Installing ISPConfig 3 with Nginx, Postfix, Dovecot

To provide new email and web hosting services to our customers, we deploy ISPConfig 3 with Nginx, Postfix and Dovecot on a few Linux hosting systems. Our customers have their own private systems at Linode and other cloud service providers. Their own systems host their email and web sites for business needs.

We installed Ubuntu 16.04.1 LTS as the base Linux operating system with OpenSSH server. We refer to a document on howtoforge.

Upgrading software packages to the latest versions from the repos
$ apt-get update; apt-get upgrade
Disabling and removing AppArmor
$ service apparmor stop
$ update-rc.d -f apparmor remove
$ apt-get remove apparmor apparmor-utils
Installing NTP
$ apt-get install ntp ntpdate

Installing Postfix + MySQL + OpenSSL + Dovecot
$ apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve sudo

$ vim /etc/postfix/master.cf

Uncomment the following lines, and add or change options so that they read as below.

[...]
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
[...]
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
[...]

Restart Postfix.

$ service postfix restart
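
As an added example (not part of the original post, nor code from Postfix or ISPConfig), the shell functions below check that the overrides shown above are really active for the submission and smtps services. The function names and the sample file are constructed for illustration; the sample shows the failure mode where the -o lines are uncommented but the service line is not, so the overrides attach to the preceding smtp service.

```shell
# service_opts FILE SERVICE: print the active "-o name=value" overrides of the
# inet SERVICE. Comment lines are skipped; indented lines continue the last
# uncommented service line, which is how Postfix reads master.cf.
service_opts() {
    awk -v svc="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[^ \t]/ { in_svc = ($1 == svc && $2 == "inet") }
        in_svc { for (i = 1; i < NF; i++) if ($i == "-o") print $(i + 1) }
    ' "$1"
}

# missing_opts FILE SERVICE OPT...: report each required override that is not
# active for SERVICE; returns 0 only when all of them are present.
missing_opts() {
    mo_svc=$2 mo_rc=0
    mo_active=$(service_opts "$1" "$2"); shift 2
    for mo_want in "$@"; do
        printf '%s\n' "$mo_active" | grep -qxF -e "$mo_want" ||
            { echo "$mo_svc: missing -o $mo_want"; mo_rc=1; }
    done
    return "$mo_rc"
}

# audit_master_cf [FILE]: check the overrides this guide sets on both services.
audit_master_cf() {
    am_file=${1:-/etc/postfix/master.cf} am_rc=0
    am_auth='smtpd_client_restrictions=permit_sasl_authenticated,reject'
    missing_opts "$am_file" submission smtpd_tls_security_level=encrypt \
        smtpd_sasl_auth_enable=yes "$am_auth" || am_rc=1
    missing_opts "$am_file" smtps smtpd_tls_wrappermode=yes \
        smtpd_sasl_auth_enable=yes "$am_auth" || am_rc=1
    return "$am_rc"
}

# Constructed sample: smtps was uncommented correctly, but for submission only
# the -o lines were, so they silently become overrides of the smtp service.
sample_master_cf() {
    cat <<'EOF'
smtp      inet  n       -       y       -       -       smtpd
#submission inet n       -       y       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps     inet  n       -       y       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
EOF
}
```

On a live system, run audit_master_cf with no argument to check /etc/postfix/master.cf. Postfix's own view of the same entries is available from postconf -M and postconf -P.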

We want to keep the MySQL server listening on localhost only, so we skipped the MySQL/MariaDB setting.

Installing Amavisd-new, spamassassin, clamav

$ apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl

ISPConfig 3 uses Amavisd-new to load the SpamAssassin filter internally, so we don’t need to run SpamAssassin as a standalone process. We stop it and disable it from loading at startup.

$ service spamassassin stop
$ update-rc.d -f spamassassin remove

freshclam and clamav operate in the background, so we skipped the freshclam and clamav settings after some checks.

Installing Nginx, PHP7 (PHP-FPM), Fcgiwrap

$ apt-get install nginx

We didn’t install apache2 in the previous installation, so we don’t need to stop and disable it.

PHP5 is no longer available, so we install PHP7 (PHP-FPM) from the repos.

$ apt-get install php-fpm

$ apt-get install php-mysql php-curl php-gd php-intl php-pear php-imagick php-imap php-mcrypt php-memcache php-pspell php-recode php-sqlite3 php-tidy php-xmlrpc php-xml

Installing open PHP opcode cacher

$ apt-get install php-apcu

Modify cgi.fix_pathinfo and the timezone (e.g. Hong Kong)

$ vim /etc/php/7.0/fpm/php.ini

[....]

cgi.fix_pathinfo=0

[....]

date.timezone = "Asia/Hong_Kong"

[....]

Reloading PHP7 FPM

$ service php7.0-fpm reload

Installing fcgiwrap

$ apt-get install fcgiwrap

Installing PHPMyAdmin

$ apt-get install phpmyadmin

Installing mailman on Ubuntu

Installing PureFTPD and quota

$ apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool

$ vim /etc/default/pure-ftpd-common

VIRTUALCHROOT=true

$ echo 1 > /etc/pure-ftpd/conf/TLS

To create an SSL cert for PureFTPD, we use letsencrypt instead of an openssl self-CA cert.

We install letsencrypt first

$ apt-get install letsencrypt

$ vim /etc/fstab

Add ",usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0" to the mount options:

UUID=af5e4830-45e0-7f9a-edd4d81eb-3a92e53 /               ext4    errors=remount-ro,usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0 0

Enabling quota using remount

$ mount -o remount /
$ quotacheck -avugm
$ quotaon -avug

Installing BIND DNS server

$ apt-get install bind9 dnsutils

Installing Vlogger, Webalizer and AWStats

$ apt-get install vlogger webalizer awstats geoip-database libclass-dbi-mysql-perl

$ vim /etc/cron.d/awstats

Then comment out all lines in the above cron file for awstats.

Installing Jailkit

Installing Fail2ban

Installing ISPConfig 3

$ cd /tmp
$ wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
$ tar xfz ISPConfig-3-stable.tar.gz
$ cd ispconfig3_install/install/

Add the following line to the [mysqld] section and restart MySQL
$ vim /etc/mysql/mysql.conf.d/mysqld.cnf

sql-mode="NO_ENGINE_SUBSTITUTION"

$ /etc/init.d/mysql restart

Run ISPConfig 3 install script

$ php -q install.php

PureFTPD, Postfix and ISPConfig use self-created self-CA SSL certificates; we should replace them with letsencrypt certs later.

Try to log in to the ISPConfig 3 admin web console at https://yourhostname.yourdomainname:8080/ with the default login and password: admin / admin

Please change admin password after successful login. Enjoy!

Sammy Fung

Sammy is a Linux technical consultant with 20 years of Linux technical experience.