Ispcp installation on Ubuntu 8.04

Start Installation

1. Untar or unzip the distribution files to a secure directory:

# cd /root
# wget
# tar xvzf ispcp-omega-1.0.4.tar.gz

2. Change to the newly created directory:

# cd ./ispcp-omega-1.0.4

3. Install the required modules
First update your system:

For Ubuntu 8.10 and lower :

# apt-get update && apt-get upgrade

For Ubuntu 9.04 and higher :

# aptitude update && aptitude safe-upgrade

Then install all needed packages:

# aptitude install $(cat ./docs/Ubuntu/ubuntu-packages-`lsb_release -cs`)

During the Install process you might encounter some config screens,
here’s what you should fill in there (some screens described here might
not show up anymore in newer versions of the services to be

On the courier screen select 'no' to web directories.

When you get to the postfix screen select 'internet site', eventually type in 'root'
for mail. If you've set your system up correctly on install your domain should already be
on screen in the next step, otherwise fill in the host domain name of your server.
Eventually select 'no' to force sync updates.

Proftpd should be configured as standalone (i.e. not inetd)

If you get to the rootkithunter screen, select two times 'yes'

4. (optional) Check the ispcp.conf and adapt it to your requirements.

 An overview over the variables you can find in the FAQ on

5. Build the System by using :

# make -f Makefile.ubuntu install

6. Copy all the directories into your system (you may make backups)

# cp -Rv /tmp/ispcp/* /

7. Now it’s time to set up the frontend. Change into the engine directory:

# cd /var/www/ispcp/engine/setup

7a. Set the MySQL password, if not set:

# mysqladmin -u root password YOUR_PASSWORD

8. Start the engine setup:

# perl ispcp-setup

9. Install ispCP ω step-by-step

If you get no error, all went good; if you get one, look at to solve the problem.

10. There is an error in some courier-versions. Courier won’t stop, if you use

/etc/init.d/courier-authdaemon stop, so change it:

# nano /etc/init.d/courier-authdaemon
change: ${libexecdir}/authlib/authdaemon stop
with: killall authdaemond.plain

11. Clean the temporary folders:

# rm -fR /tmp/ispcp

This is how I would enable spamassassin, along with amavis
and clamav. Unlike the amavis configuration with maia or the one that
partially comes with ispcp, this method uses amavis as pre-queue
filter. That makes it possible to reject spam mails instead of only
tagging them…

apt-get install amavisd-new clamav spamassassin clamav-daemon lzop rpm pax unrar zoo arj p7zip-full lha arc cabextract ripole

add the following lines to /etc/postfix/ after:

smtp      inet  n       -       -       -       -       smtpd
-o smtpd_proxy_filter=localhost:10024
    -o content_filter=
localhost:10025 inet n  -       n       -       -       smtpd
    -o content_filter=
    -o smtpd_proxy_filter=
    -o smtpd_authorized_xforward_hosts=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=
    -o mynetworks=
    -o reveive_override_options=no_unknown_recipient_checks

remove the following from /etc/postfix/

amavis    unix  -       -       n       -       2       smtp
   -o smtp_data_done_timeout=1200
   -o smtp_send_xforward_command=yes
   -o disable_dns_lookups=yes

localhost:10025 inet  n -       n       -      -        smtpd
   -o content_filter=
   -o local_recipient_maps=
   -o relay_recipient_maps=
   -o smtpd_restriction_classes=
   -o smtpd_client_restrictions=
   -o smtpd_helo_restrictions=
   -o smtpd_sender_restrictions=
   -o smtpd_recipient_restrictions=permit_mynetworks,reject
   -o smtpd_override_options=no_address_mappings
   -o mynetworks=
   -o strict_rfc821_envelopes=yes

/etc/ will look like:

# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
    -o smtpd_proxy_filter=localhost:10024
    -o content_filter=
localhost:10025 inet n  -       n       -       -       smtpd
    -o content_filter=
    -o smtpd_proxy_filter=
    -o smtpd_authorized_xforward_hosts=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=
    -o mynetworks=
    -o reveive_override_options=no_unknown_recipient_checks
#submission inet n       -       -       -       -       smtpd
#  -o smtpd_enforce_tls=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#smtps     inet  n       -       -       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# For AOL-Accounts
587       inet  n       -       -       -       -       smtpd
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject_unauth_destination
#628      inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       -       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       -       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       -       -       -       smtp
    -o fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache      unix    -    -    -    -    1    scache
# ====================================================================
# ispCP ω (OMEGA) a Virtual Hosting Control System
# @copyright    2001-2006 by moleSoftware GmbH
# @copyright    2006-2008 by ispCP |
# @version        SVN: $Id$
# @link  
# @author        ispCP Team
# ====================================================================
# AMaViS => Antivir / Antispam

# ispCP autoresponder
ispcp-arpl unix  -      n       n       -       -       pipe
  flags=O user=vmail argv=/var/www/ispcp/engine/messager/ispcp-arpl-msgr

# TLS - Activate, if TLS is avaiable/used
smtps     inet  n       -       -       -       -       smtpd
   -o smtpd_tls_wrappermode=yes
   -o smtpd_sasl_auth_enable=yes
#   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in maildrop_destination_recipient_limit=1
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
# See the Postfix UUCP_README file for configuration details.
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
# Other external delivery methods.
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix    -    n    n    -    2    pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/
  ${nexthop} ${user}

change /etc/amavis/conf.d/01-debian:

#$lha    = 'lha'; #disabled (non-free, no security support)
#$unrar  = ['rar', 'unrar']; #disabled (non-free, no security support)


$lha    = undef;
$unrar  = undef;

change /etc/amavis/conf.d/20-debian_defaults:

$sa_tag2_level_deflt = 5.8;
$sa_kill_level_deflt = 6.41;
$final_virus_destiny      = D_REJECT;  # (data not lost, see virus quarantine)
$final_banned_destiny     = D_REJECT;   # D_REJECT when front-end MTA
$final_spam_destiny       = D_REJECT;
$final_bad_header_destiny = D_PASS;     # False-positive prone (for spam)

change /etc/amavis/conf.d/15-content_filter_mode:

@bypass_virus_checks_maps = (
   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);

@bypass_spam_checks_maps = (
   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);

change /etc/amavis/conf.d/50-user:

$max_servers = 5;

change in /etc/group:

to uid may be different

/etc/init.d/clamav-daemon restart
/etc/init.d/amavis restart
/etc/init.d/postfix restart

Consider using a ramdisk for the amavis temporary directory…
this will boost performance… and let you use a higher $max_servers

Hello …
I did exactly as you told us to do …
But then SMTP didn’t worked (couldn’t send mails … but i could
receive) and in the ispc pannel, at Server Status, SMTP was down…

Make ispCP more Secure

Make ispCP more Secure
Here you can find some stuff to make your Server more Secure.
Absolutely no warranty, use it at your own risk.

1.) Disable the Apache ServerSignature like this one
Apache/2.2.3 (Debian) mod_fastcgi/2.4.2 mod_perl/2.0.2 Perl/v5.8.8
Put only these lines in your httpd.conf (Under Debian Etch you have to put this in your apache2.conf)

# Disable ServerInfo ServerSignature Off ServerTokens Prod
2.) Disable Debugging functions
An attacker may use this flaw to trick your legitimate web users to
give him their credentials. Add the following lines for each virtual
host in your configuration file (/etc/apache2/ispcp/…) or directly in
the template file (/etc/ispcp/apache/parts/custom.conf.tpl) to disable
the Debugging

<IfModule mod_rewrite.c> RewriteEngine on RewriteCond
%{REQUEST_METHOD} ^(TRACE|TRACK) RewriteRule .* – [F] </IfModule>
Reload the Apache configuration and check if your configuration is active:

# /etc/init.d/apache2 reload # telnet 80 Trying
xxx.yyy.zzz.rrr… Connected to Escape character is ‘^]’.
TRACE / HTTP/1.0 Host: foo A: b
301 Moved Permanently Date: … Server: Apache Location: Content-Length: … Connection: close
Content-Type: text/html; charset=iso-8859-1 <!DOCTYPE HTML PUBLIC “-//IETF//DTD HTML 2.0//EN”> <html><head>
<title>301 Moved Permanently</title>
</head><body> <h1>Moved Permanently</h1>
<p>The document has moved <a
</body></html> Connection closed by foreign host.
3.) Secure Proftpd a little more
You can add a little more security to Proftp by editing it’s configuration file and adding:

DefaultRoot ~ IdentLookups off
You can also disable displaying of ftp banner.It’s displayed by default when someone connects to Your server like this:

Verbindung mit 62.75.xx.xx wurde hergestellt. 220 ProFTPD 1.3.0 Server (vsxxxxxx) [62.75.xx.xx] Benutzer (62.75.xx.xx:(none)):
Here can you see the ProFTPD Version → 1.3.0 To Disable the Banner add, the following line to the proftpd.conf:

ServerIdent off
You can find more information about it here:

4.) Enable SSL in ProFTPD
For a secure File Transfer you can add SSL to your ProFTPD

Create a SSL Certificate:

openssl req -new -x509 -days 365 -nodes -out /etc/proftpd/ssl.crt -keyout /etc/proftpd/ssl.key
Open your proftpd.conf to enable SSL

# vi /etc/proftpd/proftpd.conf
enable the last lines like this and set TLSEngine ‘on’

# # SSL via TLS # <IfModule mod_tls.c> TLSEngine on # on for
use of TLS TLSLog /var/log/proftpd/ftp_ssl.log # where to log to
TLSProtocol SSLv23 # SSLv23 or TLSv1 TLSOptions NoCertRequest # either
to request the certificate or not TLSRSACertificateFile
/etc/proftpd/ssl.crt # SSL certfile TLSRSACertificateKeyFile
/etc/proftpd/ssl.key # SSL keyfile TLSVerifyClient off # client
verification </IfModule>
Restart proftpd to bring the effect:

# /etc/init.d/proftpd restart
5.) Change the SMTP-Banner
If you want to change this Postfix SMTP-Banner:

Connected to your-domain.tld. Escape character is ‘^]’. 220 your-domain.tld. ISPCP 1.0 Priamos Managed ESMTP 1.0.0 RC3 OMEGA
Open your “/etc/postfix/” and change the SMTP-Banner here to what you want

smtpd_banner = $ myhostname ISPCP 1.0 Priamos Managed ESMTP 1.0.0 RC3 OMEGA
6. Install & Configure fail2ban
Fail2Ban automatic blocks an IP-Address after some failed Logins.
It works with Apache,SSH,FTP and Mail.

Install fail2ban per apt-get

# apt-get install fail2ban
After the installation you can configure fail2ban with these two configs under /etc/fail2ban/

/etc/fail2ban/fail2ban.conf /etc/fail2ban/jail.conf
Open your jail.conf to enable the blocks for some Services.

# vi /etc/fail2ban/jail.conf
Now you can enable or disable the Services you want to protect. By default SSH is enabled.

If you want to enable Apache,

# # HTTP servers # [apache] enabled = false port = http filter = apache-auth logpath = /var/log/apache*/*access.log maxretry = 6

# # HTTP servers # [apache] enabled = true port = http filter = apache-auth logpath = /var/log/apache2/users/*access.log maxretry = 6
For FTP (proftpd)

[proftpd] enabled = false port = ftp filter = proftpd logpath = /var/proftpd/proftp.log maxretry = 6
change it to

[proftpd] enabled = true port = ftp filter = proftpd logpath = /var/log/auth.log maxretry = 3
You can change the maximal retry´s before ban with

maxretry = X
If you want to change the bantime,

bantime = 600 (is set in seconds)
Warning: fail2ban use Firewall ruls to block the IP.
A ban is per default for 10 minutes active. After this time the IP is unblocked automatically.

The fail2ban Log is under

7.) SSL for Mailservice (Courier)
First we need to install the courier-ssl packages.

# apt-get install courier-imap-ssl courier-pop-ssl
A default Certificate will be created during the installation. So we need to change them.

Open the /etc/courier/imapd.cnf

# vi /etc/courier/imapd.cnf
and change the attributes to your needs.
And then the same with /etc/courier/pop3d.cnf

# vi /etc/courier/pop3d.cnf
After these changes, first backup the old Certificate before we generate some new.

# cd /etc/courier/ && mv pop3d.pem pop3d.pem.orig && mv imapd.pem imapd.pem.orig
Now we can generate the new one:

# dpkg-reconfigure courier-pop-ssl && dpkg-reconfigure courier-imap-ssl
Done – your Mailservice is now ready for SSL.
Change your Client to use POP3-SSL on port 995 and IMAP-SSL on port 993

8.) Make SSH safer
Every Scriptkiddy checks your Server for a open Port 22 and test to login with the root account.
We will change these things to the good with an other Port and disable the root login via ssh.

First we need a user on the system for a later login. If there is already one, jump over to the next step. If not, create it:

# adduser new_username
Open your sshd_config to change the settings:

# vi /etc/ssh/sshd_config
Change the Port from

Port 22

Port 222
Change this line:

PermitRootLogin yes

PermitRootLogin no
Restart the SSH-Server

# /etc/init.d/ssh restart
Close your connection and connect again to your Server on Port 222 with your new Username.
To become root, only do a:

# su
9.) Prevent DOS-Attacks
To prevent simple Denial-of-Service attacks you can use the mod_evasive
module. Download the actual version from and unpack it. Make
sure, that apache2-prefork-dev is installed.

# apt-get install apache2-prefork-dev # wget
# tar -xzf mod_evasive_1.10.1.tar.gz # cd mod_evasive
Install it with Apache Extensions Module (apxs).

# apxs2 -i -a -c mod_evasive20.c
The module will be built and installed into your httpd.conf.

Optionally you can change some specific directives in your
/etc/apache2/apache2.conf file. Just add the following lines and change
them to your needs.

<IfModule mod_evasive20.c> DOSHashTableSize 3097 DOSPageCount
2 DOSSiteCount 50 DOSPageInterval 1 DOSSiteInterval 1 DOSBlockingPeriod
10 </IfModule>
ATTENTION: This config may produce “403 Forbidden” Errors on regular sites (to example: typo3, gallery,…)

You can also add the following directives:

DOSEmailNotify DOSSystemCommand “su – someuser -c ‘/sbin/… %s …’” DOSLogDir “/var/lock/mod_evasive”
After all, just restart your Apache to load the module.

# sudo /etc/init.d/apache2 restart
10.) Securing Open DNS server (BIND 9)
After a clean install of a Debian server, reports the
server as an open dns server(anyone can query the server about any
domain ⇒ high load and high transfer). 2 steps for fixing this problem:

a. first edit /etc/bind/named.conf.options (or /etc/named/named.conf for other distros, options paragraph) and add:

recursion no; transfer-format many-answers; //this is for speed up the transfer to a secondary dns
b. we need to modify the template used by ISPCP to generate to zone
files, on Debian this is /etc/ispcp/bind/parts/cfg_entry.tpl. The file
after modification should looks like:

zone “{DMN_NAME}” { type master; file “{DB_DIR}/{DMN_NAME}.db”; notify YES; allow-query { any; }; };
Restart BIND:

/etc/init.d/bind9 restart

Authentication will be done by saslauthd. We have to change a few
things to make it work properly. Because Postfix runs chrooted in
/var/spool/postfix we have to do the following:
mkdir -p /var/spool/postfix/var/run/saslauthd
Now we have to edit /etc/default/saslauthd in order to activate
saslauthd. Set START to yes and change the line OPTIONS="-c -m
/var/run/saslauthd" to OPTIONS="-c -m
/var/spool/postfix/var/run/saslauthd -r":

vi /etc/default/saslauthd

Next add the postfix user to the sasl group (this makes sure that Postfix has the permission to access saslauthd):

adduser postfix sasl
Now restart Postfix and start saslauthd:

/etc/init.d/postfix restart
/etc/init.d/saslauthd start
To see if SMTP-AUTH and TLS work properly now run the following command:

telnet localhost 25

After you have established the connection to your Postfix mail server type

ehlo localhost

If you see the lines




everything is fine.

The output on my system looks like this:

root@server:/etc/postfix/ssl# telnet localhost 25
Connected to localhost.localdomain.
Escape character is ‘^]’.
220 ESMTP Postfix (Ubuntu)
ehlo localhost
250-SIZE 10240000
250 DSN
221 2.0.0 Bye
Connection closed by foreign host.



Sent to any email I tried to hotmail and gmail and proved that I received the email and sent to all Besatp is pleased




Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  เปลี่ยนแปลง )

Google+ photo

You are commenting using your Google+ account. Log Out /  เปลี่ยนแปลง )

Twitter picture

You are commenting using your Twitter account. Log Out /  เปลี่ยนแปลง )

Facebook photo

You are commenting using your Facebook account. Log Out /  เปลี่ยนแปลง )


Connecting to %s