
The Perfect Server - Ubuntu Jaunty Jackalope (Ubuntu 9.04) [ISPConfig 2]

By Falko Timme Published: 2009-04-23 08:32



Version 1.0
Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited 04/23/2009

This tutorial shows how to set up an Ubuntu Jaunty Jackalope (Ubuntu 9.04) server that offers all services needed by ISPs and hosters: Apache web server (SSL-capable), Postfix mail server with SMTP-AUTH and TLS, BIND DNS server, Proftpd FTP server, MySQL server, Courier POP3/IMAP, Quota, Firewall, etc. In the end you should have a system that works reliably, and if you like you can install the free webhosting control panel ISPConfig 2 (i.e., ISPConfig runs on it out of the box).

I will use the following software:

- Web Server: Apache 2.2 with PHP 5.2.6, Python, Ruby, and WebDAV
- Database Server: MySQL 5.0
- Mail Server: Postfix
- DNS Server: BIND9
- FTP Server: proftpd
- POP3/IMAP: I will use Maildir format and therefore install Courier-POP3/Courier-IMAP.
- Webalizer for web site statistics

Please note that this setup does not work for ISPConfig 3! It is valid for ISPConfig 2 only!

I want to say first that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!

1 Requirements

Copyright 2009 All Rights Reserved.

HowtoForge

Page 1 of 62

The Perfect Server - Ubuntu Jaunty Jackalope (Ubuntu 9.04) [ISPConfig 2]

http://www.howtoforge.com/

To install such a system you will need the following:

- the Ubuntu 9.04 server CD, available here: ftp://releases.ubuntu.com/releases/9.04/ubuntu-9.04-server-i386.iso (i386) or ftp://releases.ubuntu.com/releases/9.04/ubuntu-9.04-server-amd64.iso (x86_64)
- a fast Internet connection.

2 Preliminary Note
In this tutorial I use the hostname server1.example.com with the IP address 192.168.0.100 and the gateway 192.168.0.1. These settings might differ for you, so you have to replace them where appropriate.

3 The Base System


Insert your Ubuntu install CD into your system and boot from it. Select your language:


Then select Install Ubuntu Server:


Choose your language again (?):


Then select your location:


Choose a keyboard layout (you will be asked to press a few keys, and the installer will try to detect your keyboard layout based on the keys you pressed):


The installer checks the installation CD, your hardware, and configures the network with DHCP if there is a DHCP server in the network:


Enter the hostname. In this example, my system is called server1.example.com, so I enter server1:


Now you have to partition your hard disk. For simplicity's sake I select Guided - use entire disk and set up LVM - this will create one volume group with two logical volumes, one for the / file system and another one for swap (of course, the partitioning is totally up to you - if you know what you're doing, you can also set up your partitions manually).


Select the disk that you want to partition:


When you're asked Write the changes to disks and configure LVM?, select Yes:


If you have selected Guided - use entire disk and set up LVM, the partitioner will create one big volume group that uses all the disk space. You can now specify how much of that disk space should be used by the logical volumes for / and swap. It makes sense to leave some space unused so that you can later on expand your existing logical volumes or create new ones - this gives you more flexibility.


When you're finished, hit Yes when you're asked Write the changes to disks?:


Afterwards, your new partitions are being created and formatted:


Now the base system is being installed:


Create a user, for example the user Administrator with the user name administrator (don't use the user name admin as it is a reserved name on Ubuntu 9.04):


I don't need an encrypted private directory, so I choose No here:


Next the package manager apt gets configured. Leave the HTTP proxy line empty unless you're using a proxy server to connect to the Internet:


I'm a little bit old-fashioned and like to update my servers manually to have more control, therefore I select No automatic updates. Of course, it's up to you what you select here:


We need a DNS, mail, and LAMP server, but nevertheless I don't select any of them now because I like to have full control over what gets installed on my system. We will install the needed packages manually later on. The only item I select here is OpenSSH server so that I can immediately connect to the system with an SSH client such as PuTTY after the installation has finished:


The installation continues:


The GRUB boot loader gets installed:


The base system installation is now finished. Remove the installation CD from the CD drive and hit Continue to reboot the system:


On to the next step...

4 Get root Privileges



After the reboot you can login with your previously created username (e.g. administrator). Because we must run all the steps from this tutorial with root privileges, we can either prepend all commands in this tutorial with the string sudo, or we become root right now by typing
sudo su

(You can as well enable the root login by running


sudo passwd root

and giving root a password. You can then directly log in as root, but this is frowned upon by the Ubuntu developers and community for various reasons. See http://ubuntuforums.org/showthread.php?t=765414.)

5 Install The SSH Server (Optional)


If you did not install the OpenSSH server during the system installation, you can do it now:
aptitude install ssh openssh-server

From now on you can use an SSH client such as PuTTY and connect from your workstation to your Ubuntu 9.04 server and follow the remaining steps from this tutorial.

6 Install vim-nox (Optional)


I'll use vi as my text editor in this tutorial. The default vi program has some strange behaviour on Ubuntu and Debian; to fix this, we install vim-nox:
aptitude install vim-nox

(You don't have to do this if you use a different text editor such as joe or nano.)


7 Configure The Network


Because the Ubuntu installer has configured our system to get its network settings via DHCP, we have to change that now because a server should have a static IP address. Edit /etc/network/interfaces and adjust it to your needs (in this example setup I will use the IP address 192.168.0.100):
vi /etc/network/interfaces

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
        address 192.168.0.100
        netmask 255.255.255.0
        network 192.168.0.0
        broadcast 192.168.0.255
        gateway 192.168.0.1

Then restart your network:


/etc/init.d/networking restart

Then edit /etc/hosts. Make it look like this:

vi /etc/hosts

127.0.0.1       localhost.localdomain   localhost
192.168.0.100   server1.example.com     server1

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

Now run
echo server1.example.com > /etc/hostname

/etc/init.d/hostname.sh start

Afterwards, run
hostname

hostname -f

Both should show server1.example.com now.

8 Edit /etc/apt/sources.list And Update Your Linux Installation



Edit /etc/apt/sources.list. Comment out or remove the installation CD from the file and make sure that the universe and multiverse repositories are enabled. It should look like this:
vi /etc/apt/sources.list

#
# deb cdrom:[Ubuntu-Server 9.04 _Jaunty Jackalope_ - Release amd64 (20090421.1)]/ jaunty main restricted

#deb cdrom:[Ubuntu-Server 9.04 _Jaunty Jackalope_ - Release amd64 (20090421.1)]/ jaunty main restricted
# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
# newer versions of the distribution.

deb http://de.archive.ubuntu.com/ubuntu/ jaunty main restricted
deb-src http://de.archive.ubuntu.com/ubuntu/ jaunty main restricted

## Major bug fix updates produced after the final release of the
## distribution.
deb http://de.archive.ubuntu.com/ubuntu/ jaunty-updates main restricted
deb-src http://de.archive.ubuntu.com/ubuntu/ jaunty-updates main restricted

## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team. Also, please note that software in universe WILL NOT receive any
## review or updates from the Ubuntu security team.
deb http://de.archive.ubuntu.com/ubuntu/ jaunty universe
deb-src http://de.archive.ubuntu.com/ubuntu/ jaunty universe
deb http://de.archive.ubuntu.com/ubuntu/ jaunty-updates universe
deb-src http://de.archive.ubuntu.com/ubuntu/ jaunty-updates universe

## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in
## multiverse WILL NOT receive any review or updates from the Ubuntu
## security team.
deb http://de.archive.ubuntu.com/ubuntu/ jaunty multiverse
deb-src http://de.archive.ubuntu.com/ubuntu/ jaunty multiverse
deb http://de.archive.ubuntu.com/ubuntu/ jaunty-updates multiverse
deb-src http://de.archive.ubuntu.com/ubuntu/ jaunty-updates multiverse

## Uncomment the following two lines to add software from the 'backports'
## repository.
## N.B. software from this repository may not have been tested as
## extensively as that contained in the main release, although it includes
## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team.
# deb http://de.archive.ubuntu.com/ubuntu/ jaunty-backports main restricted universe multiverse
# deb-src http://de.archive.ubuntu.com/ubuntu/ jaunty-backports main restricted universe multiverse

## Uncomment the following two lines to add software from Canonical's
## 'partner' repository.
## This software is not part of Ubuntu, but is offered by Canonical and the
## respective vendors as a service to Ubuntu users.
# deb http://archive.canonical.com/ubuntu jaunty partner
# deb-src http://archive.canonical.com/ubuntu jaunty partner

deb http://security.ubuntu.com/ubuntu jaunty-security main restricted
deb-src http://security.ubuntu.com/ubuntu jaunty-security main restricted
deb http://security.ubuntu.com/ubuntu jaunty-security universe
deb-src http://security.ubuntu.com/ubuntu jaunty-security universe
deb http://security.ubuntu.com/ubuntu jaunty-security multiverse
deb-src http://security.ubuntu.com/ubuntu jaunty-security multiverse

Then run
aptitude update

to update the apt package database and


aptitude safe-upgrade

to install the latest updates (if there are any). If you see that a new kernel gets installed as part of the updates, you should reboot the system afterwards:
reboot

9 Change The Default Shell


/bin/sh is a symlink to /bin/dash, however we need /bin/bash, not /bin/dash. Therefore we do this:

dpkg-reconfigure dash

Install dash as /bin/sh? <-- No

If you don't do this, the ISPConfig installation will fail.

10 Disable AppArmor
AppArmor is a security extension (similar to SELinux) that should provide extended security. In my opinion you don't need it to configure a secure system, and it usually causes more problems than advantages (think of it after you have done a week of trouble-shooting because some service wasn't working as expected, and then you find out that everything was ok, only AppArmor was causing the problem). Therefore I disable it (this is a must if you want to install ISPConfig later on). We can disable it like this:

/etc/init.d/apparmor stop

update-rc.d -f apparmor remove

aptitude remove apparmor apparmor-utils

11 Install Some Software


Now we install a few packages that are needed later on. Run
aptitude install binutils cpp fetchmail flex gcc libarchive-zip-perl libc6-dev libcompress-zlib-perl libdb4.6-dev libpcre3 libpopt-dev lynx m4 make ncftp nmap openssl perl perl-modules unzip zip zlib1g-dev autoconf automake1.9 libtool bison autotools-dev g++ build-essential

(This command must go into one line!)

12 Quota
(If you have chosen a different partitioning scheme than I did, you must adjust this chapter so that quota applies to the partitions where you need it.)

To install quota, run


aptitude install quota

Edit /etc/fstab. Mine looks like this (I added ,usrquota,grpquota to the partition with the mount point /):
vi /etc/fstab

# /etc/fstab: static file system information.
#
# Use 'vol_id --uuid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
proc            /proc           proc    defaults        0       0
# / was on /dev/mapper/server1-root during installation
UUID=b8d265bc-5959-404d-a68e-8dc1c76f18d6 /               ext3    relatime,errors=remount-ro,usrquota,grpquota 0       1
# /boot was on /dev/sda5 during installation
UUID=01e9c3c7-2ad0-4f52-a356-18290517b362 /boot           ext2    relatime        0       2
# swap was on /dev/mapper/server1-swap_1 during installation
UUID=c1e0bcbb-5c73-4bd2-a7b2-8beeb7526200 none            swap    sw              0       0
/dev/scd0       /media/cdrom0   udf,iso9660 user,noauto,exec,utf8 0       0
/dev/fd0        /media/floppy0  auto    rw,user,noauto,exec,utf8 0       0

To enable quota, run these commands:


touch /quota.user /quota.group

chmod 600 /quota.*

mount -o remount /

quotacheck -avugm

quotaon -avug
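A quick way to confirm the fstab edit before running quotacheck, as an added example that is not part of the original tutorial: the script below parses an fstab-style file and reports whether a given mount point carries both usrquota and grpquota. The sample fstab it ships with is constructed (placeholder UUIDs); the file path and mount points are arguments, so the same functions can be pointed at the real /etc/fstab.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): confirm that the
# /etc/fstab entry for a mount point carries the usrquota and grpquota
# options added in this chapter, before running quotacheck/quotaon.
# Usage on the server: fstab_has_quota /etc/fstab /
# Exit status: 0 = both options present, 1 = entry lacks one of them,
#              2 = no entry for that mount point.

# Print the <options> field (4th column) of the entry whose <mount point>
# (2nd column) equals the second argument. Comments and short lines are
# skipped; UUID= entries need no special handling since only column 2 is
# compared. Exit status 1 when no entry was found.
fstab_options() {
    awk -v mnt="$2" '
        /^[[:space:]]*#/ || NF < 4 { next }
        $2 == mnt { print $4; found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

fstab_has_quota() {
    opts=$(fstab_options "$1" "$2") || return 2
    # Match whole option names so e.g. "usrjquota=..." does not count.
    printf '%s\n' "$opts" | tr ',' '\n' | grep -qx usrquota || return 1
    printf '%s\n' "$opts" | tr ',' '\n' | grep -qx grpquota || return 1
    return 0
}

# Human-readable report for one mount point.
report() {
    rc=0; fstab_has_quota "$1" "$2" || rc=$?
    case $rc in
        0) echo "$2: usrquota,grpquota present" ;;
        1) echo "$2: entry found but usrquota/grpquota missing" ;;
        *) echo "$2: no fstab entry" ;;
    esac
}

# Constructed sample fstab (UUIDs are placeholders) with the root entry
# edited the way the tutorial describes and /boot left untouched.
write_sample_fstab() {
    cat > "$1" <<'EOF'
# <file system> <mount point> <type> <options> <dump> <pass>
proc            /proc  proc  defaults                                     0 0
UUID=ROOT-UUID  /      ext3  relatime,errors=remount-ro,usrquota,grpquota 0 1
UUID=BOOT-UUID  /boot  ext2  relatime                                     0 2
UUID=SWAP-UUID  none   swap  sw                                           0 0
EOF
}

# "--demo" runs the report against the constructed sample; otherwise every
# argument is treated as a mount point to look up in /etc/fstab.
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp); write_sample_fstab "$f"
    for m in / /boot /home; do report "$f" "$m"; done
    rm -f "$f"
else
    for m in "$@"; do report /etc/fstab "$m"; done
fi
```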

13 DNS Server


Run
aptitude install bind9

For security reasons we want to run BIND chrooted so we have to do the following steps:
/etc/init.d/bind9 stop

Edit the file /etc/default/bind9 so that the daemon will run as the unprivileged user bind, chrooted to /var/lib/named. Modify the line: OPTIONS="-u bind" so that it reads OPTIONS="-u bind -t /var/lib/named":
vi /etc/default/bind9

# run resolvconf?
RESOLVCONF=yes

# startup options for the server
OPTIONS="-u bind -t /var/lib/named"

Create the necessary directories under /var/lib:


mkdir -p /var/lib/named/etc

mkdir /var/lib/named/dev

mkdir -p /var/lib/named/var/cache/bind

mkdir -p /var/lib/named/var/run/bind/run


Then move the config directory from /etc to /var/lib/named/etc:


mv /etc/bind /var/lib/named/etc

Create a symlink to the new config directory from the old location (to avoid problems when bind gets updated in the future):
ln -s /var/lib/named/etc/bind /etc/bind

Make null and random devices, and fix permissions of the directories:
mknod /var/lib/named/dev/null c 1 3

mknod /var/lib/named/dev/random c 1 8

chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random

chown -R bind:bind /var/lib/named/var/*

chown -R bind:bind /var/lib/named/etc/bind

We need to modify /etc/default/syslogd so that we can still get important messages logged to the system logs. Modify the line: SYSLOGD="" so that it reads: SYSLOGD="-a /var/lib/named/dev/log":
vi /etc/default/syslogd

#
# Top configuration file for syslogd
#

#
# Full documentation of possible arguments are found in the manpage
# syslogd(8).
#

#
# For remote UDP logging use SYSLOGD="-r"
#
SYSLOGD="-a /var/lib/named/dev/log"

Restart the logging daemon:


/etc/init.d/sysklogd restart

Start up BIND, and check /var/log/syslog for errors:


/etc/init.d/bind9 start
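Before starting BIND it is worth checking that the chroot layout built above is complete, because a missing device node or a wrong owner only shows up as a terse error in /var/log/syslog. The script below is an added example, not part of the original tutorial; it takes the chroot root, the symlink path and the expected owner as arguments (defaults /var/lib/named, /etc/bind and bind) so it can also be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): verify the BIND chroot
# layout from this chapter. Prints one line per problem and returns the
# number of problems found (0 = layout matches the tutorial).
# Usage on the server: named_chroot_check /var/lib/named /etc/bind bind
named_chroot_check() {
    root="${1:-/var/lib/named}"; link="${2:-/etc/bind}"; owner="${3:-bind}"
    problems=0

    # Directories the tutorial creates with mkdir -p.
    for d in etc/bind dev var/cache/bind var/run/bind/run; do
        if [ ! -d "$root/$d" ]; then
            echo "MISSING: directory $root/$d"; problems=$((problems + 1))
        fi
    done

    # The nodes made with mknod must be character devices; a plain file
    # named "random" would leave named without an entropy source.
    for dev in null random; do
        if [ ! -c "$root/dev/$dev" ]; then
            echo "MISSING: character device $root/dev/$dev"; problems=$((problems + 1))
        fi
    done

    # The old config path must be a symlink into the chroot, otherwise a
    # package update recreates a plain /etc/bind that the chrooted daemon
    # never reads.
    if [ ! -L "$link" ] || [ "$(readlink "$link")" != "$root/etc/bind" ]; then
        echo "MISSING: symlink $link -> $root/etc/bind"; problems=$((problems + 1))
    fi

    # named.conf must have moved along with the rest of /etc/bind.
    if [ ! -f "$root/etc/bind/named.conf" ]; then
        echo "MISSING: $root/etc/bind/named.conf"; problems=$((problems + 1))
    fi

    # Everything under the moved config dir must belong to the unprivileged
    # user (chown -R bind:bind in the tutorial); report the first offender.
    if [ -d "$root/etc/bind" ]; then
        bad=$(find "$root/etc/bind" ! -user "$owner" -print | head -n 1)
        if [ -n "$bad" ]; then
            echo "WRONG OWNER: $bad (expected $owner)"; problems=$((problems + 1))
        fi
    fi

    return "$problems"
}

# Run against the real paths when invoked with --check.
if [ "${1:-}" = "--check" ]; then
    if named_chroot_check /var/lib/named /etc/bind bind; then
        echo "chroot layout OK"
    else
        echo "$? problem(s) found"
    fi
fi
```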

14 MySQL
In order to install MySQL, we run
aptitude install mysql-server mysql-client libmysqlclient15-dev

You will be asked to provide a password for the MySQL root user - this password is valid for the user root@localhost as well as root@server1.example.com, so we don't have to specify a MySQL root password manually later on:
New password for the MySQL "root" user: <-- yourrootsqlpassword


Repeat password for the MySQL "root" user: <-- yourrootsqlpassword

We want MySQL to listen on all interfaces, not just localhost, therefore we edit /etc/mysql/my.cnf and comment out the line bind-address = 127.0.0.1:
vi /etc/mysql/my.cnf

[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address           = 127.0.0.1
[...]

Then we restart MySQL:


/etc/init.d/mysql restart

Now check that networking is enabled. Run


netstat -tap | grep mysql

The output should look like this:


root@server1:~# netstat -tap | grep mysql
tcp        0      0 *:mysql                 *:*                     LISTEN      4318/mysqld
root@server1:~#

15 Postfix With SMTP-AUTH And TLS



In order to install Postfix with SMTP-AUTH and TLS do the following steps:
aptitude install postfix libsasl2-2 sasl2-bin libsasl2-modules procmail

You will be asked two questions. Answer as follows:


General type of mail configuration: <-- Internet Site
System mail name: <-- server1.example.com

Then run
dpkg-reconfigure postfix

Again, you'll be asked some questions:


General type of mail configuration: <-- Internet Site
System mail name: <-- server1.example.com
Root and postmaster mail recipient: <-- [blank]
Other destinations to accept mail for (blank for none): <-- server1.example.com, localhost.example.com, localhost.localdomain, localhost
Force synchronous updates on mail queue? <-- No
Local networks: <-- 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
Use procmail for local delivery? <-- Yes
Mailbox size limit (bytes): <-- 0
Local address extension character: <-- +
Internet protocols to use: <-- all

Next, do this:
postconf -e 'smtpd_sasl_local_domain ='

postconf -e 'smtpd_sasl_auth_enable = yes'


postconf -e 'smtpd_sasl_security_options = noanonymous'

postconf -e 'broken_sasl_auth_clients = yes'

postconf -e 'smtpd_sasl_authenticated_header = yes'

postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'

postconf -e 'inet_interfaces = all'

echo 'pwcheck_method: saslauthd' >> /etc/postfix/sasl/smtpd.conf

echo 'mech_list: plain login' >> /etc/postfix/sasl/smtpd.conf

Afterwards we create the certificates for TLS:


mkdir /etc/postfix/ssl

cd /etc/postfix/ssl/

openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024

chmod 600 smtpd.key

openssl req -new -key smtpd.key -out smtpd.csr

openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt

openssl rsa -in smtpd.key -out smtpd.key.unencrypted

mv -f smtpd.key.unencrypted smtpd.key

openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

Next we configure Postfix for TLS (make sure that you use the correct hostname for myhostname):
postconf -e 'myhostname = server1.example.com'

postconf -e 'smtpd_tls_auth_only = no'

postconf -e 'smtp_use_tls = yes'

postconf -e 'smtpd_use_tls = yes'

postconf -e 'smtp_tls_note_starttls_offer = yes'

postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'

postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'

postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'

postconf -e 'smtpd_tls_loglevel = 1'

postconf -e 'smtpd_tls_received_header = yes'

postconf -e 'smtpd_tls_session_cache_timeout = 3600s'

postconf -e 'tls_random_source = dev:/dev/urandom'

The file /etc/postfix/main.cf should now look like this:


cat /etc/postfix/main.cf

# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = server1.example.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = server1.example.com, localhost.example.com, localhost.localdomain, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom


Authentication will be done by saslauthd. We have to change a few things to make it work properly. Because Postfix runs chrooted in /var/spool/postfix we have to do the following:
mkdir -p /var/spool/postfix/var/run/saslauthd

Now we have to edit /etc/default/saslauthd in order to activate saslauthd. Set START to yes and change the line OPTIONS="-c -m /var/run/saslauthd" to OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r":
vi /etc/default/saslauthd

# Settings for saslauthd daemon
# Please read /usr/share/doc/sasl2-bin/README.Debian for details.
#

# Should saslauthd run automatically on startup? (default: no)
START=yes

# Description of this saslauthd instance. Recommended.
# (suggestion: SASL Authentication Daemon)
DESC="SASL Authentication Daemon"

# Short name of this saslauthd instance. Strongly recommended.
# (suggestion: saslauthd)
NAME="saslauthd"

# Which authentication mechanisms should saslauthd use? (default: pam)
#
# Available options in this Debian package:
# getpwent  -- use the getpwent() library function
# kerberos5 -- use Kerberos 5
# pam       -- use PAM
# rimap     -- use a remote IMAP server
# shadow    -- use the local shadow password file
# sasldb    -- use the local sasldb database file
# ldap      -- use LDAP (configuration is in /etc/saslauthd.conf)
#
# Only one option may be used at a time. See the saslauthd man page
# for more information.
#
# Example: MECHANISMS="pam"
MECHANISMS="pam"

# Additional options for this mechanism. (default: none)
# See the saslauthd man page for information about mech-specific options.
MECH_OPTIONS=""

# How many saslauthd processes should we run? (default: 5)
# A value of 0 will fork a new process for each connection.
THREADS=5

# Other options (default: -c -m /var/run/saslauthd)
# Note: You MUST specify the -m option or saslauthd won't run!
#
# WARNING: DO NOT SPECIFY THE -d OPTION.
# The -d option will cause saslauthd to run in the foreground instead of as
# a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you wish
# to run saslauthd in debug mode, please run it by hand to be safe.
#
# See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
# See the saslauthd man page and the output of 'saslauthd -h' for general
# information about these options.
#
# Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
#OPTIONS="-c -m /var/run/saslauthd"
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"

Next add the postfix user to the sasl group (this makes sure that Postfix has the permission to access saslauthd):
adduser postfix sasl

Now restart Postfix and start saslauthd:


/etc/init.d/postfix restart

/etc/init.d/saslauthd start

To see if SMTP-AUTH and TLS work properly now run the following command:
telnet localhost 25

After you have established the connection to your Postfix mail server type
ehlo localhost

If you see the lines


250-STARTTLS

and
250-AUTH LOGIN PLAIN


everything is fine. The output on my system looks like this:


root@server1:/etc/postfix/ssl# telnet localhost 25
Trying ::1...
Connected to localhost.localdomain.
Escape character is '^]'.
220 server1.example.com ESMTP Postfix (Ubuntu)
ehlo localhost
250-server1.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.
root@server1:/etc/postfix/ssl#

Type
quit

to return to the system's shell.
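As an added example (not part of the original tutorial), the same two checks done by script rather than by eye: the EHLO reply from the session above is embedded as a constructed string and is assumed to have been captured on the plain connection, before STARTTLS, exactly as in the telnet session.

```python
# EHLO reply from the tutorial's telnet session, embedded as a constructed string;
# it was captured on the plain connection, before any STARTTLS was issued.
SAMPLE_EHLO_REPLY = """\
250-server1.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""

def parse_ehlo(reply):
    """Return {KEYWORD: [params]} for the capability lines of an EHLO reply.

    '250-' marks a continuation line, '250 ' the last one; the first line is
    the server name, not a capability. The legacy 'AUTH=LOGIN PLAIN' line
    gets its own key ('AUTH=LOGIN') and does not count as the AUTH list."""
    caps = {}
    lines = [ln.rstrip("\r") for ln in reply.splitlines() if ln.strip()]
    for line in lines[1:]:
        if not line.startswith("250"):
            raise ValueError("unexpected EHLO reply line: %r" % line)
        keyword, _, params = line[4:].partition(" ")
        caps[keyword.upper()] = params.split()
    return caps

def check_smtp_auth(reply):
    """The tutorial's two eyeball checks; returns (ok, problems, warnings)."""
    caps = parse_ehlo(reply)
    problems, warnings = [], []
    if "STARTTLS" not in caps:
        problems.append("STARTTLS not offered: TLS is not enabled")
    mechs = set(caps.get("AUTH", []))
    if not mechs:
        problems.append("AUTH not offered: SMTP-AUTH is not enabled")
    elif not {"LOGIN", "PLAIN"} <= mechs:
        problems.append("AUTH lacks LOGIN/PLAIN: %s" % sorted(mechs))
    if mechs:
        # AUTH on the unencrypted session means clients may send credentials in
        # the clear; Postfix's smtpd_tls_auth_only = yes withholds AUTH until
        # after STARTTLS.
        warnings.append("AUTH advertised before STARTTLS")
    return (not problems, problems, warnings)
```

The warning is informational: the tutorial's output is "fine" by its own criteria, but a server that advertises AUTH before STARTTLS accepts cleartext logins from clients that never upgrade the session.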


16 Courier-IMAP/Courier-POP3
Run this to install Courier-IMAP/Courier-IMAP-SSL (for IMAPs on port 993) and Courier-POP3/Courier-POP3-SSL (for POP3s on port 995):
aptitude install courier-authdaemon courier-base courier-imap courier-imap-ssl courier-pop courier-pop-ssl courier-ssl gamin libgamin0 libglib2.0-0

You will be asked two questions:


Create directories for web-based administration? <-- No
SSL certificate required <-- Ok

During the installation, the SSL certificates for IMAP-SSL and POP3-SSL are created with the hostname localhost. To change this to the correct hostname (server1.example.com in this tutorial), delete the certificates...
cd /etc/courier

rm -f /etc/courier/imapd.pem

rm -f /etc/courier/pop3d.pem

... and modify the following two files; replace CN=localhost with CN=server1.example.com (you can also modify the other values, if necessary):
vi /etc/courier/imapd.cnf

[...]
CN=server1.example.com
[...]

vi /etc/courier/pop3d.cnf

[...]
CN=server1.example.com
[...]

Then recreate the certificates...


mkimapdcert

mkpop3dcert

... and restart Courier-IMAP-SSL and Courier-POP3-SSL:


/etc/init.d/courier-imap-ssl restart

/etc/init.d/courier-pop-ssl restart

If you do not want to use ISPConfig, configure Postfix to deliver emails to a user's Maildir*:
postconf -e 'home_mailbox = Maildir/'

postconf -e 'mailbox_command ='

/etc/init.d/postfix restart

*Please note: You do not have to do this if you intend to use ISPConfig on your system as ISPConfig does the necessary configuration using procmail recipes. But please make sure to enable Maildir under Management -> Server -> Settings -> EMail in the ISPConfig web interface.

17 Apache/PHP5/Ruby/Python/WebDAV
Now we install Apache:
aptitude install apache2 apache2-doc apache2-mpm-prefork apache2-utils apache2-suexec libexpat1 ssl-cert

Next we install PHP5, Ruby, and Python (all three as Apache modules):
aptitude install libapache2-mod-php5 libapache2-mod-ruby libapache2-mod-python php5 php5-common php5-curl php5-dev php5-gd php5-idn php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-mhash php5-ming php5-mysql php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl

Next we edit /etc/apache2/mods-available/dir.conf:


vi /etc/apache2/mods-available/dir.conf

and change the DirectoryIndex line:

<IfModule mod_dir.c>
    #DirectoryIndex index.html index.cgi index.pl index.php index.xhtml index.htm
    DirectoryIndex index.html index.htm index.shtml index.cgi index.php index.php3 index.pl index.xhtml
</IfModule>

Now we have to enable some Apache modules (SSL, rewrite, suexec, include, and WebDAV):

a2enmod ssl

a2enmod rewrite

a2enmod suexec

a2enmod include

a2enmod dav_fs

a2enmod dav

Restart Apache:
/etc/init.d/apache2 restart

We have to fix a small problem with Ruby. If you install ISPConfig and enable Ruby for a web site, .rbx files will be executed fine and displayed in the browser, but this does not work for .rb files - you will be prompted to download the .rb file - the same happens if you configure Ruby manually for a vhost (i.e., it has nothing to do with ISPConfig). To fix this, we open /etc/mime.types...
vi /etc/mime.types

... and comment out the application/x-ruby line:

[...]
#application/x-ruby				rb
[...]


Restart Apache:
/etc/init.d/apache2 restart

Now .rb files will be executed and displayed in the browser, just like .rbx files. In the next chapter (17.1) we are going to disable PHP (this is necessary only if you want to install ISPConfig on this server). Unlike PHP, Ruby and Python are disabled by default, therefore we don't have to do it.

17.1 Disable PHP Globally


(If you do not plan to install ISPConfig on this server, please skip this section!)

In ISPConfig you will configure PHP on a per-website basis, i.e. you can specify which website can run PHP scripts and which one cannot. This can only work if PHP is disabled globally because otherwise all websites would be able to run PHP scripts, no matter what you specify in ISPConfig. To disable PHP globally, we edit /etc/mime.types and comment out the application/x-httpd-php lines:
vi /etc/mime.types

[...]
#application/x-httpd-php			phtml pht php
#application/x-httpd-php-source			phps
#application/x-httpd-php3			php3
#application/x-httpd-php3-preprocessed		php3p
#application/x-httpd-php4			php4
[...]

Edit /etc/apache2/mods-enabled/php5.conf and comment out the following lines:

vi /etc/apache2/mods-enabled/php5.conf

<IfModule mod_php5.c>
  # AddType application/x-httpd-php .php .phtml .php3
  # AddType application/x-httpd-php-source .phps
</IfModule>

Then restart Apache:


/etc/init.d/apache2 restart
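An added verification step, not from the tutorial: a Python function that reads the two files edited in this section and reports every extension that is still mapped to a PHP handler system-wide. The file contents below are constructed excerpts of /etc/mime.types and php5.conf as they look after the edits; an empty result means PHP really is off until a per-site AddType enables it.

```python
import re

# Constructed excerpts of the two files as they look after the edits above
# (the x-ruby line was commented out in section 17).
MIME_TYPES_AFTER = """\
#application/x-httpd-php                phtml pht php
#application/x-httpd-php-source         phps
#application/x-httpd-php3               php3
#application/x-httpd-php3-preprocessed  php3p
#application/x-httpd-php4               php4
application/x-latex                     latex
#application/x-ruby                     rb
"""

PHP5_CONF_AFTER = """\
<IfModule mod_php5.c>
  # AddType application/x-httpd-php .php .phtml .php3
  # AddType application/x-httpd-php-source .phps
</IfModule>
"""

def active_php_extensions(mime_types_text, php5_conf_text):
    """Return the set of extensions still mapped to a PHP handler globally.

    An empty set means PHP is off for every vhost until a per-site AddType
    (the kind ISPConfig writes for sites that may run PHP) turns it on."""
    exts = set()
    # mime.types: "<type> <ext>..."; a leading '#' disables the whole line.
    for line in mime_types_text.splitlines():
        fields = line.split()
        if fields and fields[0].startswith("application/x-httpd-php"):
            exts.update(fields[1:])
    # php5.conf: "AddType <type> .ext ..."; re.match anchors at the line start,
    # so a '#' before AddType makes the line fall through as intended.
    for line in php5_conf_text.splitlines():
        m = re.match(r"\s*AddType\s+application/x-httpd-php\S*\s+(.+)", line)
        if m:
            exts.update(e.lstrip(".") for e in m.group(1).split())
    return exts
```

On a live server, pass in open("/etc/mime.types").read() and open("/etc/apache2/mods-enabled/php5.conf").read(); a non-empty set names the extensions every website would still be able to execute.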

18 Proftpd
In order to install Proftpd, run
aptitude install proftpd ucf

You will be asked a question:


Run proftpd: <-- standalone

For security reasons add the following lines to /etc/proftpd/proftpd.conf (thanks to Reinaldo Carvalho; more information can be found here: http://proftpd.org/localsite/Userguide/linked/userguide.html):
vi /etc/proftpd/proftpd.conf

[...]
DefaultRoot ~
IdentLookups off
ServerIdent on "FTP Server ready."
[...]

ISPConfig expects the configuration to be in /etc/proftpd.conf instead of /etc/proftpd/proftpd.conf, therefore we create a symlink (you can skip this command if you don't want to install ISPConfig):
ln -s /etc/proftpd/proftpd.conf /etc/proftpd.conf

Then restart Proftpd:


/etc/init.d/proftpd restart

19 Webalizer
To install webalizer, just run
aptitude install webalizer

20 Synchronize the System Clock


It is a good idea to synchronize the system clock with an NTP (network time protocol) server over the internet. Simply run
aptitude install ntp ntpdate

and your system time will always be in sync.


21 Install Some Perl Modules Needed By SpamAssassin (Comes With ISPConfig)


Run
aptitude install libhtml-parser-perl libdb-file-lock-perl libnet-dns-perl

22 ISPConfig
The configuration of the server is now finished, and if you wish you can now install ISPConfig on it. Please check out the ISPConfig installation manual: http://www.ispconfig.org/manual_installation.htm

22.1 A Note On SuExec


If you want to run CGI scripts under suExec, you should specify /var/www as the home directory for websites created by ISPConfig as Ubuntu's suExec is compiled with /var/www as Doc_Root. Run
/usr/lib/apache2/suexec -V

and the output should look like this:


root@server1:~# /usr/lib/apache2/suexec -V
 -D AP_DOC_ROOT="/var/www"
 -D AP_GID_MIN=100
 -D AP_HTTPD_USER="www-data"
 -D AP_LOG_EXEC="/var/log/apache2/suexec.log"
 -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
 -D AP_UID_MIN=100
 -D AP_USERDIR_SUFFIX="public_html"
root@server1:~#

So if you want to use suExec with ISPConfig, don't change the default web root (which is /var/www) if you use expert mode during the ISPConfig installation (in standard mode you can't change the web root anyway, so you'll be able to use suExec in any case).

23 Links
- Ubuntu: http://www.ubuntu.com
- ISPConfig: http://www.ispconfig.org
