完美的服务器 - Ubuntu 15.04(Vivid Vervet)与Apache,PHP,MySQL,PureFTPD,BIND,Postfix,Dovecot和ISPConfig 3

本教程介绍如何安装Ubuntu 15.04(Vivid Vervet)服务器(使用Apache2,BIND,Dovecot)来安装ISPConfig 3,以及如何...

完美的服务器 - Ubuntu 15.04(Vivid Vervet)与Apache,PHP,MySQL,PureFTPD,BIND,Postfix,Dovecot和ISPConfig 3

本教程将显示使用Apache2,Postfix,Dovecot,Bind和PureFTPD安装Ubuntu 15.04(Vivid Vervet)Web托管服务器服务器,以准备安装ISPConfig 3 。 所产生的系统将提供Web,邮件,邮件列表,DNS和FTP服务器。

ISPConfig 3是一个Web主机控制面板,允许您通过Web浏览器配置以下服务:Apache或nginx Web服务器,Postfix邮件服务器,Courier或Dovecot IMAP / POP3服务器,MySQL,BIND或MyDNSNameservers,PureFTPd,SpamAssassin,ClamAV , 还有很多。 此设置包括安装Apache(而不是nginx),BIND(而不是MyDNS)和Dovecot(而不是Courier)。

初步说明

在本教程中,我使用hostname server1.example.com ,IP地址为192.168.1.100和网关192.168.1.1 。 这些设置可能会有所不同,因此您必须在适当的情况下更换它们。 在继续进行之前,您需要安装Ubuntu 15.04的基本安装,如教程中所述。

2.编辑/etc/apt/sources.list并更新Linux安装

编辑/etc/apt/sources.list 。 从文件中注释或删除安装CD,并确保启用了Universemultiverse存储库。 以后应该看起来像这样:

nano /etc/apt/sources.list

#

# deb cdrom:[Ubuntu-Server 15.04 _Vivid Vervet_ - Release amd64 (20150422)]/ vivid main restricted

#deb cdrom:[Ubuntu-Server 15.04 _Vivid Vervet_ - Release amd64 (20150422)]/ vivid main restricted

# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
# newer versions of the distribution.
deb http://de.archive.ubuntu.com/ubuntu/ vivid main restricted
deb-src http://de.archive.ubuntu.com/ubuntu/ vivid main restricted

## Major bug fix updates produced after the final release of the
## distribution.
deb http://de.archive.ubuntu.com/ubuntu/ vivid-updates main restricted
deb-src http://de.archive.ubuntu.com/ubuntu/ vivid-updates main restricted

## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team. Also, please note that software in universe WILL NOT receive any
## review or updates from the Ubuntu security team.
deb http://de.archive.ubuntu.com/ubuntu/ vivid universe
deb-src http://de.archive.ubuntu.com/ubuntu/ vivid universe
deb http://de.archive.ubuntu.com/ubuntu/ vivid-updates universe
deb-src http://de.archive.ubuntu.com/ubuntu/ vivid-updates universe

## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in
## multiverse WILL NOT receive any review or updates from the Ubuntu
## security team.
deb http://de.archive.ubuntu.com/ubuntu/ vivid multiverse
deb-src http://de.archive.ubuntu.com/ubuntu/ vivid multiverse
deb http://de.archive.ubuntu.com/ubuntu/ vivid-updates multiverse
deb-src http://de.archive.ubuntu.com/ubuntu/ vivid-updates multiverse

## N.B. software from this repository may not have been tested as
## extensively as that contained in the main release, although it includes
## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team.
deb http://de.archive.ubuntu.com/ubuntu/ vivid-backports main restricted universe multiverse
deb-src http://de.archive.ubuntu.com/ubuntu/ vivid-backports main restricted universe multiverse

deb http://security.ubuntu.com/ubuntu vivid-security main restricted
deb-src http://security.ubuntu.com/ubuntu vivid-security main restricted
deb http://security.ubuntu.com/ubuntu vivid-security universe
deb-src http://security.ubuntu.com/ubuntu vivid-security universe
deb http://security.ubuntu.com/ubuntu vivid-security multiverse
deb-src http://security.ubuntu.com/ubuntu vivid-security multiverse

## Uncomment the following two lines to add software from Canonical's
## 'partner' repository.
## This software is not part of Ubuntu, but is offered by Canonical and the
## respective vendors as a service to Ubuntu users.
# deb http://archive.canonical.com/ubuntu vivid partner
# deb-src http://archive.canonical.com/ubuntu vivid partner

然后跑

apt-get update

更新apt包数据库和

apt-get upgrade

安装最新的更新(如果有的话)。 如果您看到新内核作为更新的一部分进行安装,那么您应该重新启动系统:

reboot

3.更改默认Shell

/ bin / sh/ bin / dash的符号链接,但是我们需要/ bin / bash ,not / bin / dash 。 所以我们这样做:

dpkg-reconfigure dash

使用破折号作为默认系统shell(/ bin / sh)? < - 不

如果不这样做,则ISPConfig安装将失败。

4.禁用AppArmor

AppArmor是一个安全扩展(类似于SELinux),应该提供扩展的安全性。 在我看来,你不需要配置一个安全的系统,它通常会导致更多的问题,而不是优势(考虑到你做了一周的故障排除后,因为一些服务不能按预期工作,然后你发现一切都很好,只有AppArmor导致了这个问题)。 因此我禁用它(如果你想稍后安装ISPConfig,这是必须的)。

我们可以禁用它:

service apparmor stop
update-rc.d -f apparmor remove
apt-get remove apparmor apparmor-utils

5.同步系统时钟

运行物理服务器时,通过Internet同步系统时钟和NTP( n etwork协议)服务器是个好主意。 如果您运行虚拟服务器,那么您应该跳过此步骤。 赶紧跑

apt-get install ntp ntpdate

您的系统时间将始终保持同步。

6.安装Postfix,Dovecot,MariaDB,phpMyAdmin,rkhunter,binutils

要安装postfix,我们需要确保sendmail没有安装并运行。 要停止并删除sendmail,请运行以下命令:

service sendmail stop; update-rc.d -f sendmail remove

错误信息:

Failed to stop sendmail.service: Unit sendmail.service not loaded.

是的,这只是意味着sendmail没有安装,所以没有什么可以删除的。

现在我们可以使用一个命令安装Postfix,Dovecot,MariaDB(作为MySQL替换),rkhunter和binutils:

apt-get install postfix postfix-mysql postfix-doc mariadb-client mariadb-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve sudo

您将被问到以下问题:

Create a self-signed SSL certificate? <-- yes
Host name: <-- server1.example.com
General type of mail configuration: <-- Internet Site
System mail name: <-- server1.example.com

接下来在Postfix中打开TLS / SSL和提交端口:

nano /etc/postfix/master.cf

取消注释提交smtps部分如下 - 添加-o smtpd_client_restrictions = permit_sasl_authenticated行,拒绝两个部分,并留下所有其他的评论:

[...]
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
[...]

之后重新启动Postfix:

service postfix restart

我们希望MySQL在所有接口上监听,而不仅仅是localhost,因此我们编辑/etc/mysql/my.cnf并注释掉bind-address = 127.0.0.1

nano /etc/mysql/mariadb.conf.d/mysqld.cnf

[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address           = 127.0.0.1
[...]

现在我们在MariaDB中设置了一个root密码。 跑:

mysql_secure_installation

你会被问到这些问题:

Enter current password for root (enter for none): <-- press enter
Set root password? [Y/n] <-- y
New password: <-- Enter the new MariaDB root password here
Re-enter new password: <-- Repeat the password
Remove anonymous users? [Y/n] <-- y
Disallow root login remotely? [Y/n] <-- y
Reload privilege tables now? [Y/n] <-- y

然后我们重新启动MariaDB:

service mysql restart

现在检查网络是否启用。 跑

netstat -tap | grep mysql

输出应如下所示:

root@server1:~# netstat -tap | grep mysql
tcp        0      0 *:mysql                 *:*                     LISTEN      24603/mysqld    
root@server1:~# 

7.安装Amavisd-new,SpamAssassin和Clamav

要安装amavisd-new,SpamAssassin和ClamAV,我们运行

apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl

ISPConfig 3设置使用amavisd在内部加载SpamAssassin过滤器库,因此我们可以停止SpamAssassin释放一些RAM:

service spamassassin stop
update-rc.d -f spamassassin remove

编辑clamd配置文件:

nano /etc/clamav/clamd.conf

并换行:

AllowSupplementaryGroups false

至:

AllowSupplementaryGroups true 

并保存文件。 开始clamav使用

freshclam
service clamav-daemon start