adding ,usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0 to the partition with the mount point /:

> nano /etc/fstab

UUID=1d269e64-420e-47e1-84fc-c8f0b14c1345 /               ext4    errors=remount-ro,usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0 0       1

To enable quota, run these commands:

> mount -o remount /
> quotacheck -avugm
> quotaon -avug
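
One way to make the /etc/fstab edit above repeatable, as an added example that is not part of the original page: it appends only the quota options that are still missing from the entry mounted on /, keeps a backup, and changes nothing on a second run. The function names and the sample fstab are this example's own.

```bash
# Added example: add the journaled-quota options to the / entry of an fstab
# exactly once, keeping a backup. The sample fstab below is constructed.
QUOTA_OPTS="usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0"

# Print fstab file $1 with any missing quota option appended to the mount
# options (field 4) of the entry mounted on /. Only a modified line is
# re-joined with tabs; every other line is printed unchanged.
add_root_quota_opts() {
    awk -v add="$QUOTA_OPTS" '
        BEGIN { OFS = "\t"; n = split(add, want, ",") }
        /^[ \t]*#/ || NF < 4 || $2 != "/" { print; next }
        {
            for (i = 1; i <= n; i++) {
                key = want[i]; sub(/=.*/, "=", key)      # e.g. "usrjquota="
                if (index("," $4, "," key) == 0) $4 = $4 "," want[i]
            }
            print
        }' "$1"
}

# Rewrite file $1 only when something changed; prints "updated" or "unchanged".
apply_root_quota_opts() {
    local fstab="$1" tmp rc
    tmp=$(mktemp) || return 1
    add_root_quota_opts "$fstab" > "$tmp"
    if cmp -s "$fstab" "$tmp"; then rm -f "$tmp"; echo unchanged; return 0; fi
    cp -p "$fstab" "$fstab.bak" && cat "$tmp" > "$fstab" && echo updated
    rc=$?; rm -f "$tmp"; return "$rc"
}

# Constructed fstab holding the / entry from this page as it looks before the edit.
demo_fstab() {
    local f; f=$(mktemp)
    printf '%s\n' '# <file system> <mount point> <type> <options> <dump> <pass>' \
        'UUID=1d269e64-420e-47e1-84fc-c8f0b14c1345 /  ext4  errors=remount-ro 0 1' \
        'UUID=constructed-swap none  swap  sw  0 0' > "$f"
    echo "$f"
}

f=$(demo_fstab)
apply_root_quota_opts "$f"    # first run edits the file
apply_root_quota_opts "$f"    # second run finds nothing to do
awk '$2 == "/"' "$f"; rm -f "$f" "$f.bak"
```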

BIND DNS Server


> apt-get install bind9 dnsutils

Vlogger, Webalizer, And AWstats


> apt-get install vlogger webalizer awstats geoip-database libclass-dbi-mysql-perl
> nano /etc/cron.d/awstats

# Comment out everything in that file !

Jailkit


Jailkit is needed only if you want to chroot SSH users. It must be installed before ISPConfig - it cannot be installed afterwards!

> apt-get install build-essential autoconf automake1.9 libtool flex bison debhelper binutils-gold
> cd /tmp
> wget http://olivier.sessink.nl/jailkit/jailkit-2.15.tar.gz
> tar xvfz jailkit-2.15.tar.gz
> cd jailkit-2.15
> ./debian/rules binary
> cd ..
> dpkg -i jailkit_2.15-1_*.deb
> rm -rf jailkit-2.15*

fail2ban


> apt-get install fail2ban

To have fail2ban monitor PureFTPd and Dovecot, create the file /etc/fail2ban/jail.local:

> nano /etc/fail2ban/jail.local

[pureftpd]
enabled  = true
port     = ftp
filter   = pureftpd
logpath  = /var/log/syslog
maxretry = 3

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 5

[sasl]
enabled  = true
port     = smtp
filter   = sasl
logpath  = /var/log/mail.log
maxretry = 3
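
Each jail above names a filter and a log file, and a jail can only work if both exist. The following added example, which is not part of the original page, lists every enabled jail in a jail.local whose filter definition or log file is missing. The function names and the demo tree are this example's own, and it assumes a single path per logpath as in the file above.

```bash
# Added example: report enabled fail2ban jails whose filter or log is missing.

# Print "jail|filter|logpath" for every enabled jail in jail file $1.
enabled_jails() {
    awk -F'[ \t]*=[ \t]*' '
        function emit() { if (name != "" && name != "DEFAULT" && on) print name "|" filter "|" logpath }
        { sub(/[ \t\r]+$/, "") }                  # strip trailing whitespace
        /^[ \t]*[#;]/ { next }                    # comment line
        /^\[/ { emit(); name = substr($0, 2, index($0, "]") - 2); on = 0; filter = logpath = ""; next }
        $1 == "enabled" { on = ($2 == "true") }
        $1 == "filter"  { filter = $2 }
        $1 == "logpath" { logpath = $2 }
        END { emit() }
    ' "$1"
}

# Print one line per problem found in jail file $1, looking for filters in
# directory $2; print nothing when every enabled jail has its filter and log.
check_jails() {
    local filter_dir="${2:-/etc/fail2ban/filter.d}"
    enabled_jails "$1" | while IFS='|' read -r jail filter logpath; do
        [ -e "$filter_dir/$filter.conf" ] || [ -e "$filter_dir/$filter.local" ] ||
            echo "$jail: filter '$filter' not found in $filter_dir"
        [ -e "$logpath" ] || echo "$jail: logpath '$logpath' does not exist"
    done
}

demo() {    # constructed tree: the three jails above, one filter file missing
    local d; d=$(mktemp -d); mkdir "$d/filter.d"
    touch "$d/filter.d/pureftpd.conf" "$d/filter.d/sasl.conf" "$d/syslog" "$d/mail.log"
    cat > "$d/jail.local" <<EOF
[pureftpd]
enabled  = true
filter   = pureftpd
logpath  = $d/syslog
[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
logpath = $d/mail.log
[sasl]
enabled  = true
filter   = sasl
logpath  = $d/mail.log
EOF
    check_jails "$d/jail.local" "$d/filter.d"; rm -rf "$d"
}
demo
```

On the server, run check_jails /etc/fail2ban/jail.local before restarting fail2ban.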