The Perfect Setup - Debian Woody (3.0)

<< HOWTO-Index

NEW! Visit my Linux forums!

This Howto is also available on HowtoForge! If you have also written tutorials, you can publish them there.

Subscribe to FalkoTimme.com Newsletter
and stay informed about my latest HOWTOs and projects.

Email

(If you want to unsubscribe from our newsletter, visit this link.)

The Perfect Setup - Debian Woody (3.0)

Version 1.6
Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited 07/14/2005

This is a detailed description about the steps to be taken to setup a Debian based server (Debian Woody alias Debian 3.0) that offers all services needed by ISPs and hosters (web server (SSL-capable), mail server (with SMTP-AUTH and TLS!), DNS server, FTP server, MySQL server, POP3/IMAP, Quota, Firewall, etc.).

I will use the following software:

Web Server: Apache 1.3.x
Mail Server: Postfix (easier to configure than sendmail; has a shorter history of security holes than sendmail)
DNS Server: BIND9
FTP Server: proftpd (you could also use vsftpd)
POP3/IMAP: in this example you can choose between the traditional UNIX mailbox format (we then use qpopper/uw-imapd) or the Maildir format (in this case we will use Courier-POP3/Courier-IMAP).
Webalizer for web site statistics

In the end you should have a system that works reliably and is ready for the free webhosting control panel ISPConfig (i.e., ISPConfig runs on it out of the box).

I want to say first that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!

Requirements

To install such a system you will need the following:

CD 1 of the Debian Woody (Debian 3.0) release (available from http://www.debian.org)
CD 1 of the latest release of Mandrake Linux (9.2 at the time of this writing) (available from http://www.mandrake-linux.com) (you do not need it if you do not need to create partitions on your hard drive)
an internet connection since I will describe a network installation in this document

1 The Base System

If you have an unused hard drive you first will have to create partitions on it (you can skip this step if you already have partitions on your hard drive). You can use the Debian installer to do this but I think it is hard to use (especially for newbies). This is where I cheat a little bit: I insert the Mandrake CD into my CD-ROM and run the Mandrake installer (just until after my partitions have been created unsing Mandrake's partitioning tool which I think is the best in the Linux world).

I create two partitions: /dev/hda1 (with /boot as mount point) and /dev/hda6 (with / as mount point). Additionally, I create a swap partition (ususally on /dev/hda5). I think, 50 MB -100 MB is a good size for /dev/hda1; 500 MB should be enough for the swap partition; the rest is for /dev/hda6 (where the users' web sites etc. will be).

After the partitions have been created I stop the Mandrake installation, insert my Debian CD and reboot the system.

At the boot prompt, enter bf24 to install Debian with a 2.4 Linux kernel:

Then select your language:

Afterwards, you will enter the main menu of the Debian installer. Configure your keyboard:

Initialize and activate a swap partition:

When asked Scan for Bad Blocks?, choose No.

Then initialize a Linux partition:

Select the file system you want. I take ext3 here.

Select /dev/hda1 as the partition to be initialized:

When asked Scan for Bad Blocks?, enter No.

Select /boot as the mount point for /dev/hda1:

Now you have to initialize your second Linux partition:

Select your preferred filesystem (again, I take ext3 here). Then select /dev/hda6 as the partition to be initialized:

When asked Scan for Bad Blocks?, enter No.

Select / as the mount point for /dev/hda6:

After your partitions are formatted and initialized, select Install Kernel and Driver Modules from the main menu. I think this does not need any further explanation.

Configure Device Driver modules:

Be sure to install the driver for your network card (if you don't know the correct one it is safe to install mutliple drivers):

Now go sure to include iptables support (Firewall!) in your kernel:

After you have left the driver modules menu you must configure your network:

For the hostname I highly recommend a subdomain that will not be used for a virtual site on that server later on. Something like server1, server2, ... would be quite handy as it allows you to distinguish your servers if you run multiple of them. So if your domain is example.com (a real domain is recommended!) you can reach the server under server1.example.com (don't forget to update the DNS record for example.com!).

When prompted for Automatic Network Configuration, select No.

Then enter the main IP address of the system, its network mask, the gateway address and the domain of the system (here: example.com).

Specify the DNS servers the system should use (e.g. 193.174.32.18 and 145.253.2.11).

Install the base system:

Make the system bootable:

Select Install LILO in the MBR:

Then reboot the system. Go sure to remove the Debian CD from your CD-ROM:

After the reboot configure your time zone:

Do not enable md5 passwords:

Enable shadow passwords:

Then set the root password, create the additional user admin and enter his password.

If you don't need pcmcia packages remove them.

Don't use a PPP connection to install the system (a server should have a permanent connection to the internet):

I want to do a network installation (that is why I only need disk 1 of the seven Debian CD-ROMs). So I choose http as method for accessing the Debian archive under Apt Configuration:

Select a mirror that is close to you:

Normally, you don't use a proxy so leave the field empty:

When asked Use security updates from security.debian.org? answer Yes.

Important: Since June 2005 Debian Sarge (3.1) is the stable release of Debian. Because we want to install Debian Woody (3.0) here instead of Sarge we have to change the file /etc/apt/sources.list now before we go on! The Woody installer still thinks that Woody is the stable release. Press Ctrl + Alt + F2 on your keyboard. You are now on the shell. Login as root. Then edit /etc/apt/sources.list with a text editor (e.g. vi) and replace stable with woody wherever it appears. Afterwards run

apt-get update

and press Ctrl + Alt + F1 to return to the installation screen.

Then run tasksel:

I want to have a minimal system at the beginning so I only select mail server and C and C++ (so I can compile sources if I need to). The other software will be installed later.

Don't run dselect (don't even think of it, you will be lost!):

For the next steps you can accept the default values.

Then configure your locales. At least choose en_US ISO-8859-1:

As the default locale I select en_US:

Then set up your ssh server:

The installation begins. At the end you will be asked if you wish to delete any previously downloaded .deb files. You can answer Y here.

When the installer wants to configure exim enter 5 (no configuration) because we will use postfix as our mail server.

Now the base system is ready:

2 Installing and Configuring the Rest of the System

Configure additional IP Addresses

If you have more than one IP address you can add your additional IP addresses by editing /etc/network/interfaces. It will look similar to this:

# /etc/network/interfaces -- configuration file for ifup(8), ifdown(8)

# The loopback interface
auto lo
iface lo inet loopback

# The first network card - this entry was created during the Debian installation
# (network, broadcast and gateway are optional)
auto eth0
iface eth0 inet static
        address 192.168.0.100
        netmask 255.255.255.0
        network 192.168.0.0
        broadcast 192.168.0.255
        gateway 192.168.0.1

If you want to add the IP address 192.168.0.101 to the interface eth0 you should change the file to look like this:

# /etc/network/interfaces -- configuration file for ifup(8), ifdown(8)

# The loopback interface
auto lo
iface lo inet loopback

# The first network card - this entry was created during the Debian installation
# (network, broadcast and gateway are optional)
auto eth0
iface eth0 inet static
        address 192.168.0.100
        netmask 255.255.255.0
        network 192.168.0.0
        broadcast 192.168.0.255
        gateway 192.168.0.1

auto eth0:0
iface eth0:0 inet static
        address 192.168.0.101
        netmask 255.255.255.0
        network 192.168.0.0
        broadcast 192.168.0.255
        gateway 192.168.0.1

Then restart your network:

/etc/init.d/networking restart

Setting the Hostname

echo server1.example.com > /etc/hostname
/bin/hostname -F /etc/hostname

Install/Remove some Software

Add

deb http://backports.debian.skynet.be woody cyrus-sasl2

to /etc/apt/sources.list and run

apt-get update
apt-get install wget bzip2 rdate fetchmail libdb3++-dev unzip zip ncftp xlispstat libarchive-zip-perl zlib1g-dev libpopt-dev nmap openssl (1 line!)
apt-get remove lpr nfs-common portmap pidentd pcmcia-cs pppoe pppoeconf ppp pppconfig

update-rc.d -f exim remove
update-inetd --remove daytime
update-inetd --remove telnet
update-inetd --remove time
update-inetd --remove finger
update-inetd --remove talk
update-inetd --remove ntalk
update-inetd --remove ftp
update-inetd --remove discard
<- Yes [y]

/etc/init.d/inetd reload

Quota

apt-get install quota quotatool

Edit /etc/fstab to look like this (I added ,usrquota,grpquota to partition /dev/hda6):

# /etc/fstab: static file system information.
#
# <file system> <mount point>   <type>  <options>               <dump>  <pass>
/dev/hda1       /boot           ext3    errors=remount-ro       0       1
/dev/hda5       none            swap    sw                      0       0
proc            /proc           proc    defaults                0       0
/dev/fd0        /floppy         auto    user,noauto             0       0
/dev/cdrom      /cdrom          iso9660 ro,user,noauto          0       0
/dev/hda6       /               ext3    defaults,usrquota,grpquota                      0       2

Then run:

touch /quota.user /quota.group
chmod 600 /quota.*
mount -o remount /
quotacheck -avugm
quotaon -avug

DNS-Server

apt-get install bind9

For security reasons we want to run BIND chrooted so we have to do the following steps:

/etc/init.d/bind9 stop

Edit the startup script /etc/init.d/bind9 so that the daemon will run as the unprivileged user 'nobody', chrooted to /var/lib/named. Modify the line: OPTS="" so that it reads OPTS="-u nobody -t /var/lib/named":

#!/bin/sh

PATH=/sbin:/bin:/usr/sbin:/usr/bin

# for a chrooted server: "-u nobody -t /var/lib/named"
OPTS="-u nobody -t /var/lib/named"

test -x /usr/sbin/named || exit 0

case "$1" in
    start)
        echo -n "Starting domain name service: named"
        start-stop-daemon --start --quiet \
            --pidfile /var/run/named.pid --exec /usr/sbin/named -- $OPTS
        echo "."
    ;;

    stop)
        echo -n "Stopping domain name service: named"
        /usr/sbin/rndc stop
        echo "."
    ;;

    reload)
        /usr/sbin/rndc reload
    ;;

    restart|force-reload)
        $0 stop
        sleep 2
        $0 start
    ;;

    *)
        echo "Usage: /etc/init.d/bind {start|stop|reload|restart|force-reload}" >&2
        exit 1
    ;;
esac

exit 0

Create the necessary directories under /var/lib:

mkdir -p /var/lib/named/etc
mkdir /var/lib/named/dev
mkdir -p /var/lib/named/var/cache/bind
mkdir /var/lib/named/var/run

Then move the config directory from /etc to /var/lib/named/etc:

mv /etc/bind /var/lib/named/etc

Create a symlink to the new config directory from the old location (to avoid problems when bind is upgraded in the future):

ln -s /var/lib/named/etc/bind /etc/bind

Make null and random devices, and fix permissions of the directories:

mknod /var/lib/named/dev/null c 1 3
mknod /var/lib/named/dev/random c 1 8
chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random
chown -R nobody:nogroup /var/lib/named/var/*
chown -R nobody:nogroup /var/lib/named/etc/bind

We need to modify the startup script /etc/init.d/sysklogd of sysklogd so that we can still get important messages logged to the system logs. Modify the line: SYSLOGD="" so that it reads: SYSLOGD="-a /var/lib/named/dev/log":

#! /bin/sh
# /etc/init.d/sysklogd: start the system log daemon.

PATH=/bin:/usr/bin:/sbin:/usr/sbin

pidfile=/var/run/syslogd.pid
binpath=/sbin/syslogd

test -x $binpath || exit 0

# Options for start/restart the daemons
#   For remote UDP logging use SYSLOGD="-r"
#
SYSLOGD="-a /var/lib/named/dev/log"

create_xconsole()
{
    if [ ! -e /dev/xconsole ]; then
        mknod -m 640 /dev/xconsole p
    else
        chmod 0640 /dev/xconsole
    fi
    chown root.adm /dev/xconsole
}

running()
{
    # No pidfile, probably no daemon present
    #
    if [ ! -f $pidfile ]
    then
        return 1
    fi

    pid=`cat $pidfile`

    # No pid, probably no daemon present
    #
    if [ -z "$pid" ]
    then
        return 1
    fi

    cmd=`cat /proc/$pid/cmdline | tr "\000" "\n"|head -1`

    # No syslogd?
    #
    if [ "$cmd" != "$binpath" ]
    then
        return 1
    fi

    return 0
}

case "$1" in
  start)
    echo -n "Starting system log daemon: syslogd"
    create_xconsole
    start-stop-daemon --start --quiet --exec $binpath -- $SYSLOGD
    echo "."
    ;;
  stop)
    echo -n "Stopping system log daemon: syslogd"
    start-stop-daemon --stop --quiet --exec $binpath --pidfile $pidfile
    echo "."
    ;;
  reload|force-reload)
    start-stop-daemon --stop --quiet --signal 1 --exec $binpath --pidfile $pidfile
    ;;
  restart)
    echo -n "Stopping system log daemon: syslogd"
    start-stop-daemon --stop --quiet --exec $binpath --pidfile $pidfile
    echo "."
    sleep 1
    echo -n "Starting system log daemon: syslogd"
    start-stop-daemon --start --quiet --exec $binpath -- $SYSLOGD
    echo "."
    ;;
  reload-or-restart)
    if running
    then
        start-stop-daemon --stop --quiet --signal 1 --exec $binpath --pidfile $pidfile
    else
        start-stop-daemon --start --quiet --exec $binpath -- $SYSLOGD
    fi
    ;;
  *)
    echo "Usage: /etc/init.d/sysklogd {start|stop|reload|restart|force-reload|reload-or-restart}"
    exit 1
esac

exit 0

Restart the logging daemon:

/etc/init.d/sysklogd restart

Start up BIND, and check /var/log/syslog for any errors:

/etc/init.d/bind9 start

MySQL

apt-get install mysql-server mysql-client libmysqlclient10-dev
<- No
<- Yes

mysqladmin -u root password yourrootsqlpassword

In /etc/mysql/my.cnf comment out the following line:

skip-networking

It should now look similar to this:

# You can copy this to one of:
# /etc/mysql/my.cnf to set global options,
# mysql-data-dir/my.cnf to set server-specific options (in this
# installation this directory is /var/lib/mysql) or
# ~/.my.cnf to set user-specific options.
#
# One can use all long options that the program supports.
# Run the program with --help to get a list of available options

# This will be passed to all mysql clients
[client]
#password       = my_password
port            = 3306
socket          = /var/run/mysqld/mysqld.sock

# Here is entries for some specific programs
# The following values assume you have at least 32M ram

[safe_mysqld]
err-log         = /var/log/mysql/mysql.err

[mysqld]
user            = mysql
pid-file        = /var/run/mysqld/mysqld.pid
socket          = /var/run/mysqld/mysqld.sock
port            = 3306
#
# You can also put it into /var/log/mysql/mysql.log but I leave it in /var/log
# for backward compatibility. Both location gets rotated by the cronjob.
#log            = /var/log/mysql/mysql.log
log             = /var/log/mysql.log
basedir         = /usr
datadir         = /var/lib/mysql
tmpdir          = /tmp
language        = /usr/share/mysql/english
skip-locking
#
# The skip-networkin option will no longer be set via debconf menu.
# You have to manually change it if you want networking i.e. the server
# listening on port 3306. The default is "disable" - for security reasons.
#skip-networking
set-variable    = key_buffer=16M
set-variable    = max_allowed_packet=1M
set-variable    = thread_stack=128K
#
# Here you can see queries with especially long duration
#log-slow-queries       = /var/log/mysql/mysql-slow.log
#
# The following can be used as easy to replay backup logs or for replication
#server-id              = 1
#log-bin                = /var/log/mysql/mysql-bin.log
#binlog-do-db           = include_database_name
#binlog-ignore-db       = include_database_name
#
# Read the manual if you want to enable InnoDB!
skip-innodb

[mysqldump]
quick
set-variable    = max_allowed_packet=1M

[mysql]
#no-auto-rehash # faster start of mysql but no tab completition

[isamchk]
set-variable    = key_buffer=16M

Restart MySQL:

/etc/init.d/mysql restart

so that MySQL is accessible on port 3306 (you can check that with netstat -tap).

Postfix/Qpopper

addgroup sasl
apt-get install postfix-tls qpopper sasl-bin libsasl-modules-plain libsasl2 libsasl-gssapi-mit libsasl-digestmd5-des sasl2-bin libsasl2-modules (1 line!)

<- Kerberos: accept default value (I don't want to use Kerberos so I don't really care about it)
<- Internetsite
<- Domainname
<- No
<- accept default values
<- Kerberos: accept default value
<- NONE

cd /etc/init.d/
wget http://hanselan.de/postfix/pwcheck

In case you cannot access http://hanselan.de/postfix/pwcheck here's the pwcheck script:

#! /bin/sh
#
# pwcheck       Startet pwcheck f�r SMTP-Auth mit Postfix
#

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/usr/sbin/pwcheck
NAME=pwcheck
DESC="pwcheck daemon"

test -x $DAEMON || exit 0

set -e

case "$1" in
  start)
        echo -n "Starting $DESC: $NAME"
        ln -s /var/spool/postfix/var/run/pwcheck /var/run/pwcheck
        $DAEMON
        echo "."
        ;;
  stop)
        echo -n "Stopping $DESC: $NAME "
        rm /var/run/pwcheck
        /usr/bin/killall -KILL $NAME
        echo "."
        ;;
  *)
        N=/etc/init.d/$NAME
        echo "Usage: $N {start|stop}" >&2
        exit 1
        ;;
esac

exit 0

chmod 755 /etc/init.d/pwcheck
update-rc.d pwcheck defaults
mkdir -p /var/spool/postfix/var/run/pwcheck
chown postfix.root /var/spool/postfix/var/run/pwcheck/
chmod 700 /var/spool/postfix/var/run/pwcheck/
ln -s /var/spool/postfix/var/run/pwcheck /var/run/pwcheck

postconf -e 'smtpd_sasl_local_domain = $myhostname'
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,check_relay_domains'
postconf -e 'inet_interfaces = all'
echo 'pwcheck_method: pwcheck' >> /etc/postfix/sasl/smtpd.conf

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'

The file /etc/postfix/main.cf should now look like this:

# see /usr/share/postfix/main.cf.dist for a commented, fuller
# version of this file.

# Do not change these directory settings - they are critical to Postfix
# operation.
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
program_directory = /usr/lib/postfix

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
setgid_group = postdrop
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no
myhostname = server1.example.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = server1.example.com, localhost.example.com, localhost
relayhost =
mynetworks = 127.0.0.0/8
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,check_relay_domains
inet_interfaces = all
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

/etc/init.d/pwcheck start
/etc/init.d/postfix restart

To see if SMTP-AUTH and TLS work properly now run the following command:

telnet localhost 25

After you have established the connection to your postfix mail server type

ehlo localhost

If you see the lines

250-STARTTLS

and

250-AUTH

everything is fine.

Type

quit

to return to the system's shell.

Courier-IMAP/Courier-POP3

If you want to use a POP3/IMAP daemon that has Maildir support (if you do not want to use the traditional Unix mailbox format) you can install Courier-IMAP and Courier-POP3. Otherwise you can proceed with the Apache configuration.

apt-get install courier-imap courier-pop

qpopper and UW-IMAP will then be replaced.

Then configure Postfix to deliver emails to a user's Maildir*:

postconf -e 'home_mailbox = Maildir/'
postconf -e 'mailbox_command ='
/etc/init.d/postfix restart

*Please note: You do not have to do this if you intend to use ISPConfig on your system as ISPConfig does the necessary configuration using procmail recipes. But please go sure to enable Maildir under Management -> Settings -> EMail in the ISPConfig web interface.

Apache

Add

deb http://packages.dotdeb.org ./

to /etc/apt/sources.list and run

apt-get update

apt-get install apache apache-doc libapache-mod-ssl libapache-mod-ssl-doc
apt-get install libapache-mod-php4 php4 php4-cli php4-common php4-curl php4-dev php4-domxml php4-gd php4-gmp php4-imap php4-ldap php4-mcal php4-mcrypt php4-mhash php4-ming php4-mysql php4-odbc php4-pear php4-xslt curl libwww-perl imagemagick (1 line!)

Edit /etc/apache/httpd.conf. Under LoadModules add:

LoadModule php4_module /usr/lib/apache/1.3/libphp4.so
LoadModule ssl_module /usr/lib/apache/1.3/mod_ssl.so

Under Listen add:

Listen 80
Listen 443

Under "Addtype application" insert:

<IfModule mod_ssl.c>
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
</IfModule>

Before "Section 3 : Virtual Hosts" add:

<IfModule mod_ssl.c>
SSLCACertificateFile /etc/apache/ssl.crt/ca-bundle.crt
SSLPassPhraseDialog builtin
SSLSessionCache dbm:/var/run/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex file:/var/run/ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>

Change

DirectoryIndex index.html index.htm index.shtml index.cgi

DirectoryIndex index.html index.htm index.shtml index.cgi index.php index.php3 index.pl

Save /etc/apache/httpd.conf and run

/etc/init.d/apache restart

Proftpd

apt-get install proftpd

<- No

For security reasons you can add the following lines to /etc/proftpd.conf (thanks to Reinaldo Carvalho; more information can be found here: http://proftpd.linux.co.uk/localsite/Userguide/linked/userguide.html):

DefaultRoot ~
IdentLookups off
ServerIdent on "FTP Server ready."

and restart Proftpd:

/etc/init.d/proftpd restart

Webalizer

apt-get install webalizer

<- accept default values

Synchronize the System Clock

If you want to have the system clock synchronized with an NTP server you can add the following lines to /var/spool/cron/crontabs/root (if the file does not exist, create it by running

touch /var/spool/cron/crontabs/root):

# update time with ntp server
0 3,9,15,21 * * * /usr/sbin/rdate 128.2.136.71 | logger -t NTP

Then run

chmod 600 /var/spool/cron/crontabs/root
/etc/init.d/cron restart

Install some Perl Modules needed by SpamAssassin (comes with ISPConfig)

Installation using the Perl Shell

perl -MCPAN -e shell

If you run the Perl shell for the first time you will be asked some questions. In most cases the default answers are ok.

Please note: If you run a firewall on your system you might have to turn it off while working on the Perl shell in order for the Perl shell to be able to fetch the needed modules without a big delay. You can switch it on afterwards.

The big advantage of the Perl shell compared to the two other methods described here is that it cares about dependencies when installing new modules. I.e., if it turns out that a prerequisite Perl module is missing when you install another module the Perl shell asks you if it should install the prerequisite module for you. You should answer that question with "Yes".

Run the following commands to install the modules needed by SpamAssassin:

install HTML::Parser
install DB_File
install Net::DNS (when prompted to enable tests, choose no)
install Digest::SHA1
q (to leave the Perl shell)

If a module is already installed on your system you will get a message similar to this one:

HTML::Parser is up to date.

Successful installation of a module looks like this:

/usr/bin/make install -- OK

Compile a Custom Kernel

If you need to compile a new kernel for some reason (e.g. because you want to use the latest bleeding-edge kernel or need a feature that the standard Debian kernel does not offer), you can find more information here: Debian-Kernel-Compile-Howto.

The End

The configuration of the server is now finished, and if you wish you can now install ISPConfig on it.

A Note On SuExec

If you want to run CGI scripts under suExec, you should specify /var/www as the home directory for websites created by ISPConfig as Debian's suExec is compiled with /var/www as Doc_Root. Run /usr/lib/apache/suexec -V, and the output should look like this:

To select /var/www as the home directory for websites during the installation of ISPConfig do the following: When you are asked for the installation mode, select the expert mode.

Later during the installation you are asked if the default directory /home/www should be the directory where ISPConfig will create websites in. Answer n and enter /var/www as the home directory for websites.

Links

http://www.debian.org
http://www.debianplanet.org
http://www.debianforum.de (German)
http://www.debianhowto.de (German/English)
http://www.ispconfig.org

NEW! Visit my Linux forums!

This Howto is also available on HowtoForge! If you have also written tutorials, you can publish them there.

<< HOWTO-Index

| | | | | | | |