ISPConfig is an open source, transparent, free, stable and secure administration tool, available in more than 20 languages. ISPConfig simplifies the management of various web hosting services such as DNS configuration, domain name management, email or FTP file transfer. It can be used to manage a single server, multiple servers for larger setups or even mirrored clusters.
- You have an account and are logged into console.scaleway.com
- You have configured your SSH Key
- You have a Scaleway Instance running Ubuntu
- For performance reasons, it is recommended to use an instance with at least 4GB of RAM
- You have a domain or subdomain pointed to your Instance
- You have set the hostname and reverse DNS of your instance to a valid FQDN
1 . Log yourself into your instance via SSH
2 . Update and upgrade the software already installed on the instance:
apt update && apt upgrade -y
3 . Change the default shell.
/bin/sh is a symlink to
/bin/dash, but ISPConfig requires bash as shell. Reconfigure it to
When asked the following question, answer with No:
Use dash as the default system shell (/bin/sh)?
If you skip this step, the ISPConfig installation will fail.
4 . Disable and remove AppArmor as it might cause conflicts during the installation of ISPConfig:
update-rc.d -f apparmor remove apt-get remove apparmor apparmor-utils
apt install postfix postfix-mysql postfix-doc mariadb-client mariadb-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve dovecot-lmtpd sudo -y
During the installation, you will be asked some questions regarding the configuration of Postfix, answer them as following:
General type of mail configuration:Internet Site
System mail name:server.yourdomain.com (Your FQDN)
6 . Edit the file /etc/postfix/master.cf by uncommenting the line
-o smtpd_client_restrictions=permit_sasl_authenticated,reject in both,
smtps, sections and leave everything thereafter commented. Make sure to place the whitespaces before each line, as they are required:
[...] submission inet n - - - - smtpd -o syslog_name=postfix/submission -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject # -o smtpd_reject_unlisted_recipient=no # -o smtpd_client_restrictions=$mua_client_restrictions # -o smtpd_helo_restrictions=$mua_helo_restrictions # -o smtpd_sender_restrictions=$mua_sender_restrictions # -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject # -o milter_macro_daemon_name=ORIGINATING smtps inet n - - - - smtpd -o syslog_name=postfix/smtps -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject # -o smtpd_reject_unlisted_recipient=no # -o smtpd_client_restrictions=$mua_client_restrictions # -o smtpd_helo_restrictions=$mua_helo_restrictions # -o smtpd_sender_restrictions=$mua_sender_restrictions # -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject # -o milter_macro_daemon_name=ORIGINATING [...]
7 . Save the file, exit your text editor and restart postfix:
service postfix restart
8 . Open the file /etc/mysql/mariadb.conf.d/50-server.cnf in a text editor and comment-out the line
bind-address as following to enable connections from other hosts. Also add the value
sql-mode="NO_ENGINE_SUBSTITUTION" as this SQL mode is required by ISPConfig3:
[...] # Instead of skip-networking the default is now to listen only on # localhost which is more compatible and is not less secure. #bind-address = 127.0.0.1 # Requred SQL Mode for ISPConfig3 sql-mode ="NO_ENGINE_SUBSTITUTION" [...]
9 . Initialize the MariaDB server:
You will be asked several questions that should be answered as following:
Enter current password for root (enter for none):Press Enter
Set root password? [Y/n]Y
New password:Enter the new MariaDB root password
Re-enter new password:Repeat the password
Remove anonymous users? [Y/n]Y
Disallow root login remotely? [Y/n]Y
Reload privilege tables now? [Y/n]Y
10 . Set the password authentication method to Native:
echo "update mysql.user set plugin = 'mysql_native_password' where user='root';" | mysql -u root
11 . Open the file /etc/mysql/debian.cnf and add your password to the configuration:
# Automatically generated for Debian scripts. DO NOT TOUCH! [client] host = localhost user = root password = MY_SECRET_PASSWORD socket = /var/run/mysqld/mysqld.sock [mysql_upgrade] host = localhost user = root password = MY_SECRET_PASSWORD socket = /var/run/mysqld/mysqld.sock basedir = /usr
MY_SECRET_PASSWORD with the password you have set in a previous step.
12 . Save the file, exit your text editor and restart the MariaDB service:
service mysql restart
apt install amavisd-new spamassassin clamav clamav-daemon unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl postgrey -y
14 . Amavisd-new loads the SpamAssassin filter library internally, it can be stopped to free up some RAM:
service spamassassin stop update-rc.d -f spamassassin remove
15 . Update the antivirus signatures and start the service:
freshclam service clamav-daemon start
apt install nginx fcgiwrap php7.0 php7.0-common php7.0-fpm php7.0-gd php7.0-mysql php7.0-imap php7.0-cli php7.0-cgi php-pear mcrypt imagemagick libruby php7.0-curl php7.0-intl php7.0-pspell php7.0-recode php7.0-sqlite3 php7.0-tidy php7.0-xmlrpc php7.0-xsl memcached php-memcache php-imagick php-gettext php7.0-zip php7.0-mbstring php-soap php7.0-soap -y
Important: It is possible to reduce the list of PHP modules, if you do not require all of them.
17 . Open the file /etc/php/7.0/fpm/php.ini in a text editor, add the line
cgi.fix_pathinfo=0 and edit your timezone. The file should look like the following example:
[...] ; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI. $ ; previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not $ ; what PATH_INFO is. For more information on PATH_INFO, see the cgi specs. Se$ ; this to 1 will cause PHP CGI to fix its paths to conform to the spec. A sett$ ; of zero causes PHP to behave as before. Default is 1. You should fix your s$ ; to use SCRIPT_FILENAME rather than PATH_TRANSLATED. ; http://php.net/cgi.fix-pathinfo cgi.fix_pathinfo=0 [...] [Date] ; Defines the default timezone used by the date functions ; http://php.net/date.timezone date.timezone ="Europe/Paris" [...]
18 . Install PHPMyAdmin:
apt install phpmyadmin php-mbstring php-gettext -y
During the installation you will be asked if you want to configure a web server automatically, skip this step as Nginx is used. Wen asked if the database should be configured with dbconfig-common, choose yes and press Enter to generate a random password. Alternatively you can choose an own password when prompted.
Important: Once ISPConfig is installed, you can access PHPMyAdmin at
19 . Install
certbot to manage Let’s Encrypt SSL certificates:
apt install software-properties-common -y add-apt-repository universe add-apt-repository ppa:certbot/certbot apt update apt install certbot -y
Once installed create a Let’s Encrypt account by running the following command and answering to the questions:
20 . Install the PureFTPd FTP-server and quotas by running the following command:
apt install pure-ftpd-common pure-ftpd-mysql quota quotatool -y
Once installed, open a the file /etc/default/pure-ftpd-common in your favourite text editor and make enable
VIRTUALCHROOT by setting the value to true:
[...] # VIRTUALCHROOT: # whether to use binary with virtualchroot support # valid values are "true" or "false" # Any change here overrides the setting in debconf. VIRTUALCHROOT=true [...]
Enable TLS by typing:
echo 1 > /etc/pure-ftpd/conf/TLS
In order to use a SSL certificate is required. To create one, a corresponding directory must be created first. Run the following command to create it:
mkdir -p /etc/ssl/private/
Then generate the certificate by running the following command:
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
Answer the questions to generate the request:
Country Name (2 letter code) [AU]:Enter the two letter country code of your country. For example FR
State or Province Name (full name) [Some-State]:Enter the name of your region. For example Ile de France
Locality Name (eg, city) :Enter the name of your locality or city. For example: Paris
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Enter the name of your company or organization. For example: Scaleway
Organizational Unit Name (eg, section) :Enter the name of your unit or department. For example: Documentation & Tutorials
Common Name (e.g. server FQDN or YOUR name) :Enter the FQDN of your instance. For exeample: ispcp.mydomain.tld
Email Address :Enter your email address. For example: email@example.com
Update the permissions of the SSL certificate:
chmod 600 /etc/ssl/private/pure-ftpd.pem
service pure-ftpd-mysql restart
21 . Edit the file /etc/fstab by adding
usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0 it should look like the following example:
# Generated by Scaleway's build system PARTUUID=9d906626-d654-4523-adac-6a66ebcb016f / ext4 rw,relatime,usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0 0 1 PARTUUID=2c2cbf1f-5411-4834-95aa-68674958199c /boot/efi vfat rw,relatime,errors=remount-ro,nofail 0 2
Then enable quotas by running the following commands:
mount -o remount / quotacheck -avugm quotaon -avug
apt install bind9 dnsutils haveged vlogger webalizer awstats geoip-database libclass-dbi-mysql-perl -y
Open the file /etc/cron.d/awstats and edit it as the following example:
MAILTO=root /10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh # Generate static reports: 10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh
apt install build-essential autoconf automake1.11 libtool flex bison debhelper binutils -y cd /tmp wget http://olivier.sessink.nl/jailkit/jailkit-2.19.tar.gz tar xvfz jailkit-2.19.tar.gz cd jailkit-2.19 echo 5 > debian/compat
Build the Jailkit package by running
Then install the tool and by running the following commands:
cd .. dpkg -i jailkit_2.19-1_*.deb rm -rf jailkit-2.19*
apt install fail2ban ufw -y
Create and open the file /etc/fail2ban/jail.local in your favourite text editor and paste the following content into it to monitor SSH, PureFTPd and Dovecot:
[ssh] enabled = true port = ssh filter = sshd logpath = /var/log/auth.log maxretry = 3 [pure-ftpd] enabled = true port = ftp filter = pure-ftpd logpath = /var/log/syslog maxretry = 3 [dovecot] enabled = true filter = dovecot action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp] logpath = /var/log/mail.log maxretry = 3 [postfix] enabled = true port = smtp filter = postfix logpath = /var/log/mail.log maxretry = 3
Restart file2ban to apply the configuration:
service fail2ban restart
25 . Install the Roundcube web mail interface via apt:
When asked if you want to configure the database with dbconfig-common, choose
Yes, then press enter on your keyboard to generate a random password for the Roundcube database.
Open the file /etc/roundcube/config.inc.php in a text editor and change the
default_host value to
$config['default_host'] = 'localhost';
Create a symlink to use the SquirrelMail configuration in ISPConfig for Roundcube:
ln -s /usr/share/roundcube /usr/share/squirrelmail
Important: After installation of ISPConfig, your webmail will be available at
26 . Download and unpack ISPConfig3 by running the following commands:
cd /tmp wget https://git.ispconfig.org/ispconfig/ispconfig3/-/archive/3.1.7/ispconfig3-3.1.7.tar.gz tar xfz ispconfig3*.tar.gz cd ispconfig3*/install/
The installer will guide you to the setup of ISPConfig3 and configures all required services. Start it with the following command:
php -q install.php
The installer will ask you several questions about the configuration of ISPConfig3. The values in brackets are pre-filled:
Select language (en,de) [en]: Select the default language for the interface. During installation you can choose between English (en) and German (de). Other languages can be installed from the admin interface once the software is installed.
Installation mode (standard,expert) [standard]: Select the installation mode: Standard or Expert. You can keep the default value and validate it by pressing on Enter.
Full qualified hostname (FQDN) of the server, eg server1.domain.tld [ispcp.mydomain.tld]: Enter the FQDN of your instance. Normally this value is pre-filled and you can confirm it by pressing Enter on your keyboard.
MySQL server hostname [localhost]: Enter the hostname of the database server. Since MariaDB is running on the local host, validate the default value by pressing Enter on your keyboard.
MySQL server port : The MySQL server port. As the server is running on the standard port, validate the default value by pressing Enter on your keyboard.
MySQL root username [root]: The MySQL user name. Validate the default value by pressing Enter on your keyboard.
MySQL root password : Enter the password of the MySQL user that you have configured at the beginning of the tutorial.
MySQL database to create [dbispconfig]: The name of the database ISPConfig will use. Validate the default value by pressing Enter on your keyboard.
MySQL charset [utf8]: The charset of your database. Validate the default value by pressing Enter on your keyboard.
ISPConfig Port : The port on which ISPConfig will listen. Validate the default value by pressing Enter on your keyboard.
Admin password [admin]: The administrator password. You can keep the default value and change the password after installation from the web interface. Validate the default value by pressing Enter on your keyboard.
Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]: Provide a SSL encrypted connection to the admin interface. Validate the default value by pressing Enter on your keyboard.
During setup you will be asked to enter information about the SSL certificate for the web interface. Enter the required information as done previously.
You can now open a web browser and type https://YOUR_FQDN:8080/ (for example:
https://ispconfig.example.com:8080/). The login screen will appear:
Login with the follwoing credentials:
You are now logged into ISPConfig and can change your password, create users, sites, mailboxes etc:
For more information, how to manage your sites with ISPConfig, refer to the official documentation.