Building a web, mail and DNS server with ISPConfig 3.1 on Debian 9 (Stretch)
Objective
We start from a minimal Debian 9 installation (a virtual machine under Proxmox 5 in my case) and build a complete server to host your websites, databases, mail and DNS. For that we use Apache, MariaDB, Dovecot, BIND, PureFTPD and a few others.
Prerequisites
- A server running Debian 9 (Stretch)
- SSH access with root privileges
Let's go!
apt-get update && apt-get upgrade
Set the host name and FQDN in /etc/hosts; the ISPConfig installer and Postfix both rely on hostname -f returning the fully qualified name.
nano /etc/hosts
127.0.0.1 localhost.localdomain localhost
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
# --- BEGIN PVE ---
10.10.10.150 srv88.miloose.test srv88
# --- END PVE ---
Reboot so that the change is taken into account, then check that the short name and the FQDN are the ones you expect:
reboot
root@srv88:/home/miloose# hostname
srv88
root@srv88:/home/miloose# hostname -f
srv88.miloose.test
nano /etc/apt/sources.list
deb http://ftp.fr.debian.org/debian/ stretch main contrib non-free
deb-src http://ftp.fr.debian.org/debian/ stretch main contrib non-free
deb http://security.debian.org/debian-security stretch/updates main contrib non-free
deb-src http://security.debian.org/debian-security stretch/updates main contrib non-free
apt-get update && apt-get upgrade
dpkg-reconfigure dash
Answer No when asked whether dash should be the default system shell (/bin/sh), so that /bin/sh points to bash.
apt-get install ntp
apt-get install postfix postfix-mysql postfix-doc mariadb-client mariadb-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve dovecot-lmtpd sudo
mysql_secure_installation
Set a root password and, when prompted, remove the anonymous users, disallow remote root login and drop the test database.
nano /etc/postfix/master.cf
Enable the submission (587) and smtps (465) listeners for mail clients: uncomment the two service lines and the four "-o" options under each, so that clients must use TLS and authenticate before anything is accepted; the remaining options stay commented out as shipped. The "-o" lines must be indented, otherwise Postfix does not treat them as continuation lines and rejects the file.
[...]
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
[...]
service postfix restart
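As an added example (not part of the original page), here is a small POSIX shell/awk check for the two client listeners configured above. It parses a constructed master.cf fragment embedded inline, in which submission is hardened exactly as on this page while smtps has deliberately been weakened (opportunistic TLS, SASL off, no reject), and reports any listener that does not enforce TLS, enable SASL, or reject unauthenticated clients. The fragment, the function name and the reason labels are assumptions of this example; pass a path to audit the real /etc/postfix/master.cf instead.

```shell
#!/bin/sh
# Added example: audit the submission/smtps listeners in a Postfix master.cf.
# Constructed fragment (not the page's file): submission hardened as above,
# smtps deliberately weakened (opportunistic TLS, no SASL, no reject).
SAMPLE_MASTER_CF='smtp      inet  n       -       y       -       -       smtpd
#submission inet n       -       y       -       -       smtpd
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_security_level=may
  -o smtpd_client_restrictions=permit_mynetworks
pickup    unix  n       -       y       60      1       pickup'

# audit_mua_listeners [master.cf]
# Prints "<service> ok" or "<service> WEAK: <reasons>" for submission and smtps.
# Without an argument it audits the constructed sample above.
audit_mua_listeners() {
    { if [ -n "$1" ]; then cat "$1"; else printf '%s\n' "$SAMPLE_MASTER_CF"; fi; } | awk '
    function report(   msg, verdict) {
        if (svc == "") return
        msg = ""
        # TLS is mandatory with security_level=encrypt (STARTTLS) or wrappermode=yes (smtps)
        if (tls[svc] != "encrypt" && wrap[svc] != "yes") msg = msg " tls-not-enforced"
        if (sasl[svc] != "yes") msg = msg " sasl-disabled"
        if (cr[svc] !~ /permit_sasl_authenticated,reject/) msg = msg " no-reject"
        verdict = (msg == "") ? " ok" : " WEAK:" msg
        print svc verdict
        svc = ""
    }
    /^#/ { next }                      # comment lines
    /^[^ \t]/ {                        # a line starting in column 1 opens a service entry
        report()
        svc = ($1 == "submission" || $1 == "smtps") ? $1 : ""
        next
    }
    svc != "" && $1 == "-o" {          # indented "-o key=value" overrides of the current service
        split($2, kv, "=")
        if (kv[1] == "smtpd_tls_security_level")  tls[svc]  = kv[2]
        if (kv[1] == "smtpd_tls_wrappermode")     wrap[svc] = kv[2]
        if (kv[1] == "smtpd_sasl_auth_enable")    sasl[svc] = kv[2]
        if (kv[1] == "smtpd_client_restrictions") cr[svc]   = kv[2]
    }
    END { report() }'
}

audit_mua_listeners
```

Run it as audit_mua_listeners /etc/postfix/master.cf after editing; only "submission ok" and "smtps ok" should come back. The check deliberately accepts either smtpd_tls_security_level=encrypt or smtpd_tls_wrappermode=yes as "TLS enforced", since smtps uses wrapper mode rather than STARTTLS.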
nano /etc/mysql/mariadb.conf.d/50-server.cnf
Commenting out bind-address makes MariaDB listen on every interface. That is only needed when additional ISPConfig servers must reach this database over the network; on a single server, keep bind-address = 127.0.0.1 active, or make sure TCP port 3306 is blocked by the firewall.
[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address = 127.0.0.1
sql-mode="NO_ENGINE_SUBSTITUTION"
[...]
On Debian 9 the MariaDB root account authenticates through the unix_socket plugin, which the PHP-based ISPConfig installer cannot use; switch it to password authentication:
echo "update mysql.user set plugin = 'mysql_native_password' where user='root';" | mysql -u root
nano /etc/mysql/debian.cnf
Put the MySQL root password (sqlrootpasswd is a placeholder, use your own) in both sections so that Debian's maintenance scripts keep working now that root requires a password; the file must stay readable by root only (mode 0600).
# Automatically generated for Debian scripts. DO NOT TOUCH!
[client]
host = localhost
user = root
password = sqlrootpasswd
socket = /var/run/mysqld/mysqld.sock
[mysql_upgrade]
host = localhost
user = root
password = sqlrootpasswd
socket = /var/run/mysqld/mysqld.sock
basedir = /usr
service mysql restart
netstat -tap | grep mysql
root@srv88:/home/miloose# netstat -tap | grep mysql
tcp6 0 0 [::]:mysql [::]:* LISTEN 13074/mysqld
The [::]:mysql entry confirms that MariaDB now accepts TCP connections on all addresses, which is what the commented-out bind-address above produces.
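Added example (not from the original page): a shell/awk filter that turns the check above into something you can run after every service is installed. It reads numeric netstat -tlnp style output, here a constructed sample embedded inline rather than the page's netstat -tap line, and prints every TCP listener bound to all interfaces (0.0.0.0 or ::) whose port is not in an allow-list of services this host is meant to expose. The sample, the function name and the allow-list are assumptions of this example; pass a file containing real netstat -tlnp output to scan your own server.

```shell
#!/bin/sh
# Added example: list listeners bound to all interfaces that are not expected
# to be public. Constructed `netstat -tlnp` sample (not from the page).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      601/sshd
tcp        0      0 127.0.0.1:10024         0.0.0.0:*               LISTEN      1203/amavisd-new
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1410/master
tcp6       0      0 :::3306                 :::*                    LISTEN      13074/mysqld
tcp6       0      0 :::443                  :::*                    LISTEN      1522/apache2
tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN      988/memcached
tcp6       0      0 :::8080                 :::*                    LISTEN      1522/apache2'

# Ports this kind of host legitimately exposes (an assumption of the example):
# ssh, smtp/submission/smtps, http/https/ISPConfig, imap/pop3, ftp, dns.
PUBLIC_TCP_PORTS="22 25 465 587 80 443 8080 143 993 110 995 21 53"

# exposed_listeners [netstat-output-file]
# Prints "<port> <program>" for each TCP listener on 0.0.0.0 or :: whose port
# is not in PUBLIC_TCP_PORTS. Without an argument it scans the sample above.
exposed_listeners() {
    { if [ -n "$1" ]; then cat "$1"; else printf '%s\n' "$SAMPLE_NETSTAT"; fi; } | awk -v allow="$PUBLIC_TCP_PORTS" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 ~ /^tcp6?$/ && $6 == "LISTEN" {
        port = $4; sub(/.*:/, "", port)                        # text after the last colon
        host = substr($4, 1, length($4) - length(port) - 1)     # everything before it
        if ((host == "0.0.0.0" || host == "::") && !(port in ok)) {
            prog = $7; sub(/^[0-9]+\//, "", prog)               # drop the "PID/" prefix
            print port, prog
        }
    }'
}

exposed_listeners
```

On the sample only "3306 mysqld" is reported: MariaDB is the one daemon reachable from outside that has no business being so on a single-server setup. Anything the script lists should either be re-bound to 127.0.0.1 or explicitly blocked by the firewall ISPConfig configures later.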
apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl libdbd-mysql-perl postgrey
Amavis starts its own SpamAssassin instance, so the standalone daemon is not needed:
service spamassassin stop
systemctl disable spamassassin
apt-get install apache2 apache2-doc apache2-utils libapache2-mod-php php7.0 php7.0-common php7.0-gd php7.0-mysql php7.0-imap phpmyadmin php7.0-cli php7.0-cgi libapache2-mod-fcgid apache2-suexec-pristine php-pear php7.0-mcrypt mcrypt imagemagick libruby libapache2-mod-python php7.0-curl php7.0-intl php7.0-pspell php7.0-recode php7.0-sqlite3 php7.0-tidy php7.0-xmlrpc php7.0-xsl memcached php-memcache php-imagick php-gettext php7.0-zip php7.0-mbstring memcached libapache2-mod-passenger php7.0-soap
a2enmod suexec rewrite ssl actions include dav_fs dav auth_digest cgi headers
Mitigate httpoxy: drop any Proxy request header before Apache hands it to CGI/FastCGI scripts as HTTP_PROXY.
nano /etc/apache2/conf-available/httpoxy.conf
<IfModule mod_headers.c>
RequestHeader unset Proxy early
</IfModule>
a2enconf httpoxy
service apache2 restart
apt-get install certbot
apt-get install php7.0-fpm
a2enmod actions proxy_fcgi alias
service apache2 restart
apt-get install php7.0-opcache php-apcu
service apache2 restart
apt-get install mailman
newlist mailman
root@srv88:/home/miloose# newlist mailman
Enter the email of the person running the list: listadmin@miloose.xyz
Initial mailman password:
To finish creating your mailing list, you must edit your /etc/aliases (or
equivalent) file by adding the following lines, and possibly running the
`newaliases' program:
## mailman mailing list
mailman: "|/var/lib/mailman/mail/mailman post mailman"
mailman-admin: "|/var/lib/mailman/mail/mailman admin mailman"
mailman-bounces: "|/var/lib/mailman/mail/mailman bounces mailman"
mailman-confirm: "|/var/lib/mailman/mail/mailman confirm mailman"
mailman-join: "|/var/lib/mailman/mail/mailman join mailman"
mailman-leave: "|/var/lib/mailman/mail/mailman leave mailman"
mailman-owner: "|/var/lib/mailman/mail/mailman owner mailman"
mailman-request: "|/var/lib/mailman/mail/mailman request mailman"
mailman-subscribe: "|/var/lib/mailman/mail/mailman subscribe mailman"
mailman-unsubscribe: "|/var/lib/mailman/mail/mailman unsubscribe mailman"
Hit enter to notify mailman owner...
nano /etc/aliases
## mailman mailing list
mailman: "|/var/lib/mailman/mail/mailman post mailman"
mailman-admin: "|/var/lib/mailman/mail/mailman admin mailman"
mailman-bounces: "|/var/lib/mailman/mail/mailman bounces mailman"
mailman-confirm: "|/var/lib/mailman/mail/mailman confirm mailman"
mailman-join: "|/var/lib/mailman/mail/mailman join mailman"
mailman-leave: "|/var/lib/mailman/mail/mailman leave mailman"
mailman-owner: "|/var/lib/mailman/mail/mailman owner mailman"
mailman-request: "|/var/lib/mailman/mail/mailman request mailman"
mailman-subscribe: "|/var/lib/mailman/mail/mailman subscribe mailman"
mailman-unsubscribe: "|/var/lib/mailman/mail/mailman unsubscribe mailman"
newaliases
service postfix restart
ln -s /etc/mailman/apache.conf /etc/apache2/conf-enabled/mailman.conf
Once Apache has been restarted, the Mailman administration and list pages are reachable at:
http://srv88.miloose.test/cgi-bin/mailman/admin/
http://srv88.miloose.test/cgi-bin/mailman/listinfo/
service apache2 restart
service mailman start
apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool
nano /etc/default/pure-ftpd-common
[...]
STANDALONE_OR_INETD=standalone
[...]
VIRTUALCHROOT=true
[...]
A value of 1 accepts both plain and TLS sessions; use 2 instead if you want Pure-FTPd to refuse unencrypted logins altogether.
echo 1 > /etc/pure-ftpd/conf/TLS
mkdir -p /etc/ssl/private/
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:France
Locality Name (eg, city) []:Nice
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Miloose Corp.
Organizational Unit Name (eg, section) []:Web Services
Common Name (e.g. server FQDN or YOUR name) []:srv88.miloose.test
Email Address []:admin@miloose.test
chmod 600 /etc/ssl/private/pure-ftpd.pem
service pure-ftpd-mysql restart
Enable journaled quota on the root filesystem; ISPConfig uses it to enforce per-site disk limits.
nano /etc/fstab
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
# / was on /dev/sda2 during installation
UUID=f5fe1fc3-41e4-4557-a101-104e32a7e2b4 / ext4 errors=remount-ro,usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0 0 1
# swap was on /dev/sda3 during installation
UUID=de1fa94d-5e13-4dc4-81f1-bc4159793d93 none swap sw 0 0
/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0
mount -o remount /
quotacheck -avugm
quotaon -avug
In my case (on a CT under Proxmox) it is not possible to edit /etc/fstab, because it is managed by the host. During my test on a VPS taken for the occasion, it worked perfectly.
I also ran into an error when enabling quota, but I no longer remember on which of the three commands above. Simply rerunning the command that failed makes it work.
apt-get install bind9 dnsutils
apt-get install haveged
apt-get install webalizer awstats geoip-database libclass-dbi-mysql-perl libtimedate-perl
Comment out both AWStats cron jobs; ISPConfig generates the statistics from its own cron job instead.
nano /etc/cron.d/awstats
#MAILTO=root
#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh
# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.$
apt-get install build-essential autoconf automake libtool flex bison debhelper binutils
cd /tmp
wget http://olivier.sessink.nl/jailkit/jailkit-2.19.tar.gz
tar xvfz jailkit-2.19.tar.gz
cd jailkit-2.19
echo 5 > debian/compat
./debian/rules binary
cd ..
dpkg -i jailkit_2.19-1_*.deb
rm -rf jailkit-2.19*
Jailkit must be installed before ISPConfig.
apt-get install fail2ban
nano /etc/fail2ban/jail.local
[pure-ftpd]
enabled = true
port = ftp
filter = pure-ftpd
logpath = /var/log/syslog
maxretry = 3
[dovecot]
enabled = true
filter = dovecot
logpath = /var/log/mail.log
maxretry = 5
[postfix-sasl]
enabled = true
port = smtp,submission,smtps
filter = postfix-sasl
logpath = /var/log/mail.log
maxretry = 3
The port list matters: the ban action only blocks the ports named in the jail, and with the master.cf above authentication happens on submission (587) and smtps (465), not only on port 25.
service fail2ban restart
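As an added example (not from the original page), the detection the postfix-sasl jail performs, reduced to a shell/awk one-liner you can run by hand against mail.log: it counts "SASL ... authentication failed" warnings per client IP, the same event fail2ban's postfix-sasl filter matches, and prints the clients that reached maxretry. The log lines are constructed for this example (RFC 5737 documentation addresses), the function name is an assumption, and fail2ban's findtime window is not modelled; pass a path to run it on the real /var/log/mail.log.

```shell
#!/bin/sh
# Added example: count SASL authentication failures per client IP in a
# Postfix log, the event fail2ban's postfix-sasl filter matches.
# Constructed /var/log/mail.log sample (not from the page).
SAMPLE_MAIL_LOG='Sep 24 10:01:02 srv88 postfix/submission/smtpd[2201]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 24 10:01:05 srv88 postfix/submission/smtpd[2201]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: UGFzc3dvcmQ6
Sep 24 10:01:09 srv88 postfix/smtpd[2204]: connect from mail.example.net[198.51.100.5]
Sep 24 10:01:11 srv88 postfix/smtps/smtpd[2207]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep 24 10:01:15 srv88 dovecot: imap-login: Login: user=<alice@miloose.test>, method=PLAIN, rip=192.0.2.10, lip=10.10.10.150, TLS
Sep 24 10:01:20 srv88 postfix/submission/smtpd[2210]: warning: unknown[198.51.100.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6'

# sasl_bruteforcers [maxretry] [mail.log]
# Prints "<ip> <failures>" for every client with at least maxretry (default 3)
# "SASL ... authentication failed" lines; findtime is not modelled.
sasl_bruteforcers() {
    max="${1:-3}"
    { if [ -n "$2" ]; then cat "$2"; else printf '%s\n' "$SAMPLE_MAIL_LOG"; fi; } | awk -v max="$max" '
    /postfix\/.*smtpd\[[0-9]+\]: warning: / && / authentication failed/ &&
    match($0, /\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]: SASL /) {
        ip = substr($0, RSTART + 1)        # from just after the "[" ...
        sub(/\].*$/, "", ip)               # ... up to the closing "]"
        hits[ip]++
    }
    END { for (ip in hits) if (hits[ip] >= max) print ip, hits[ip] }'
}

sasl_bruteforcers 3
```

On the sample, 203.0.113.7 fails three times across the submission and smtps listeners and is reported, while 198.51.100.9 (one failure) and the successful Dovecot login are not. This is exactly why the jail's port list has to cover 587 and 465 as well as 25: the failures come from those listeners, and a ban limited to smtp would leave them open.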
apt-get install ufw
apt-get install roundcube roundcube-core roundcube-mysql roundcube-plugins
nano /etc/roundcube/config.inc.php
[...]
$config['default_host'] = 'localhost';
[...]
$config['smtp_server'] = 'localhost';
[...]
nano /etc/apache2/conf-enabled/roundcube.conf
Alias /webmail /var/lib/roundcube
Do not use the /mail alias, otherwise the ISPConfig email module will no longer work!
service apache2 reload
http://srv88.miloose.test/webmail
cd /tmp
Quote the URL: an unquoted & would send wget to the background with a truncated URL, and -O saves the archive under the name the next command expects.
wget -O ISPConfig-3.1.6.tar.gz "https://downloads.sourceforge.net/project/ispconfig/ISPConfig%203/ISPConfig-3.1.6/ISPConfig-3.1.6.tar.gz?r=https%3A%2F%2Fsourceforge.net%2Fprojects%2Fispconfig%2Ffiles%2Flatest%2Fdownload&ts=1506220006&use_mirror=10gbps-io"
tar xfz ISPConfig-3.1.6.tar.gz
cd ispconfig3_install/install/
php -q install.php
--------------------------------------------------------------------------------
_____ ___________ _____ __ _ ____
|_ _/ ___| ___ \ / __ \ / _(_) /__ \
| | \ `--.| |_/ / | / \/ ___ _ __ | |_ _ __ _ _/ /
| | `--. \ __/ | | / _ \| '_ \| _| |/ _` | |_ |
_| |_/\__/ / | | \__/\ (_) | | | | | | | (_| | ___\ \
\___/\____/\_| \____/\___/|_| |_|_| |_|\__, | \____/
__/ |
|___/
--------------------------------------------------------------------------------
>> Initial configuration
Operating System: Debian 9.0 (Stretch) or compatible
Following will be a few questions for primary configuration so be careful.
Default values are in [brackets] and can be accepted with <ENTER>.
Tap in "quit" (without the quotes) to stop the installer.
Select language (en,de) [en]:
Installation mode (standard,expert) [standard]:
Full qualified hostname (FQDN) of the server, eg server1.domain.tld [srv88.miloose.test]:
MySQL server hostname [localhost]:
MySQL server port [3306]:
MySQL root username [root]:
MySQL root password []: sqlrootpasswd
MySQL database to create [dbispconfig]:
MySQL charset [utf8]:
Configuring Postgrey
Configuring Postfix
Generating a 4096 bit RSA private key
..................................................++
.............................................................................++
writing new private key to 'smtpd.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:France
Locality Name (eg, city) []:Nice
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Miloose Corp.
Organizational Unit Name (eg, section) []:Web Services
Common Name (e.g. server FQDN or YOUR name) []:srv88.miloose.test
Email Address []:admin@miloose.test
Configuring Mailman
Configuring Dovecot
Configuring Spamassassin
Configuring Amavisd
Configuring Getmail
Configuring Jailkit
Configuring Pureftpd
Configuring BIND
Configuring Apache
Configuring vlogger
[INFO] service OpenVZ not detected
Configuring Ubuntu Firewall
[INFO] service Metronome XMPP Server not detected
Configuring Fail2ban
Configuring Apps vhost
Installing ISPConfig
ISPConfig Port [8080]:
Admin password [admin]: adminpasswd
Re-enter admin password []: adminpasswd
Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]:
Generating RSA private key, 4096 bit long modulus
....++
....++
e is 65537 (0x010001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:France
Locality Name (eg, city) []:Nice
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Miloose Corp.
Organizational Unit Name (eg, section) []:Web Services
Common Name (e.g. server FQDN or YOUR name) []:srv88.miloose.test
Email Address []:admin@miloose.test
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:Miloose Corp.
writing RSA key
Configuring DBServer
Installing ISPConfig crontab
Installing ISPConfig crontab
no crontab for root
no crontab for getmail
Detect IP addresses
Restarting services ...
Installation completed.
The control panel is then reachable at the address below; your browser will warn about the self-signed certificate generated during the installation, and you log in as admin with the password chosen above.
https://srv88.miloose.test:8080