Microsoft Exchange: Fortify and secure your mail server!

So, I just (mostly) finished writing a blog on how to set up a Postfix reverse mail proxy that works as a SPAM filter for your Exchange Server. The blog before that was about a network architecture that I feel any organization should be able to implement, regardless of the size of the company. Those two blogs dealt mostly with security at the perimeter of the network. I would like to continue with securing email and increasing the security and reliability of your MS Exchange environment, without impeding usability or scalability.

In this blog we’ll look at securing and fortifying your Exchange Server. If you look at Microsoft’s website, and the people talking out on the “social.technet.microsoft.com” site, you’ll hear people say asinine things like, “upon installation it’s already secure,” or, “Exchange server comes secure by default,” or something like that. I’m sorry, but any product that you purchase can be made more secure. If that weren’t the case, then why run “Windows Updates”, install patches, configure firewalls or setup SPAM filtering? I don’t care what product you’re talking about, there is ALWAYS something you can do in order to make things more secure.

There are many reasons for wanting to secure your Exchange infrastructure, but the main reason why is for availability. Many organizations rely on email as a backbone to their communications; especially small businesses. If your company lost email communications for even a day, how much productivity would be lost? How much credibility would be lost if outside senders couldn’t get their mail to your organization? But most of all, what if your Exchange server was used as a mass SPAM gateway that caused many other companies, partners or customers to be infected? The cost of cleaning up SPAM, junk, viruses, Malware, or in worst case scenario, a breach, could be in the tens or hundreds of thousands of dollars.

In this economy, no one can afford to go through something like that. It’s not even an option. So in this blog, it is my intention to show you how to effectively secure your Exchange Server(s), increase SPAM-fighting ability, lock down users’ mailboxes, and I’ll do my best to provide some PowerShell scripts to help automate a lot of these tasks. Most of all, I’m going to tell you that over time, this blog will grow to be pretty long. I don’t expect that this blog will be a “set it and forget it” deal. Exchange administration is an ongoing effort, because the people attacking it keep evolving too. It’s a constant balancing act: minimizing SPAM and shrinking the attack surface of your environment, while at the same time allowing users to sync with their phones, check web mail on the road, connect with MS Outlook and still receive the same level of service they would expect from any other company. The last thing I want to hear is that something detailed and outlined on this blog cost an IT guy his job, or got him in trouble, because he implemented something that broke Exchange or caused an outage. Test every change in a lab, or on one connector or one mailbox, before you roll it across the organization.

As for this blog, I want to set some boundaries on what this blog IS, and IS NOT. If you’re looking for a Windows Server hardening guide, you’re in the wrong spot. I’m currently working on a Windows Server hardening guide that will take the existing Microsoft security baselines (MSBs), take the best of breed, and get them into GPOs and scripts that you can use on your Windows Server infrastructure. That blog can be found #here# when it is complete. Until then, this blog will not focus on the OS layer. We’re looking at hardening Exchange, and Exchange only!

 

First, a brief overview of what’s going on with Exchange from an AD permissions standpoint. Almost everything Exchange does is authenticated with Kerberos tickets, and Kerberos rejects tickets once clocks drift apart by more than the domain’s tolerance (five minutes by default), so my biggest suggestion is that you keep time tightly synchronized across your domain. A hardware clock on a server can drift pretty quickly, especially if the CMOS battery is going bad, so make sure that your Exchange server and your domain controllers are all synced to the same source: member servers and the other DCs follow the domain hierarchy, and only the PDC emulator syncs from an external time source. Another good practice is to designate two (2) or more computers, preferably servers, to host an NTP service that syncs with a reputable outside source like NIST or Microsoft. Those servers should be the only ones allowed to talk over udp/123 to the outside world; enforce that at the perimeter firewall, and let all of your other servers, regardless of which network segment you put them in, talk only to your internal NTP server(s). Refer to my Network Architecture blog for what your forward-facing DMZ should look like.
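The Windows side of that, as an added example that is not part of the original post. It uses only the built-in w32tm and netdom tools, so it runs on Server 2008 with PowerShell 2.0; the public time servers and the DC names dc01 and dc02 are assumptions, substitute your own:

```powershell
# Added example, not from the original post. time.nist.gov / time.windows.com and
# the DC names dc01 and dc02 are assumptions; substitute your own.

# 0. Find the PDC emulator: it is the one DC that should sync from the outside
netdom query fsmo

# 1. On the PDC emulator: external sources, client mode (0x8), advertise as reliable
w32tm /config /manualpeerlist:"time.nist.gov,0x8 time.windows.com,0x8" `
      /syncfromflags:manual /reliable:yes /update
Restart-Service w32time
w32tm /resync /rediscover

# 2. On every other DC and on every member server (Exchange included): follow the
#    domain hierarchy, never a manual external peer, so everyone agrees with the PDC
w32tm /config /syncfromflags:domhier /update
Restart-Service w32time
w32tm /resync /rediscover

# 3. On the Exchange server: who are we syncing from, and how far off are we?
w32tm /query /source      # must name a DC, not "Local CMOS Clock" or "Free-running System Clock"
w32tm /query /status      # stratum, last successful sync time, source

# Offset against each DC. Kerberos gives up at 5 minutes, so treat anything
# over a few seconds as a problem to fix, not a warning to ignore.
foreach ($dc in "dc01", "dc02") {
    Write-Host "== offset from $dc"
    w32tm /stripchart /computer:$dc /samples:3 /dataonly
}
```

Run step 1 only on the PDC emulator and step 2 everywhere else; a member server configured with its own manual external peer is exactly how you end up with two clocks that both look "correct" and still disagree with the DC that issues the tickets. If the PDC emulator is a virtual machine, make sure the hypervisor’s guest time sync is not fighting w32time as well.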

I’m going to skip setting up Exchange roles. The reason is that in smaller environments it’s really not feasible to delegate administrative access, giving certain admins a read-only view, another group Exchange Recipient Admins access, and so on. Even in larger companies, you may only have a small handful of Exchange admins who all have full administration rights. So we won’t get into those roles and permissions. It is possible to do that stuff, but at the end of the day, most companies these days do a pretty good job of vetting who they give administrator rights to; there are signed agreements with those employees, and other mitigating controls. You’re going to have to trust your Exchange admins. And if you don’t, you’d better trust your backup administrators. At a minimum, know exactly who is in Organization Management and review that list periodically.

You’ve probably noticed that Exchange 2010 permissions have changed since prior editions. You no longer assign Exchange permissions by editing ACLs in the Exchange Management Console; Microsoft moved to a true Role Based Access Control (RBAC) model, which they document on their site. Role groups are ordinary universal security groups that live in the “Microsoft Exchange Security Groups” OU in AD, so you can manage membership there, or with Add-RoleGroupMember / Remove-RoleGroupMember in the Exchange Management Shell. The main one you’ll be concerned with is the Organization Management role group: its members can do anything in the Exchange organization. See below:
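A membership audit along those lines, as an added example that is not part of the original post. The approved-admin list is an assumption; everything else is read from your own organization:

```powershell
# Added example, not from the original post: audit Exchange 2010 role-group
# membership. The approved list (display names as they appear in AD) is an assumption.
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010 -ErrorAction SilentlyContinue

$ApprovedOrgAdmins = @("Steve Erdman", "Exchange Service Account")   # assumption

# 1. Full picture: every role group and its direct members. Get-RoleGroupMember does
#    not recurse, so a nested AD group shows up as one member of type group; chase it in AD.
Get-RoleGroup | ForEach-Object {
    $rg = $_
    Get-RoleGroupMember -Identity $rg.Name | ForEach-Object {
        New-Object PSObject -Property @{
            RoleGroup = $rg.Name
            Member    = $_.Name
            Type      = $_.RecipientType
        }
    }
} | Sort-Object RoleGroup, Member | Format-Table RoleGroup, Member, Type -AutoSize

# 2. Anyone in Organization Management who is not on the approved list
$unexpected = Get-RoleGroupMember -Identity "Organization Management" |
    Where-Object { $ApprovedOrgAdmins -notcontains $_.Name }
if ($unexpected) {
    Write-Warning "Unapproved Organization Management members:"
    $unexpected | Format-Table Name, RecipientType -AutoSize
} else {
    Write-Host "Organization Management membership matches the approved list."
}

# 3. What a role group can actually do: the management roles assigned to it, with scopes
Get-ManagementRoleAssignment -RoleAssignee "Organization Management" |
    Select-Object Role, RecipientWriteScope, ConfigWriteScope |
    Sort-Object Role | Format-Table -AutoSize
```

Schedule the second part; a service account that "temporarily" landed in Organization Management two years ago is the kind of thing this catches, and it is also the account an attacker will use, because it never gets a password change.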

 

Next thing to talk about is your Exchange Server, or at least the physical or virtual server that you have Exchange running on. The underlying setup of this machine is very important to how Exchange will operate. If the server has DNS problems, mail will stop flowing; if the time is off, your admins won’t be able to administer the box; if there are errors or warnings in the event logs, those need to be fixed; and so on. It’s very important to monitor the event logs of your server(s). I’m not blind to the fact that in the real world there are constantly issues arising on the network, but many issues stay minor if they aren’t allowed to grow into large ones. The underlying theme here is to harden Server 2008. Please go through that blog first, before venturing forward here.

 

Please go harden your Server 2008 box before going forward

 

So now that your Server 2008 box is hardened, we can move on. To be honest, there really isn’t that much to do on the Exchange side of the house. If you have a SPAM filter sitting in front of your Exchange Servers, as I’ve outlined in my previous Postfix Mail Relay SPAM Filter blog, you’re already doing pretty well. There are many things that a front-end SPAM filter should be doing that Exchange shouldn’t. Exchange is a messaging platform. It’s really good at things like delivering email, working with calendars, scheduling appointments, and keeping lines of communication open. From here on out it’s mostly controlling permissions in Exchange, between mailboxes and calendars, etc. There are other tasks, such as Microsoft’s Security Configuration Wizard (SCW), granting users access to other mailboxes, creating conference rooms, federation with other domains, ActiveSync controls, remote device wipe, internal and external receive connectors, and Exchange certificates, that I’ll attempt to cover here.

 

One of the biggest things I hate to see is what shows up when you look at the message headers on an email sent outside your organization. Hardly anyone cleans those up. I know it’s not really that much information, but an outsider can easily pull a few pretty important pieces of information out of email message headers. The main two are your internal domain name and the internal IP address space where your Exchange server lives. Especially in small companies, it’s extremely common to see that the server farm sits at either the top or the bottom of a /24 (like 192.168.10.0/24). What I mean is, these small companies have fewer than 10 servers most of the time, so you know all of their internal systems are on the same subnet. We want to take those pieces of information out of the headers. Doing so is very easy: just two or three Exchange PowerShell commands.

First, load the Exchange snap-in. The reason you need this, according to Microsoft’s Social pages: “When you remotely connect to PoSh (enter-pssession, invoke-command), unless you specify otherwise, it loads the default PowerShell shell with no added modules. When you run the command from your Exchange 2010 server, you’re probably running the commands from the Exchange Management Shell (EMS) that preloads a bunch of cmdlets in the background — that’s how you get the tip-of-the-day and such.”

Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010 -ea SilentlyContinue

 

This command removes the ms-Exch-Send-Headers-Routing extended right from anonymous users on your Internet send connector, which turns on the header firewall for that connector: Exchange then strips the routing headers (the internal Received: lines carrying your host names and IP addresses) from mail leaving through it. Make sure to change “InternetConnectorName” to whatever your send connector is named, and note that Remove-ADPermission prompts for confirmation unless you add -Confirm:$false.

Get-SendConnector "InternetConnectorName" | Remove-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights ms-Exch-Send-Headers-Routing

 

Then, if you have an Edge Transport server subscribed to this site, push the change out to it like this (skip it otherwise; the cmdlet only applies to an Edge Subscription):

Start-EdgeSynchronization

 

After running your commands you can log into a domain controller, or any box with the AD admin tools (given that you have the rights), and check this in ADSI Edit. You can see that the send connector security has changed. To do this, run ADSI Edit from the Start Menu, then Administrative Tools, ADSI Edit. When it starts up, click on Action, then “Connect to…” and connect to the Configuration naming context (the drop-down in the center of the dialog), as you can see below:

After you get to this point, expand “Configuration \ CN=Configuration,DC=<your domain> \ CN=Services \ CN=Microsoft Exchange \ CN={your Exchange organization} \ CN=Administrative Groups \ CN=Exchange Administrative Group (FYDIBOHF23SPDLT) \ CN=Routing Groups \ CN=Exchange Routing Group (DWBGZMFD01QNBJR) \ CN=Connections”. (The send connectors live in the Configuration partition, not under your domain.) As seen below:

As you see here, you will find the send connectors in the center panel. To verify the security changes have taken effect, double-click on the connector you are working on, then click the “Security” tab. Verify that the “ANONYMOUS LOGON” user has no check boxes enabled except for “Special permissions”, as you can see below:
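The same check from the shell, as an added example that is not part of the original post. It assumes your Internet send connector is named “Internet” (change $ConnectorName); it shows what ANONYMOUS LOGON holds before, removes only the right that leaks routing headers, and fails loudly if the right is still there afterwards:

```powershell
# Added example, not from the original post. Assumes the Internet send connector is
# named "Internet" (assumption) and that you run this in the Exchange Management Shell.
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010 -ErrorAction SilentlyContinue

$ConnectorName = "Internet"
$Anon  = "NT AUTHORITY\ANONYMOUS LOGON"
$Right = "ms-Exch-Send-Headers-Routing"

# Does ANONYMOUS LOGON still hold an Allow ACE for the routing-headers right?
function Test-RoutingHeadersLeak {
    param([string]$Connector)
    $aces = Get-SendConnector -Identity $Connector | Get-ADPermission -User $Anon
    foreach ($ace in $aces) {
        foreach ($r in $ace.ExtendedRights) {
            if ("$r" -eq $Right -and -not $ace.Deny) { return $true }
        }
    }
    return $false
}

# Before: everything ANONYMOUS LOGON is granted on this connector
Write-Host "Rights ANONYMOUS LOGON holds on '$ConnectorName':"
Get-SendConnector -Identity $ConnectorName | Get-ADPermission -User $Anon |
    Format-Table User, Deny, ExtendedRights -AutoSize

if (Test-RoutingHeadersLeak $ConnectorName) {
    Write-Host "Header firewall is OFF: internal Received: headers leave with every message. Fixing."
    Get-SendConnector -Identity $ConnectorName |
        Remove-ADPermission -User $Anon -ExtendedRights $Right -Confirm:$false
} else {
    Write-Host "Header firewall already ON for '$ConnectorName'."
}

# After: refuse to continue if the right is still granted, then push to Edge servers if any
if (Test-RoutingHeadersLeak $ConnectorName) {
    throw "$Right is still granted to $Anon on '$ConnectorName'; check your own permissions."
}
Start-EdgeSynchronization -ErrorAction SilentlyContinue
```

Only the routing-headers right is touched; the other extended rights ANONYMOUS LOGON holds on the connector stay as they are. To confirm the effect end to end, send a message to an external mailbox you control afterwards and look at its headers: the Received: lines that named your internal servers should be gone.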

 
 

I don’t know why I am saying this, but it should be stated that Exchange shouldn’t be running on a domain controller. I know Microsoft ships Windows Small Business Server with Exchange and SQL and other technologies built into it, but that is the only exception I’ll make here. There are many reasons for separating Exchange services from a domain controller, but I would say the main ones are separation of duties and that if your Exchange box gets popped, the attackers already own your DC: a compromise of the Exchange services is a compromise of the box that holds every password hash in the domain. Separation of duties is simple: each server in your organization should host one service. We do that for a number of reasons, such as making troubleshooting easier. Also, don’t forget that your Exchange box hosts web mail for your organization. Do you want a website hosted off your DC that is publicly available to everyone on the Internet? I think not.

 

Another good tool to use is the Exchange Best Practices Analyzer (ExBPA). Depending on how large your organization is, this can take a significant amount of time to complete, but the information you’ll get out of it is pretty useful. There are a few different scans you can run in there, including Performance, Permissions, Baseline and a Connectivity Test. I would suggest finding the time to run all of them.

 

Don’t forget to be constantly updating settings in your Exchange Spam Filtering, too. I know what you’re thinking. You’re probably thinking, “This dude just told me that we shouldn’t use the Exchange SPAM filter, that we should be using his Postfix Mail Relay instead.” And you would be right. You should use that. BUT! Everything in moderation, and security in layers. If you put all your faith in any one piece of technology, that’s bad. Like I said before, the day that you can buy one product that will secure everything, is the day that I’m out of a job.

First, if you haven’t already, you’ll have to enable some stuff. The anti-spam agents are not installed on a Hub Transport server by default (they are meant for an Edge Transport server, or for a Hub that receives Internet mail directly or through a relay), so install them from the Exchange Management Shell:

 cd 'C:\Program Files\Microsoft\Exchange Server\V14\Scripts'
.\install-AntispamAgents.ps1
Restart-Service MSExchangeTransport

 

Once that’s completed, we can tune the SPAM filter that is part of Exchange. You’ll find it in the EMC under Organization Configuration, Hub Transport, on the Anti-spam tab that appears after the agents are installed (seen below):

 

Make sure to go through all of those features and set them up the way you want them to work. Some of this stuff overlaps what the Postfix mail relay does, but if you aren’t using that, go ahead and set it up here. The nice thing about setting up these options in the Exchange Server is that it’s scriptable. I mean, for all intents and purposes, it is scriptable in the Postfix mail relay too, but you have the ability to do it here as well. Get a couple of PowerShell cmdlets together and you can add stuff to this SPAM filter on the fly.

One nice thing here is that if you don’t want to tie your Postfix mail relay into Active Directory, you can block the messages here as well. What I mean by that is, Exchange will receive an email, check whether the recipient exists in AD, and if they don’t it will reject the message. The Postfix mail relay has the same capability, but with much more setup work to be done. Here it is just a simple checkbox in the Recipient Filtering properties, as seen below. One caveat: Exchange rejects with a 550 during the SMTP session, which is only useful if the relay in front passes that rejection straight back to the sender. If the relay accepts the message first and only then hands it to Exchange, the 550 turns into a bounce generated by your relay (backscatter), so either teach the relay the valid recipients or turn on recipient verification there as well.
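The scripted version of the above, as an added example that is not part of the original post. It assumes a Hub Transport server that gets its Internet mail through the Postfix relay from my other blog at 192.168.0.100 (an assumption; use your relay’s real IP), and it adds the one setting the checkboxes do not make obvious: telling the agents which SMTP hop is yours.

```powershell
# Added example, not from the original post. Assumes a Hub Transport server that
# receives Internet mail via the Postfix relay at 192.168.0.100 (assumption: use your
# relay's real IP; list every hop you own if there is more than one).
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010 -ErrorAction SilentlyContinue

$RelayIPs = @("192.168.0.100")

# 1. Install the anti-spam agents if this Hub does not have them yet
$agents = Get-TransportAgent
if (-not ($agents | Where-Object { "$($_.Identity)" -eq "Content Filter Agent" })) {
    & (Join-Path $env:ExchangeInstallPath "Scripts\install-AntispamAgents.ps1")
    Restart-Service MSExchangeTransport
}

# 2. Tell the agents which SMTP hops are ours. Without this, connection filtering,
#    Sender ID and sender reputation all evaluate the relay's IP instead of the
#    real sender's, and every IP-based check silently degrades to "trusted host".
Set-TransportConfig -InternalSMTPServers @{Add = $RelayIPs}

# 3. The "block messages sent to recipients that do not exist in the directory" checkbox
Set-RecipientFilterConfig -Enabled $true -RecipientValidationEnabled $true

# 4. Content filter: reject at SCL 8 and above, keep quarantine/delete off,
#    and let Outlook junk-folder anything from SCL 5 up
Set-ContentFilterConfig -Enabled $true -SCLRejectEnabled $true -SCLRejectThreshold 8 `
    -SCLQuarantineEnabled $false -SCLDeleteEnabled $false
Set-OrganizationConfig -SCLJunkThreshold 5

# 5. Verify what actually took effect
Get-TransportConfig       | Select-Object -ExpandProperty InternalSMTPServers
Get-RecipientFilterConfig | Format-List Enabled, RecipientValidationEnabled
Get-ContentFilterConfig   | Format-List Enabled, SCLRejectEnabled, SCLRejectThreshold
Get-TransportAgent        | Format-Table Identity, Enabled, Priority -AutoSize
```

Two things to check on the receive side. The receive connector the relay talks to must be an ordinary anonymous connector: if you gave it the “Externally Secured” authentication mechanism, Exchange treats the relay as an internal server and the agents never look at its mail. And recipient validation answers 550 to anyone who asks, which is a directory-harvest oracle; Exchange slows that down with the connector’s tarpit interval (Get-ReceiveConnector | Format-List Name, TarpitInterval), so do not set it to zero to “speed things up”.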

 

You’ll want to go through the settings in both the Exchange ActiveSync Mailbox Policies, as well as the Outlook Web App Mailbox Policies. There are many settings in there that
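What those two policies look like when set from the shell, as an added example that is not part of the original post. The policy name, the thresholds, the admin alias and the mailbox used for the wipe lookup are all assumptions; tune them to your own requirements.

```powershell
# Added example, not from the original post. Policy name, values, the admin alias and
# the mailbox "steve" are assumptions; adjust them to your organization.
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010 -ErrorAction SilentlyContinue

$EasPolicy = "Hardened"
$OwaPolicy = "Default"

# 1. An ActiveSync mailbox policy that demands a real PIN, auto-lock and encryption,
#    and refuses devices that cannot enforce the policy
if (-not (Get-ActiveSyncMailboxPolicy -Identity $EasPolicy -ErrorAction SilentlyContinue)) {
    New-ActiveSyncMailboxPolicy -Name $EasPolicy | Out-Null
}
Set-ActiveSyncMailboxPolicy -Identity $EasPolicy `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -AllowSimpleDevicePassword $false `
    -MinDevicePasswordLength 6 `
    -MinDevicePasswordComplexCharacters 2 `
    -MaxDevicePasswordFailedAttempts 10 `
    -MaxInactivityTimeDeviceLock "00:05:00" `
    -DevicePasswordExpiration "90.00:00:00" `
    -DevicePasswordHistory 5 `
    -RequireDeviceEncryption $true `
    -RequireStorageCardEncryption $true `
    -AllowNonProvisionableDevices $false `
    -PasswordRecoveryEnabled $true

# 2. OWA policy: no attachment download on "public computer" sessions, view converted copies
#    instead. OWA mailbox policies only apply to mailboxes they are assigned to (step 3).
if (-not (Get-OwaMailboxPolicy -Identity $OwaPolicy -ErrorAction SilentlyContinue)) {
    New-OwaMailboxPolicy -Name $OwaPolicy | Out-Null
}
Set-OwaMailboxPolicy -Identity $OwaPolicy `
    -DirectFileAccessOnPublicComputersEnabled $false `
    -ForceWebReadyDocumentViewingFirstOnPublicComputers $true

# 3. Assign both to every mailbox. New mailboxes do not inherit this, so run it from
#    your provisioning script as well (or make the EAS policy the default in the EMC).
Get-Mailbox -ResultSize Unlimited |
    Set-CASMailbox -ActiveSyncMailboxPolicy $EasPolicy -OwaMailboxPolicy $OwaPolicy

# 4. Exchange 2010 SP1 and later: quarantine devices you have never seen instead of letting them in
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients "exchadmins@erdmanor.com"   # assumption: your admin alias

# 5. Remote wipe: find the device first, then wipe it (wipe line commented out on purpose)
Get-ActiveSyncDeviceStatistics -Mailbox "steve" |
    Format-Table DeviceType, DeviceId, LastSuccessSync, DeviceWipeRequestTime -AutoSize
# Get-ActiveSyncDevice -Mailbox "steve" | Where-Object { $_.DeviceId -eq "<DeviceId from above>" } |
#     Clear-ActiveSyncDevice -Confirm:$false

# 6. Audit: ActiveSync-enabled mailboxes that are still on some other policy
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled -and "$($_.ActiveSyncMailboxPolicy)" -ne $EasPolicy } |
    Format-Table Name, ActiveSyncMailboxPolicy -AutoSize
```

AllowNonProvisionableDevices $false is the setting that bites people: a phone whose mail client cannot enforce the PIN/encryption requirements is refused outright rather than quietly synced without them. Decide that on purpose, not by surprise, and watch the quarantine mailbox after turning on step 4.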

 

Another thing that should be obvious, but I’ll mention anyway, is that POP3 and IMAP should be disabled, and left disabled. On Exchange 2010 the POP3 and IMAP4 services are left at Manual and not started after setup; set them to Disabled so nobody turns them on “just for one user”. There’s no need for that stuff. In Linux you can run DavMail as your local mail proxy (it talks OWA/EWS to Exchange and exposes IMAP and SMTP only on localhost), and in Windows and Mac you should be running MS Office (with some version of Outlook). If you’re running an AD and Exchange environment, most of your users are probably using Outlook anyway, and they should be using Outlook 2007 or 2010 in order to get the most functionality out of Exchange. In all actuality, even your Linux people really should have a Windows 7 VM running for Outlook, Visio and Office.
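Turning that into something you can re-run, as an added example that is not part of the original post. Server names come from your own organization via Get-ClientAccessServer; nothing else is assumed.

```powershell
# Added example, not from the original post. Server names are read from the
# organization (Get-ClientAccessServer); no other names are assumed.
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010 -ErrorAction SilentlyContinue

$Services = "MSExchangePOP3", "MSExchangeIMAP4"

# 1. Stop and disable the POP3/IMAP4 services on every Client Access server.
#    Setup leaves them Manual and stopped; Disabled keeps the next admin from starting them.
foreach ($cas in Get-ClientAccessServer) {
    foreach ($name in $Services) {
        $svc = Get-Service -ComputerName $cas.Name -Name $name -ErrorAction SilentlyContinue
        if ($svc -eq $null) { continue }
        if ($svc.Status -ne "Stopped") { $svc | Stop-Service -Force }
        Set-Service -ComputerName $cas.Name -Name $name -StartupType Disabled
        $now = (Get-Service -ComputerName $cas.Name -Name $name).Status
        Write-Host ("{0}: {1} is {2}, startup Disabled" -f $cas.Name, $name, $now)
    }
}

# 2. Belt and braces: turn the protocols off per mailbox too, so a service someone
#    re-enables still serves nobody. New mailboxes are created with PopEnabled and
#    ImapEnabled = $true, so this belongs in your provisioning script as well.
$stillOn = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled }
Write-Host ("{0} mailbox(es) still had POP3 or IMAP4 enabled" -f @($stillOn).Count)
$stillOn | Set-CASMailbox -PopEnabled $false -ImapEnabled $false

# 3. Verify from the network: nothing should answer on the POP3/IMAP4 ports
foreach ($cas in Get-ClientAccessServer) {
    foreach ($port in 110, 995, 143, 993) {
        $tcp = New-Object Net.Sockets.TcpClient
        try {
            $tcp.Connect($cas.Name, $port)
            Write-Warning ("{0}:{1} is still accepting connections" -f $cas.Name, $port)
        } catch {
            Write-Host ("{0}:{1} closed" -f $cas.Name, $port)
        } finally {
            $tcp.Close()
        }
    }
}
```

Step 3 is the one worth keeping in a monitoring job: a closed port on every CAS is the condition you actually care about, and it is independent of what the service control manager claims.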

 
 

I’ll be going through and updating this as I have time… I’m burnt out on all this stuff, so check back periodically for updates!
References:
http://technet.microsoft.com/en-us/library/aa996604(v=exchg.141).aspx

http://www.techieshelp.com/add-an-administrator-to-exchange-2010/


Open Source: Postfix Mail Relay, SPAM filter, DNS Server, Web Server, AWStats, ISPConfig3 and More!


Everyone out there hates SPAM, right? I know I do. And my domain isn’t out there that much, so I can’t say that I get anywhere near as much SPAM as some large enterprise businesses do. What if I told you that your Barracuda spam filter, or your McAfee spam filter, or whatever paid product, is junk? What if I told you that we can get you up and running with a FREE SPAM filter for your mail server? What if I told you that it was just as easy to set up and use as your current SPAM filter? How about this question: How much are you paying for your current SPAM filter?

Well, this blog post is getting put together for all you people out there that love spending money on useless junk. Welcome to the world of Free Software projects that have been around for well over a decade. Instead of paying $100k+ a year for an appliance, how about employing a real person to manage a few Linux boxes? That’s exactly what we’re planning right here. So come along: we’re going to show you how to move your existing Microsoft Exchange server into a more secure, higher-tier DMZ, and set up a Debian server, from scratch, to host a Postfix server that works with Amavis, SpamAssassin, and ClamAV to securely inspect all your mail.

Warning… This blog is long. Be prepared, and make sure you have TIME!

I very seriously recommend following my previous blog on how to build a Debian Server: Debian Minimal Install

 
 

But if you want to just push forward, follow these instructions:

1. Start with getting a virtual machine up and running. Boot to your small Debian ISO and kick off the install.
2. You can really just hit “next” on many of the screens during the install: English language, USA, keyboard layout American English, etc.
3. Pick a server name that is going to last a while, like CompanySPAM01, or something unique like that.
4. Set up your domain name, root password, user accounts, etc.
5. Set up your partitions however you deem fit, install packages, pick a local Debian mirror repository, etc.
6. NOW, when you get to Software Selection, DO NOT INSTALL “Graphical Desktop Environment”. The only things you need are an SSH server and the “Standard System Utilities”.
7. Install the GRUB boot loader as normal, and boom, you’re done!

 
 

Alright, so boot up your new Debian server, and let’s get going. Log in as root or whatever user you created and let’s get some housekeeping done.

 

So Let’s get a static Address on this thing by editing this file: /etc/network/interfaces

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
#allow-hotplug eth0
#iface eth0 inet dhcp
auto eth0
iface eth0 inet static
address 192.168.0.100
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.1

 

And you can restart networking with this:

/etc/init.d/networking restart

 

Next we’ll get the SSH Server so we can get some remote access to this server.

apt-get install ssh openssh-server openssh-client

 

When that’s done you should be able to SSH from your local machine to this virtual host using:

ssh steve@192.168.0.100

 
 

You’ll probably want to sudo from this user, so if that’s the case:

su root
Password:
# apt-get install sudo
# visudo

visudo checks the syntax before it saves, so you can’t lock yourself out of root with a typo the way editing /etc/sudoers directly would. Copy the line where root is and paste it right below, changing the name root to your username. Like this:

# User privilege specification
root ALL=(ALL) ALL
steve ALL=(ALL) ALL

 
 

Now, we need to add the “Dotdeb” repository so we can install its packages. So edit your “/etc/apt/sources.list” and add:

# Dotdeb repository
deb http://packages.dotdeb.org squeeze all
deb-src http://packages.dotdeb.org squeeze all

Now we can add the GPG key. It comes down over plain HTTP, so compare the fingerprint of what you just imported (apt-key finger) against the one Dotdeb publishes before you trust packages signed with it; anything in this repository will end up running as root on your mail relay.

wget http://www.dotdeb.org/dotdeb.gpg
cat dotdeb.gpg | sudo apt-key add -
Ok!
apt-get update
apt-get upgrade

 
 

Now we need to make sure that NTP is installed and running properly on our new server, we’ll also need Postfix, Amavisd, SpamAssassin, ClamAV, and a slew of other software. And at the same time go ahead and install Bind9 if you plan on hosting your Externally facing DNS zones from here. It’s not a bad idea, and even if you’re a small company, you can easily do this on your own.

apt-get install ntp ntpdate

 

Then you can “sudo nano /etc/ntp.conf”

# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help

driftfile /var/lib/ntp/ntp.drift
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable

# Specify one or more NTP servers.

server kerberos.mydomain.com #insert your PDC here
server kerberos2.mydomain.com #secondary DC
server kerberos3.mydomain.com #third DC
server 1.ubuntu.pool.ntp.org #fall back to Ubuntu's NTP
server 2.ubuntu.pool.ntp.org #
server 3.ubuntu.pool.ntp.org #
#

 
 

Now install more software:

apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server openssl getmail4 rkhunter binutils

 

During the install, Postfix will ask you for what type of site, make sure to choose “INTERNET SITE”. The System mail name is going to be the primary domain name that you own and operate. In my case this is “erdmanor.com” Then you’ll be prompted to setup passwords for MySQL.

 

If you do a “netstat -ntap” you’ll see that MySQL is running bound to the local loopback (127.0.0.1). An ISPConfig3 multi-server setup, or any other remote MySQL client, needs it to listen on all interfaces, which you get by commenting out the bind address in “/etc/mysql/my.cnf” as shown below. Be aware of what you are doing here, though: this box is going to sit in a DMZ, and an exposed 3306 is one more thing to attack. If nothing else needs to reach MySQL (a single-server ISPConfig3 install talks to localhost, as you’ll see in the installer later), leave the bind-address line alone. If you do open it, make sure the DMZ firewall drops 3306 from anything but the hosts that need it, and that every MySQL account has a strong password and a specific host rather than ‘%’. Make sure to look at all the other options you can set in there too. It’s a pretty big conf file.

And when you’re done, restart the MySQL server like this: “sudo /etc/init.d/mysql restart”

#bind-address = 127.0.0.1

 
 

Now rerun your “netstat -ntap” and verify that it’s running on 0.0.0.0:3306.

tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN -

 
 

Alright, so let’s get some SPAM killing software installed. Running this command will prompt you to install this software and a ton of dependencies. Save your scroll back and you can go through that stuff later.

apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl nginx

 
 

Awesome, now we have most of the software we need. Let’s get the website up and running for our PHPMyAdmin site and ISPConfig3 software. Now, I’m no PHP wizard or expert, but all of these packages are necessary. If you need more information, I’ve left some links in the sources portion of this blog, all the way at the bottom. Again, you’ll see a bunch of dependencies installed here.

apt-get install php5-fpm php5-mysql php5-curl php5-gd php5-intl php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl fcgiwrap

 
 

Now we’re ready to install PhpMyAdmin:

apt-get install phpmyadmin

 

You’ll see that Apache is installed at this time, again with many other dependencies. When installing this software, make sure that you answer these questions:
1. Webserver to reconfigure: (this is a checkbox, don’t check either of them).
2. Configure database for phpmyadmin with dbconfig-common?: NO

PhpMyAdmin is installed into this directory: “/usr/share/phpmyadmin/” You can check it out like this:

ls -alh /usr/share/phpmyadmin/

 
 

Like I stated before, Apache is installed now. We need to stop the Apache service while we’re configuring the server, and we need to make sure that Apache doesn’t start with the system too. We’ll turn it back on later. Then we can get nginx (Pronounced, Engine-X) started up.

sudo /etc/init.d/apache2 stop
sudo insserv -r apache2
sudo /etc/init.d/nginx start

 
 

Now we can get DNS working, but first we need to install it. We’ll configure it later.

apt-get install bind9 dnsutils

 
 

If you’re looking to get some statistics from your server and analyze logs, etc., you’ll want to get some stat software installed.

“Vlogger is a little piece of code borned to handle dealing with large amounts of virtualhost logs. it’s bad news that apache can’t do this on its own. vlogger takes piped input from apache, splits it off to separate files based on the first field. it uses a file handle cache so it can’t run out of file descriptors. it will also start a new logfile every night at midnight, and maintain a symlink to the most recent file. for security, it can drop privileges and do a chroot to the logs directory.”

 

“The Webalizer is a fast, free web server log file analysis program. It produces highly detailed, easily configurable usage reports in HTML format, for viewing with a standard web browser.”

 

“AWStats is a free powerful and featureful tool that generates advanced web, streaming, ftp or mail server statistics, graphically. This log analyzer works as a CGI or from command line and shows you all possible information your log contains, in few graphical web pages. It uses a partial information file to be able to process large log files, often and quickly. It can analyze log files from all major server tools like Apache log files (NCSA combined/XLF/ELF log format or common/CLF log format), WebStar, IIS (W3C log format) and a lot of other web, proxy, wap, streaming servers, mail servers and some ftp servers.”

 

apt-get install vlogger webalizer awstats geoip-database

 
 

First thing we’ll do here is stop the AWStats cron job by commenting out all the lines in the AWStats Cron job. Start by editing this file: “/etc/cron.d/awstats”

#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh
#
# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh

 
 

Next we’re going to make sure that Apache is stopped and that nginx is running so that we can install ISPConfig3. This is super important, otherwise you’ll have all kinds of issues when you install ISPConfig3!

sudo /etc/init.d/apache2 stop
sudo /etc/init.d/nginx restart

 
 

Now you need to download ISPConfig3 from their website. http://www.ispconfig.org/ispconfig-3/download/

mkdir -p ~/tarballs && cd ~/tarballs
wget http://prdownloads.sourceforge.net/ispconfig/ISPConfig-3.0.4.6.tar.gz
tar -zxvf ISPConfig-3.0.4.6.tar.gz
cd ~/tarballs/ispconfig3_install/install/
sudo php -q install.php

 
 

Now the installer is running for ISPConfig3; it will configure all the necessary services for you. Here is the whole run, with the answers I gave:

steve@:~/tarballs/ispconfig3_install/install$ sudo php -q install.php
PHP Deprecated: Comments starting with '#' are deprecated in /etc/php5/cli/conf.d/ming.ini on line 1 in Unknown on line 0
PHP Deprecated: Comments starting with '#' are deprecated in /etc/php5/cli/conf.d/ps.ini on line 1 in Unknown on line 0

--------------------------------------------------------------------------------
 _____ ___________   _____              __ _         ____
|_   _/  ___| ___ \ /  __ \            / _(_)       /__  \
  | | \ `--.| |_/ / | /  \/ ___  _ __ | |_ _  __ _    _/ /
  | |  `--. \  __/  | |    / _ \| '_ \|  _| |/ _` |  |_ |
 _| |_/\__/ / |     | \__/\ (_) | | | | | | | (_| | ___\ \
 \___/\____/\_|      \____/\___/|_| |_|_| |_|\__, | \____/
                                              __/ |
                                             |___/
--------------------------------------------------------------------------------


>> Initial configuration

Operating System: Debian 6.0 (Squeeze/Sid) or compatible

Following will be a few questions for primary configuration so be careful.
Default values are in [brackets] and can be accepted with .
Tap in "quit" (without the quotes) to stop the installer.

Select language (en,de) [en]: en

Installation mode (standard,expert) [standard]: standard

Full qualified hostname (FQDN) of the server, eg server1.domain.tld [server.erdmanor.com]:

MySQL server hostname [localhost]:

MySQL root username [root]:

MySQL root password []: {generate a long password here}

MySQL database to create [dbispconfig]: {something clever}

MySQL charset [utf8]:

Apache and nginx detected. Select server to use for ISPConfig: (apache,nginx) [apache]: nginx

Generating a 2048 bit RSA private key
.......+++
..................................................................+++
writing new private key to 'smtpd.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Ohio
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Erdmanor.com
Organizational Unit Name (eg, section) []:IT-IS
Common Name (eg, YOUR name) []:Steve Erdman
Email Address []:webmaster
Configuring Jailkit
Configuring SASL
Configuring PAM
Configuring Courier
PHP Warning: chmod(): No such file or directory in /home/steve/tarballs/ispconfig3_install/install/lib/installer_base.lib.php on line 838
Configuring Spamassassin
Configuring Amavisd
Configuring Getmail
Configuring Pureftpd
sh: cannot create /etc/pure-ftpd/conf/ChrootEveryone: Directory nonexistent
sh: cannot create /etc/pure-ftpd/conf/BrokenClientsCompatibility: Directory nonexistent
sh: cannot create /etc/pure-ftpd/conf/DisplayDotFiles: Directory nonexistent
sh: cannot create /etc/pure-ftpd/conf/DontResolve: Directory nonexistent
Configuring MyDNS
Configuring nginx
Configuring Vlogger
Configuring Apps vhost
Configuring Bastille Firewall
PHP Notice: Undefined index: fail2ban in /home/steve/tarballs/ispconfig3_install/install/install.php on line 263
Installing ISPConfig
ISPConfig Port [8080]:

Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]: y

Generating RSA private key, 4096 bit long modulus
.................................................................................................................................................................................................................................................++
.............................................................................++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Ohio
Locality Name (eg, city) []:Concord-Twp
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Erdmanor.com
Organizational Unit Name (eg, section) []:IT-IS
Common Name (eg, YOUR name) []:Steve Erdman
Email Address []:webmaster@erdmanor.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:Erdman.cc
writing RSA key
Configuring DBServer
Installing ISPConfig crontab
no crontab for root
no crontab for getmail
Restarting services ...
Stopping MySQL database server: mysqld.
Starting MySQL database server: mysqld ..
Checking for tables which need an upgrade, are corrupt or were
not closed cleanly..
Stopping Postfix Mail Transport Agent: postfix.
Starting Postfix Mail Transport Agent: postfix.
Stopping amavisd: amavisd-new.
Starting amavisd: amavisd-new.
Stopping ClamAV daemon: clamd.
Starting ClamAV daemon: clamd .
Reloading PHP5 FastCGI Process Manager: php5-fpm.
Reloading nginx configuration: nginx.
Restarting nginx: nginx.
nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
nginx: [emerg] still could not bind()
Installation completed.

Now that you have ISPConfig3 installed, pop open a web browser and head over to your new ISPConfig3 control panel. The default credentials are super secure: admin:admin. Obviously you’re going to be changing those… RIGHT?!


You need to start by adding a new website in your ISPConfig3 admin console. So click on “Sites” then “Create new website…”


Here you need to fill in the relevant details: the server the site is hosted on, the domain name you’re hosting, whether you need CGI, SSI or SSL, and the type of PHP you want. Obviously it’ll be active.


From what I’ve seen on some other websites, we need to create some rewrite aliases (the nginx equivalent of Apache’s “mod_rewrite” aliases). The reason is that the phpMyAdmin console needs to be reachable from a few different URLs. So if you’re hosting multiple hostnames or domains from this server, you’ll basically need to create a vhost alias for each one. It’s a lot of manual work, but at the end of the day it’ll be worth it. I got this code snippet from the www.howtoforge.com website, so make sure to visit them and say thanks!

This code MUST go into the “nginx Directives” field on the Options tab of each website managed inside ISPConfig3, as you can see in the graphic:

location /phpmyadmin {
    root /usr/share/;
    index index.php index.html index.htm;
    # PHP scripts under /phpmyadmin are handed to PHP-FPM on localhost
    location ~ ^/phpmyadmin/(.+\.php)$ {
        try_files $uri =404;   # answer 404 ourselves instead of passing a missing path to PHP
        root /usr/share/;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include /etc/nginx/fastcgi_params;
        fastcgi_buffer_size 128k;
        fastcgi_buffers 256 4k;
        fastcgi_busy_buffers_size 256k;
        fastcgi_temp_file_write_size 256k;
        fastcgi_intercept_errors on;
    }
    # Static assets are served directly by nginx, never by PHP
    location ~* ^/phpmyadmin/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
        root /usr/share/;
    }
}
# Alias so the mixed-case URL also reaches phpMyAdmin
location /phpMyAdmin {
    rewrite ^/* /phpmyadmin last;
}

Now, from a security perspective, I would highly recommend disabling HTTP (port 80) and only using HTTPS (SSL over port 443). I’m not stupid though and realize that not everyone can afford to pay for a site certificate. If you’re a small organization, make sure to only allow access to this server from the internal network of your organization. Obviously this server should be sitting in your multi-tiered DMZ as I outlined in a previous blog, Serious network architecture that works for everyone.

location /phpmyadmin {
    root /usr/share/;
    index index.php index.html index.htm;
    location ~ ^/phpmyadmin/(.+\.php)$ {
        try_files $uri =404;
        root /usr/share/;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_param HTTPS on;   # tell PHP the request came in over HTTPS
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include /etc/nginx/fastcgi_params;
        fastcgi_buffer_size 128k;
        fastcgi_buffers 256 4k;
        fastcgi_busy_buffers_size 256k;
        fastcgi_temp_file_write_size 256k;
        fastcgi_intercept_errors on;
    }
    location ~* ^/phpmyadmin/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
        root /usr/share/;
    }
}
location /phpMyAdmin {
    rewrite ^/* /phpmyadmin last;
}

If you are using HTTPS across your site and you want to force users to use it, then you need to add the code below to “/etc/nginx/nginx.conf”. Make sure it is placed inside the braces of the http block (not inside a server block), otherwise you’ll have all sorts of issues getting this to work:

http {
    ## Detect when HTTPS is used: $fastcgi_https becomes "on" for https requests, "off" otherwise
    map $scheme $fastcgi_https {
        default off;
        https   on;
    }
}

Then restart nginx:

sudo /etc/init.d/nginx restart

For nginx to work over both HTTP and HTTPS, you’ll need to go into your “nginx Directives” again and, instead of “fastcgi_param HTTPS on”, add the line “fastcgi_param HTTPS $fastcgi_https” so that requests work over both protocols.

location /phpmyadmin {
    root /usr/share/;
    index index.php index.html index.htm;
    location ~ ^/phpmyadmin/(.+\.php)$ {
        try_files $uri =404;
        root /usr/share/;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_param HTTPS $fastcgi_https;   # "on" or "off", set by the map in nginx.conf
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include /etc/nginx/fastcgi_params;
        fastcgi_buffer_size 128k;
        fastcgi_buffers 256 4k;
        fastcgi_busy_buffers_size 256k;
        fastcgi_temp_file_write_size 256k;
        fastcgi_intercept_errors on;
    }
    location ~* ^/phpmyadmin/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
        root /usr/share/;
    }
}
location /phpMyAdmin {
    rewrite ^/* /phpmyadmin last;
}
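
As an added example (my own, not code from the original post or from the howtoforge guide), here is one complete nginx layout that puts the pieces above together: the map in the http context, a port-80 server that does nothing except redirect to HTTPS, and an HTTPS server whose phpMyAdmin location is reachable only from the internal network, as recommended earlier. The hostname panel.example.com, the certificate paths and the 10.0.0.0/8 range are placeholders; under ISPConfig3 the server blocks are generated for you, so only the map (nginx.conf) and the location blocks (“nginx Directives”) would actually be pasted.

```nginx
http {
    # Placed in the http context, not inside a server block:
    # $fastcgi_https is "on" for https requests and "off" for everything else
    map $scheme $fastcgi_https {
        default off;
        https   on;
    }

    # Plain HTTP only redirects; nothing is served in clear text
    server {
        listen 80;
        server_name panel.example.com;   # placeholder hostname
        return 301 https://$host$request_uri;
    }

    server {
        listen 443 ssl;
        server_name panel.example.com;   # placeholder hostname
        ssl_certificate     /etc/ssl/certs/panel.example.com.crt;     # placeholder path
        ssl_certificate_key /etc/ssl/private/panel.example.com.key;   # placeholder path

        location /phpmyadmin {
            # Only the internal network may reach the database console.
            # allow/deny are inherited by the nested locations below.
            allow 10.0.0.0/8;   # placeholder internal range
            deny  all;

            root /usr/share/;
            index index.php index.html index.htm;

            location ~ ^/phpmyadmin/(.+\.php)$ {
                try_files $uri =404;
                root /usr/share/;
                fastcgi_pass 127.0.0.1:9000;
                fastcgi_param HTTPS $fastcgi_https;   # from the map above
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                include /etc/nginx/fastcgi_params;
                fastcgi_intercept_errors on;
            }
            location ~* ^/phpmyadmin/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
                root /usr/share/;
            }
        }
        location /phpMyAdmin {
            rewrite ^/* /phpmyadmin last;
        }
    }
}
```

Run “nginx -t” before restarting so a typo in the paths or the allow/deny lines is caught while the old configuration is still serving; a request from outside 10.0.0.0/8 to /phpmyadmin should then get a 403, and a plain http:// request should get a 301 to the https:// URL.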

Now, let’s get back to the mail setup. Start by running the “newaliases” command, then restart Postfix.

newaliases
/etc/init.d/postfix restart

So from here on out everything should be manageable from the ISPConfig3 Control Panel. If you have any further questions, feel free to contact me!

Sources:
http://www.dotdeb.org/
http://wiki.nginx.org/Main
http://php-fpm.org/about/
http://php.net/manual/en/book.apc.php
http://www.if-not-true-then-false.com/2012/php-apc-configuration-and-usage-tips-and-tricks/
http://nginx.localdomain.pl/wiki/FcgiWrap
http://wiki.nginx.org/Fcgiwrap
http://community.linuxmint.com/software/view/vlogger
http://www.webalizer.org/
http://awstats.sourceforge.net/
http://www.howtoforge.com/perfect-server-debian-squeeze-debian-6.0-with-bind-dovecot-and-nginx-ispconfig-3
