{"id":2940,"date":"2018-02-27T17:03:18","date_gmt":"2018-02-27T14:03:18","guid":{"rendered":"https:\/\/www.howtoforge.com\/tutorial\/perfect-server-debian-9-nginx-bind-dovecot-ispconfig-3.1\/"},"modified":"2018-02-27T17:03:18","modified_gmt":"2018-02-27T14:03:18","slug":"the-perfect-server-debian-9-nginx-bind-dovecot-ispconfig-3-1","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/the-perfect-server-debian-9-nginx-bind-dovecot-ispconfig-3-1\/","title":{"rendered":"The Perfect Server – Debian 9 (Nginx, BIND, Dovecot, ISPConfig 3.1)"},"content":{"rendered":"
\"\"<\/div>\n

This tutorial shows how to prepare a Debian\u00a09 server (with Nginx, BIND, Dovecot) for the installation of ISPConfig 3.1<\/a>, and how to install ISPConfig 3.1. ISPConfig 3 is a web hosting control panel that allows you to configure the following services through a web browser: Apache or nginx web server, Postfix mail server, Courier or Dovecot IMAP\/POP3 server, MySQL, BIND or MyDNS nameserver, PureFTPd, SpamAssassin, ClamAV, and many more. This setup covers Nginx web server, BIND as DNS Server, and Dovecot as IMAP \/ POP3 server.<\/p>\n

1 Preliminary Note<\/h2>\n

In this tutorial, I use the hostname server1.example.com<\/span> with the IP address 192.168.1.100<\/span> and the gateway 192.168.1.1<\/span>. These settings might differ for you, so you have to replace them where appropriate.\u00a0Before proceeding further you need to have a minimal installation of Debian 9. This might be a Debian minimal image from your hosting provider or you use the <\/span>Minimal Debian Server<\/a>\u00a0tutorial to setup the base system.<\/span><\/p>\n

2\u00a0Install the SSH Server<\/h2>\n

If you did not install the OpenSSH server during the system installation, you can do it now:<\/p>\n

apt-get -y install ssh openssh-server<\/p>\n

From now on you can use an SSH client such as PuTTY<\/a> and connect from your workstation to your Debian 9 server and follow the remaining steps from this tutorial.<\/p>\n

3 Install a shell text editor (Optional)<\/h2>\n

I’ll\u00a0use <\/span>nano<\/i><\/span> text editor in this tutorial. Some users prefer the classic vi editor, therefore I will install both editors here. The default <\/span>vi<\/span> program has some strange behavior on Debian and Ubuntu; to fix this, we install <\/span>vim-nox<\/span>:<\/span><\/p>\n

apt-get -y install nano vim-nox<\/p>\n

(You don’t have to do this if you use a different text editor such as joe.)<\/p>\n

4 Configure the\u00a0Hostname<\/h2>\n

The hostname of your server should be a subdomain like “server1.example.com”. Do not use a domain name without subdomain part like “example.com” as hostname as this will cause problems later with your mail setup. First, you should check the hostname in\u00a0<\/span>\/etc\/hosts<\/span>\u00a0and change it when necessary. The line should be: “IP Address – space – full hostname incl. domain – space – subdomain part”. E<\/span>dit \/etc\/hosts<\/span>. Make it look like this:<\/p>\n

nano \/etc\/hosts<\/p>\n

127.0.0.1 localhost.localdomain localhost
\n192.168.1.100 server1.example.com server1
\n
\n# The following lines are desirable for IPv6 capable hosts
\n::1 localhost ip6-localhost ip6-loopback
\nff02::1 ip6-allnodes
\nff02::2 ip6-allrouters<\/pre>\n
Then edit the \/etc\/hostname file:<\/p>\n
nano \/etc\/hostname<\/p>\n
It shall contain only the subdomain part, in our case:<\/p>\n
server1<\/pre>\n
Finally,\u00a0reboot the server to apply the change:<\/p>\n
reboot<\/p>\n
Log in again and check if the hostname is correct now with these commands:<\/p>\n
hostname
hostname -f<\/p>\n
The output shall be like this:<\/p>\n
[email\u00a0protected]<\/a>:\/tmp# hostname
server1
[email\u00a0protected]<\/a>:\/tmp# hostname -f
server1.example.com<\/p>\n
5 Update Your Debian Installation<\/h2>\n
First make sure that your \/etc\/apt\/sources.list<\/span> contains the stretch\/updates<\/span> repository (this makes sure you always get the newest updates for the ClamAV virus scanner – this project publishes releases very often, and sometimes old versions stop working), and that the contrib<\/span> and non-free<\/span> repositories are enabled.<\/p>\n
nano \/etc\/apt\/sources.list<\/p>\n
deb http:\/\/ftp.us.debian.org\/debian\/ stretch main contrib non-freedeb-src http:\/\/ftp.us.debian.org\/debian\/ stretch main contrib non-free
deb http:\/\/security.debian.org\/debian-security stretch\/updates main contrib non-freedeb-src http:\/\/security.debian.org\/debian-security stretch\/updates main contrib non-free<\/p><\/pre>\n
IMPORTANT:<\/strong> Add the Debian Backports repository as shown above.<\/p>\n
Run<\/p>\n
apt-get update<\/p>\n
to update the apt package database and<\/p>\n
apt-get upgrade<\/p>\n
to install the latest updates (if there are any).<\/p>\n
6 Change the Default Shell<\/h2>\n
\/bin\/sh<\/span> is a symlink to \/bin\/dash<\/span>, however we need \/bin\/bash<\/span>, not \/bin\/dash<\/span>. Therefore we do this:<\/p>\n
dpkg-reconfigure dash<\/p>\n
Use dash as the default system shell (\/bin\/sh)?<\/span> <– No<\/span><\/p>\n
If you don’t do this, the ISPConfig installation will fail.<\/p>\n
7 Synchronize the System Clock<\/h2>\n
It is a good idea to synchronize the system clock with an NTP (n<\/strong>etwork t<\/strong>ime p<\/strong>rotocol) server over the Internet. Simply run<\/p>\n
apt-get install ntp<\/p>\n
and your system time will always be in sync.<\/p>\n
8 Install Postfix, Dovecot, MySQL, rkhunter and\u00a0binutils<\/h2>\n
We can install Postfix, Dovecot, MySQL, rkhunter, and Binutils with a single command:<\/p>\n
apt-get install postfix postfix-mysql postfix-doc mariadb-client mariadb-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve <\/span>dovecot-lmtpd<\/span>\u00a0sudo<\/span><\/p>\n
You will be asked the following questions:<\/p>\n
General type of mail configuration:<\/span> <– Internet Site<\/span>
System mail name:<\/span> <– server1.example.com<\/span><\/p>\n
To secure the MariaDB \/ MySQL installation and to disable the test database, run this command:<\/p>\n
mysql_secure_installation<\/p>\n
We don’t have to change the MySQL root password as we just set a new one during installation. Answer the questions as follows:<\/p>\n
Change the root password? [Y\/n]\u00a0<\/span><– y<\/span>
New password:\u00a0<\/span><\/span><– Enter a new MySQL root password<\/span>
Re-enter new password:\u00a0<\/span><\/span><– Repeat the MySQL root password<\/span>
Remove anonymous users? [Y\/n]\u00a0<\/span><\/span><– y<\/span>
Disallow root login remotely? [Y\/n]\u00a0<\/span><\/span><– y<\/span>
Remove test database and access to it? [Y\/n]\u00a0<\/span><\/span><– y<\/span>
Reload privilege tables now? [Y\/n]\u00a0<\/span><\/span><– y<\/span><\/p>\n
Next, open the TLS\/SSL and submission ports in Postfix:<\/p>\n
nano \/etc\/postfix\/master.cf<\/p>\n
Uncomment the submission<\/span> and smtps<\/span> sections as follows (leave -o milter_macro_daemon_name=ORIGINATING<\/span> as we don’t need it):<\/p>\n
[...]
\nsubmission inet n - - - - smtpd-o syslog_name=postfix\/submission-o smtpd_tls_security_level=encrypt-o smtpd_sasl_auth_enable=yes-o smtpd_client_restrictions=permit_sasl_authenticated,reject# -o smtpd_reject_unlisted_recipient=no# -o smtpd_client_restrictions=$mua_client_restrictions# -o smtpd_helo_restrictions=$mua_helo_restrictions# -o smtpd_sender_restrictions=$mua_sender_restrictions# -o smtpd_recipient_restrictions=# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject# -o milter_macro_daemon_name=ORIGINATINGsmtps inet n - - - - smtpd-o syslog_name=postfix\/smtps-o smtpd_tls_wrappermode=yes-o smtpd_sasl_auth_enable=yes-o smtpd_client_restrictions=permit_sasl_authenticated,reject# -o smtpd_reject_unlisted_recipient=no# -o smtpd_client_restrictions=$mua_client_restrictions# -o smtpd_helo_restrictions=$mua_helo_restrictions# -o smtpd_sender_restrictions=$mua_sender_restrictions# -o smtpd_recipient_restrictions=# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject# -o milter_macro_daemon_name=ORIGINATING
\n[...]<\/pre>\n
Restart Postfix afterwards:<\/p>\n
service\u00a0postfix restart<\/span><\/p>\n
We want\u00a0MariaDB to listen on all interfaces, not just localhost, therefore we edit \/etc\/mysql\/mariadb.conf.d\/50-server.cnf<\/span>\u00a0and comment out the line bind-address = 127.0.0.1<\/span>\u00a0\u00a0and add the line\u00a0<\/span>sql-mode=”NO_ENGINE_SUBSTITUTION”<\/em>:<\/span><\/p>\n
nano\u00a0\/etc\/mysql\/mariadb.conf.d\/50-server.cnf<\/p>\n
[...]
\n# Instead of skip-networking the default is now to listen only on
\n# localhost which is more compatible and is not less secure.
\n#bind-address = 127.0.0.1
sql-mode=\"NO_ENGINE_SUBSTITUTION\"<\/p>
[...]<\/p><\/pre>\n
Set the password authentication method in MariaDB to native so we can use PHPMyAdmin later to connect as root user:<\/p>\n
echo “update mysql.user set plugin = ‘mysql_native_password’ where user=’root’;” | mysql -u root<\/p>\n
Edit the file\u00a0\/etc\/mysql\/debian.cnf and set the MYSQL \/ MariaDB root password there twice in the rows that start with password.<\/p>\n
nano \/etc\/mysql\/debian.cnf<\/p>\n
The MySQL root password that needs to be added is shown in red, in this example, the password is “howtoforge”.<\/p>\n
# Automatically generated for Debian scripts. DO NOT TOUCH!
[client]
host = localhost
user = root
password =\u00a0howtoforge<\/span>
socket = \/var\/run\/mysqld\/mysqld.sock
[mysql_upgrade]
host = localhost
user = root
password =\u00a0<\/span>howtoforge<\/span>
socket = \/var\/run\/mysqld\/mysqld.sock
basedir = \/usr<\/p>\n
To prevent the error ‘Error in accept: Too many open files<\/em><\/strong>‘ we will set higher open file limits for MariaDB now.<\/p>\n
Open the file \/etc\/security\/limits.conf with an editor:<\/p>\n
nano \/etc\/security\/limits.conf<\/p>\n
and add these lines at the end of the file.<\/p>\n
mysql soft nofile 65535mysql hard nofile 65535<\/pre>\n
Next, create a new directory\u00a0\/etc\/systemd\/system\/mysql.service.d\/ with the mkdir command.<\/p>\n
mkdir -p\u00a0\/etc\/systemd\/system\/mysql.service.d\/<\/p>\n
and add a new file inside:<\/p>\n
nano \/etc\/systemd\/system\/mysql.service.d\/limits.conf<\/p>\n
paste the following lines into that file:<\/p>\n
[Service]LimitNOFILE=infinity<\/pre>\n
Save the file and close the nano editor.<\/p>\n
Then we reload systemd and restart MariaDB:<\/p>\n
systemctl daemon-reload
service mysql restart<\/p>\n
Now check that networking is enabled. Run<\/p>\n
netstat -tap | grep mysql<\/p>\n
The output should look like this:<\/p>\n
[email\u00a0protected]<\/a>:~#\u00a0netstat\u00a0-tap\u00a0|\u00a0grep\u00a0mysql
tcp6\u00a0 \u00a0 \u00a0 \u00a00\u00a0 \u00a0 \u00a0 0 [::]:mysql\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 [::]:*\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 LISTEN\u00a0 \u00a0 \u00a0 4027\/mysqld
[email\u00a0protected]<\/a>:~#<\/p>\n
9 Install Amavisd-new, SpamAssassin, and ClamAV<\/h2>\n
To install amavisd-new, SpamAssassin, and ClamAV, we run:<\/p>\n
apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl\u00a0<\/span>libdbd-mysql-perl<\/span>\u00a0<\/span>postgrey<\/span><\/p>\n
The ISPConfig 3 setup uses amavisd which loads the SpamAssassin filter library internally, so we can stop SpamAssassin to free up some RAM:<\/p>\n
service\u00a0spamassassin stop<\/span>
systemctl disable spamassassin<\/span><\/p>\n
9.1 Install Metronome XMPP Server (optional)<\/h2>\n
This step installs the Metronome XMPP Server which provides a chat server that is compatible with the XMPP protocol. This step is optional, if you do not need a chat server, then you can skip this step. No other ISPConfig functions depend on this software.<\/p>\n
Add the Prosody package repository in Debian.<\/p>\n
echo “deb http:\/\/packages.prosody.im\/debian\u00a0stretch main” > \/etc\/apt\/sources.list.d\/metronome.list
wget http:\/\/prosody.im\/files\/prosody-debian-packages.key -O – | sudo apt-key add –<\/p>\n
Update the package list:<\/p>\n
apt-get update<\/p>\n
Install the programs that are required for the build process<\/p>\n
apt-get install build-essential<\/p>\n
and install the packages with apt.<\/p>\n
apt-get install git lua5.1 liblua5.1-0-dev lua-filesystem\u00a0libidn11-dev libssl-dev lua-zlib lua-expat lua-event lua-bitop lua-socket lua-sec luarocks\u00a0luarocks<\/p>\n
luarocks install lpc<\/p>\n
Add a shell user for Metronome.<\/p>\n
adduser –no-create-home –disabled-login –gecos ‘Metronome’ metronome<\/p>\n
Download Metronome to the \/opt directory and compile it.<\/p>\n
cd \/opt; git clone https:\/\/github.com\/maranda\/metronome.git metronome
cd .\/metronome; .\/configure –ostype=debian –prefix=\/usr
make
make install<\/p>\n
Metronome has now be installed to \/opt\/metronome.<\/p>\n