1 Requirements
To install such a system you will need the following:
the Ubuntu 10.10 server CD, available here: http://releases.ubuntu.com/releases/10.10/ubuntu-10.10-server-i386.iso (i386) or http://releases.ubuntu.com/releases/10.10/ubuntu-10.10-server-amd64.iso (x86_64)
a fast Internet connection.
2 Preliminary Note
In this tutorial I use the hostname server1.example.com with the IP address 192.168.0.100 and the gateway 192.168.0.1. These settings might differ for you, so you have to replace them where appropriate.
3 The Base System
Insert your Ubuntu install CD into your system and boot from it. Select your language:
Then select Install Ubuntu Server:
Choose your language again (?):
Then select your location:
Choose a keyboard layout (you will be asked to press a few keys, and the installer will try to detect your keyboard layout based on the keys you pressed):
The installer checks the installation CD, your hardware, and configures the network with DHCP if there is a DHCP server in the network:
Enter the hostname. In this example, my system is called server1.example.com, so I enter server1:
Please check if the installer detected your time zone correctly. If so, select Yes, otherwise No:
Now you have to partition your hard disk. For simplicity's sake I select Guided - use entire disk and set up LVM - this will create one volume group with two logical volumes, one for the / file system and another one for swap (of course, the partitioning is totally up to you - if you know what you're doing, you can also set up your partitions manually).
Select the disk that you want to partition:
When you're asked Write the changes to disks and configure LVM?, select Yes:
If you have selected Guided - use entire disk and set up LVM, the partitioner will create one big volume group that uses all the disk space. You can now specify how much of that disk space should be used by the logical volumes for / and swap. It makes sense to leave some space unused so that you can later on expand your existing logical volumes or create new ones - this gives you more flexibility.
When you're finished, hit Yes when you're asked Write the changes to disks?:
Afterwards, your new partitions are being created and formatted:
Now the base system is being installed:
Create a user, for example the user Administrator with the user name administrator (don't use the user name admin as it is a reserved name on Ubuntu 10.10):
I don't need an encrypted private directory, so I choose No here:
Next the package manager apt gets configured. Leave the HTTP proxy line empty unless you're using a proxy server to connect to the Internet:
I'm a little bit old-fashioned and like to update my servers manually to have more control, therefore I select No automatic updates. Of course, it's up to you what you select here:
We need a DNS, mail, and LAMP server, but nevertheless I don't select any of them now because I like to have full control over what gets installed on my system. We will install the needed packages manually later on. The only item I select here is OpenSSH server so that I can immediately connect to the system with an SSH client such as PuTTY after the installation has finished:
The installation continues:
The GRUB boot loader gets installed:
Select Yes when you are asked Install the GRUB boot loader to the master boot record?:
The base system installation is now finished. Remove the installation CD from the CD drive and hit Continue to reboot the system:
4 Get root Privileges
After the reboot you can login with your previously created username (e.g. administrator). Because we must run all the steps from this tutorial with root privileges, we can either prepend all commands in this tutorial with the string sudo, or we become root right now by typing
sudo su
(You can as well enable the root login by running
sudo passwd root
and giving root a password. You can then directly log in as root, but this is frowned upon by the Ubuntu developers and community for various reasons. See http://ubuntuforums.org/showthread.php?t=765414.)
5 Install The SSH Server (Optional)
If you did not install the OpenSSH server during the system installation, you can do it now:
aptitude install ssh openssh-server
From now on you can use an SSH client such as PuTTY and connect from your workstation to your Ubuntu 10.10 server and follow the remaining steps from this tutorial.
6 Install vim-nox (Optional)
I'll use vi as my text editor in this tutorial. The default vi program has some strange behaviour on Ubuntu and Debian; to fix this, we install vim-nox:
aptitude install vim-nox
(You don't have to do this if you use a different text editor such as joe or nano.)
7 Configure The Network
Because the Ubuntu installer has configured our system to get its network settings via DHCP, we have to change that now because a server should have a static IP address. Edit /etc/network/interfaces and adjust it to your needs (in this example setup I will use the IP address 192.168.0.100):
vi /etc/network/interfaces
Then restart your network:
/etc/init.d/networking restart
Then edit /etc/hosts. Make it look like this:
vi /etc/hosts
Now run
echo server1.example.com > /etc/hostname
/etc/init.d/hostname restart
Afterwards, run
hostname
hostname -f
Both should show server1.example.com now.
8 Edit /etc/apt/sources.list And Update Your Linux Installation
Edit /etc/apt/sources.list. Comment out or remove the installation CD from the file and make sure that the universe and multiverse repositories are enabled. It should look like this:
vi /etc/apt/sources.list
Then run
aptitude update
to update the apt package database and
aptitude safe-upgrade
to install the latest updates (if there are any). If you see that a new kernel gets installed as part of the updates, you should reboot the system afterwards:
reboot
9 Change The Default Shell
/bin/sh is a symlink to /bin/dash, however we need /bin/bash, not /bin/dash. Therefore we do this:
dpkg-reconfigure dash
Install dash as /bin/sh? <-- No
If you don't do this, the ISPConfig installation will fail.
10 Disable AppArmor
AppArmor is a security extension (similar to SELinux) that should provide extended security. In my opinion you don't need it to configure a secure system, and it usually causes more problems than advantages (think of it after you have done a week of trouble-shooting because some service wasn't working as expected, and then you find out that everything was ok, only AppArmor was causing the problem). Therefore I disable it (this is a must if you want to install ISPConfig later on).
We can disable it like this:
/etc/init.d/apparmor stop
update-rc.d -f apparmor remove
aptitude remove apparmor apparmor-utils
11 Synchronize the System Clock
It is a good idea to synchronize the system clock with an NTP (network time protocol) server over the Internet. Simply run
aptitude install ntp ntpdate
and your system time will always be in sync.
12 Install Postfix, Courier, Saslauthd, MySQL, rkhunter, binutils
We can install Postfix, Courier, Saslauthd, MySQL, rkhunter, and binutils with a single command:
aptitude install postfix postfix-mysql postfix-doc mysql-client mysql-server courier-authdaemon courier-authlib-mysql courier-pop courier-pop-ssl courier-imap courier-imap-ssl libsasl2-2 libsasl2-modules libsasl2-modules-sql sasl2-bin libpam-mysql openssl getmail4 rkhunter binutils maildrop
You will be asked the following questions:
New password for the MySQL "root" user: <-- yourrootsqlpassword
Repeat password for the MySQL "root" user: <-- yourrootsqlpassword
Create directories for web-based administration? <-- No
General type of mail configuration: <-- Internet Site
System mail name: <-- server1.example.com
SSL certificate required <-- Ok
We want MySQL to listen on all interfaces, not just localhost, therefore we edit /etc/mysql/my.cnf and comment out the line bind-address = 127.0.0.1:
vi /etc/mysql/my.cnf
Then we restart MySQL:
/etc/init.d/mysql restart
Now check that networking is enabled. Run
netstat -tap | grep mysql
The output should look like this:
root@server1:~# netstat -tap | grep mysql
tcp 0 0 *:mysql *:* LISTEN 9815/mysqld
root@server1:~#
During the installation, the SSL certificates for IMAP-SSL and POP3-SSL are created with the hostname localhost. To change this to the correct hostname (server1.example.com in this tutorial), delete the certificates...
cd /etc/courier
rm -f /etc/courier/imapd.pem
rm -f /etc/courier/pop3d.pem
... and modify the following two files; replace CN=localhost with CN=server1.example.com (you can also modify the other values, if necessary):
vi /etc/courier/imapd.cnf
vi /etc/courier/pop3d.cnf
Then recreate the certificates...
mkimapdcert
mkpop3dcert
... and restart Courier-IMAP-SSL and Courier-POP3-SSL:
/etc/init.d/courier-imap-ssl restart
/etc/init.d/courier-pop-ssl restart
13 Install Amavisd-new, SpamAssassin, And Clamav
To install amavisd-new, SpamAssassin, and ClamAV, we run
aptitude install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl
14 Install Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear, And mcrypt
Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear, and mcrypt can be installed as follows:
aptitude install apache2 apache2.2-common apache2-doc apache2-mpm-prefork apache2-utils libexpat1 ssl-cert libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick libapache2-mod-suphp libopenssl-ruby libapache2-mod-ruby
You will see the following question:
Web server to reconfigure automatically: <-- apache2
Configure database for phpmyadmin with dbconfig-common? <-- No
Then run the following command to enable the Apache modules suexec, rewrite, ssl, actions, and include (plus dav, dav_fs, and auth_digest if you want to use WebDAV):
a2enmod suexec rewrite ssl actions include
a2enmod dav_fs dav auth_digest
Restart Apache afterwards:
/etc/init.d/apache2 restart
15 Install PureFTPd And Quota
PureFTPd and quota can be installed with the following command:
aptitude install pure-ftpd-common pure-ftpd-mysql quota quotatool
Edit the file /etc/default/pure-ftpd-common...
vi /etc/default/pure-ftpd-common
... and make sure that the start mode is set to standalone and set VIRTUALCHROOT=true:
Now we configure PureFTPd to allow FTP and TLS sessions. FTP is a very insecure protocol because all passwords and all data are transferred in clear text. By using TLS, the whole communication can be encrypted, thus making FTP much more secure.
If you want to allow FTP and TLS sessions, run
echo 1 > /etc/pure-ftpd/conf/TLS
In order to use TLS, we must create an SSL certificate. I create it in /etc/ssl/private/, therefore I create that directory first:
mkdir -p /etc/ssl/private/
Afterwards, we can generate the SSL certificate as follows:
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
Country Name (2 letter code) [AU]: <-- Enter your Country Name (e.g., "DE").
State or Province Name (full name) [some-State]: <-- Enter your State or Province Name.
Locality Name (eg, city) []: <-- Enter your City.
Organization Name (eg, company) [internet Widgits Pty Ltd]: <-- Enter your Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) []: <-- Enter your Organizational Unit Name (e.g. "IT Department").
Common Name (eg, YOUR name) []: <-- Enter the Fully Qualified Domain Name of the system (e.g. "server1.example.com").
Email Address []: <-- Enter your Email Address.
Change the permissions of the SSL certificate:
chmod 600 /etc/ssl/private/pure-ftpd.pem
Then restart PureFTPd:
/etc/init.d/pure-ftpd-mysql restart
Edit /etc/fstab. Mine looks like this (I added ,usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0 to the partition with the mount point /):
vi /etc/fstab
To enable quota, run these commands:
mount -o remount /
quotacheck -avugm
quotaon -avug
16 Install BIND DNS Server
BIND can be installed as follows:
aptitude install bind9 dnsutils
17 Install Vlogger, Webalizer, And AWstats
Vlogger, webalizer, and AWstats can be installed as follows:
aptitude install vlogger webalizer awstats
18 Install Jailkit
Jailkit is needed only if you want to chroot SSH users. It can be installed as follows (important: Jailkit must be installed before ISPConfig - it cannot be installed afterwards!):
aptitude install build-essential autoconf automake1.9 libtool flex bison debhelper
cd /tmp
wget http://olivier.sessink.nl/jailkit/jailkit-2.12.tar.gz
tar xvfz jailkit-2.12.tar.gz
cd jailkit-2.12
./debian/rules binary
cd ..
dpkg -i jailkit_2.12-1_*.deb
rm -rf jailkit-2.12*
19 Install fail2ban
This is optional but recommended, because the ISPConfig monitor tries to show the fail2ban log:
aptitude install fail2ban
20 Install SquirrelMail
To install the SquirrelMail webmail client, run
aptitude install squirrelmail
Then create the following symlink...
ln -s /usr/share/squirrelmail/ /var/www/webmail
... and configure SquirrelMail:
squirrelmail-configure
We must tell SquirrelMail that we are using Courier-IMAP/-POP3:
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages
D. Set pre-defined settings for specific IMAP servers
C Turn color on
S Save data
Q Quit
Command >> <-- D
SquirrelMail Configuration : Read: config.php
---------------------------------------------------------
While we have been building SquirrelMail, we have discovered some
preferences that work better with some servers that don't work so
well with others. If you select your IMAP server, this option will
set some pre-defined settings for that server.
Please note that you will still need to go through and make sure
everything is correct. This does not change everything. There are
only a few settings that this will change.
Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
gmail = IMAP access to Google mail (Gmail) accounts
quit = Do not change anything
Command >> <-- courier
SquirrelMail Configuration : Read: config.php
---------------------------------------------------------
While we have been building SquirrelMail, we have discovered some
preferences that work better with some servers that don't work so
well with others. If you select your IMAP server, this option will
set some pre-defined settings for that server.
Please note that you will still need to go through and make sure
everything is correct. This does not change everything. There are
only a few settings that this will change.
Please select your IMAP server:
bincimap = Binc IMAP server
courier = Courier IMAP server
cyrus = Cyrus IMAP server
dovecot = Dovecot Secure IMAP server
exchange = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx = Mac OS X Mailserver
mercury32 = Mercury/32
uw = University of Washington's IMAP server
quit = Do not change anything
Command >> courier
imap_server_type = courier
default_folder_prefix = INBOX.
trash_folder = Trash
sent_folder = Sent
draft_folder = Drafts
show_prefix_option = false
default_sub_of_inbox = false
show_contain_subfolders_option = false
optional_delimiter = .
delete_folder = true
Press any key to continue... <-- ENTER
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages
D. Set pre-defined settings for specific IMAP servers
C Turn color on
S Save data
Q Quit
Command >> <-- S
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages
D. Set pre-defined settings for specific IMAP servers
C Turn color on
S Save data
Q Quit
Command >> S
Data saved in config.php
Press enter to continue... <-- ENTER
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1. Organization Preferences
2. Server Settings
3. Folder Defaults
4. General Options
5. Themes
6. Address Books
7. Message of the Day (MOTD)
8. Plugins
9. Database
10. Languages
D. Set pre-defined settings for specific IMAP servers
C Turn color on
S Save data
Q Quit
Command >> <-- Q
Afterwards you can access SquirrelMail under http://server1.example.com/webmail or http://192.168.0.100/webmail:
21 Install ISPConfig 3
To install ISPConfig 3 from the latest released version, do this:
cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/
he next step is to run
php -q install.php
This will start the ISPConfig 3 installer. The installer will configure all services like Postfix, SASL, Courier, etc. for you. A manual setup as required for ISPConfig 2 (perfect setup guides) is not necessary.
root@server1:/tmp/ispconfig3_install/install# php -q install.php
--------------------------------------------------------------------------------
_____ ___________ _____ __ _ ____
|_ _/ ___| ___ \ / __ \ / _(_) /__ \
| | \ `--.| |_/ / | / \/ ___ _ __ | |_ _ __ _ _/ /
| | `--. \ __/ | | / _ \| '_ \| _| |/ _` | |_ |
_| |_/\__/ / | | \__/\ (_) | | | | | | | (_| | ___\ \
\___/\____/\_| \____/\___/|_| |_|_| |_|\__, | \____/
__/ |
|___/
--------------------------------------------------------------------------------
>> Initial configuration
Operating System: Debian 6.0 (Squeeze/Sid) or compatible
Following will be a few questions for primary configuration so be careful.
Default values are in [brackets] and can be accepted with <ENTER>.
Tap in "quit" (without the quotes) to stop the installer.
Select language (en,de) [en]: <-- ENTER
Installation mode (standard,expert) [standard]: <-- ENTER
Full qualified hostname (FQDN) of the server, eg server1.domain.tld [server1.example.com]: <-- ENTER
MySQL server hostname [localhost]: <-- ENTER
MySQL root username [root]: <-- ENTER
MySQL root password []: <-- yourrootsqlpassword
MySQL database to create [dbispconfig]: <-- ENTER
MySQL charset [utf8]: <-- ENTER
Generating a 2048 bit RSA private key
......................+++
.............................................................+++
writing new private key to 'smtpd.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: <-- ENTER
State or Province Name (full name) [some-State]: <-- ENTER
Locality Name (eg, city) []: <-- ENTER
Organization Name (eg, company) [internet Widgits Pty Ltd]: <-- ENTER
Organizational Unit Name (eg, section) []: <-- ENTER
Common Name (eg, YOUR name) []: <-- ENTER
Email Address []: <-- ENTER
Configuring Jailkit
Configuring SASL
Configuring PAM
Configuring Courier
Configuring Spamassassin
Configuring Amavisd
Configuring Getmail
Configuring Pureftpd
Configuring BIND
Configuring Apache
Configuring Vlogger
Configuring Apps vhost
Configuring Firewall
Installing ISPConfig
ISPConfig Port [8080]: <-- ENTER
Configuring DBServer
Installing ISPConfig crontab
no crontab for root
no crontab for getmail
Restarting services ...
Rather than invoking init scripts through /etc/init.d, use the service(8)
utility, e.g. service mysql restart
Since the script you are attempting to invoke has been converted to an
Upstart job, you may also use the restart(8) utility, e.g. restart mysql
mysql start/running, process 25572
* Stopping Postfix Mail Transport Agent postfix
...done.
* Starting Postfix Mail Transport Agent postfix
...done.
* Stopping SASL Authentication Daemon saslauthd
...done.
* Starting SASL Authentication Daemon saslauthd
...done.
Stopping amavisd: amavisd-new.
Starting amavisd: amavisd-new.
* Stopping ClamAV daemon clamd
...done.
* Starting ClamAV daemon clamd
...done.
* Stopping Courier authentication services authdaemond
...done.
* Starting Courier authentication services authdaemond
...done.
* Stopping Courier IMAP server imapd
...done.
* Starting Courier IMAP server imapd
...done.
* Stopping Courier IMAP-SSL server imapd-ssl
...done.
* Starting Courier IMAP-SSL server imapd-ssl
...done.
* Stopping Courier POP3 server...
...done.
* Starting Courier POP3 server...
...done.
* Stopping Courier POP3-SSL server...
...done.
* Starting Courier POP3-SSL server...
...done.
* Restarting web server apache2
... waiting ............. ...done.
Restarting ftp server: Running: /usr/sbin/pure-ftpd-mysql-virtualchroot -l mysql:/etc/pure-ftpd/db/mysql.conf -l pam -O clf:/var/log/pure-ftpd/transfer.log -D -H -b -A -Y 1 -u 1000 -8 UTF-8 -E -B
Installation completed.
root@server1:/tmp/ispconfig3_install/install#
The installer automatically configures all underlying services, so no manual configuration is needed.
Afterwards you can access ISPConfig 3 under http://server1.example.com:8080/ or http://192.168.0.100:8080/. Log in with the username admin and the password admin (you should change the default password after your first login):
The system is now ready to be used.
21.1 ISPConfig 3 Manual
In order to learn how to use ISPConfig 3, I strongly recommend to download the ISPConfig 3 Manual.
On nearly 300 pages, it covers the concept behind ISPConfig (admin, resellers, clients), explains how to install and update ISPConfig 3, includes a reference for all forms and form fields in ISPConfig together with examples of valid inputs, and provides tutorials for the most common tasks in ISPConfig 3. It also lines out how to make your server more secure and comes with a troubleshooting section at the end.
22 Additional Notes
If the Ubuntu server that you've just set up in this tutorial is an OpenVZ container (virtual machine), you should do this on the host system (I'm assuming that the ID of the OpenVZ container is 101 - replace it with the correct VPSID on your system):
VPSID=101
for CAP in CHOWN DAC_READ_SEARCH SETGID SETUID NET_BIND_SERVICE NET_ADMIN SYS_CHROOT SYS_NICE CHOWN DAC_READ_SEARCH SETGID SETUID NET_BIND_SERVICE NET_ADMIN SYS_CHROOT SYS_NICE
do
vzctl set $VPSID --capability ${CAP}:on --save
done
The Perfect Server - Ubuntu 10.10 [iSPConfig 3]