Hi guys,

Installed ISPConfig following the Perfect Setup. Things went right and then didn't, and now it's screwed up. No worry, I want to reinstall the system anyhow. But getting deeper into all the info in the process of my experiments, I wonder about a couple of things, and I hope someone could clear things up before I endeavour the next reinstall:

1) I would like to install in the paranoid security state (chrooted), or at least highest. Does that give problems with ISPConfig, and exactly what does?
2) I would rather use the standard Mandriva IMAP services (updates later on); does that give problems with ISPC?
3) I would rather use the standard Shorewall firewall and disable the firewall in ISPC; does that...
4) I would rather use the sasl2 authentication than the deprecated saslauthd; does that give problems?

Lots of questions, but let me say, it seems that ISPC is right on the spot! Looked long for a good open-source config panel and think I found it.
I'm almost sure that this will cause problems... These settings are so paranoid that almost nothing is allowed on the system! So don't do it; rather do as suggested by the tutorial.

In the tutorial I use the standard Mandriva IMAP package...

Not if you configure it properly... This means that port 81 must also be accessible, otherwise you can't access ISPConfig.

saslauthd is for sasl2; there's no such package for sasl1, so I don't think it's deprecated. Anyway, use it, otherwise you'll have problems with authentication...

The best way to follow the tutorial is to use an SSH client (like PuTTY on Windows) and copy and paste the commands from the tutorial.
Thanks Falko

Thanks for your reply. The thing is, I followed the tutorial but was a little concerned about security, having had some problems with that in the past. I already run 3 servers under Mandrake but use the Higher setting, and then allow SSH by hand. Anything known if that causes trouble with ISPC?

Email
When I install the standard IMAP I don't see anything about the "cyrus..." you state in the tutorial, but maybe that's concealed by the Mandrake installer, so that's what confused me.

Mail authentication
OK, I followed some other thread on that. Since I am not an expert on this, I guess I'll follow your argumentation on that.

Firewall
Configuring the new ports in Shorewall isn't really that big a problem (you have to do that for MySQL anyhow, so that's answered for!)

So what I'm really left with is the security settings... paranoid won't do, but what about Higher? I wouldn't mind setting some services back on again, but I'll guess, since I am not an expert on this, the overall system would be more secure than the standard install?! And what about the chrooted daemons everybody is talking about (BIND, ProFTPD)? Could I set that up together with ISPC?
I think the standard install is already very secure because ISPConfig has its own firewall that blocks requests on all ports that you don't use. I've never tried the "Higher" setting together with ISPConfig, so it's up to you to find out if this works.
OK Falko, I will do that and report back here, but still, aren't there exploits which use just the opened ports? There are, as far as I know, many descriptions on how to secure, let's say, BIND. So there has to be more on that issue?! Wouldn't you agree? Or, for that matter, would you consider a whole different distro, let's say the Debian-based Ubuntu, or Fedora or SUSE?
If you ask me, I'll always recommend Debian (see also http://www.howtoforge.com/forums/showthread.php?t=1393), but in the end it's a matter of which distribution you like most.
Got it working

Hi Falko,

So I got it working after all. The problem with security settings under Mandrake boils down to the "msec" checks. They alter the standard filesystem chmods and render ISPConfig not working. What worked for me was installing the system as described in the Perfect Setup guides and then switching on the security functions, all but the msec checks. Maybe a separate site should be set up to cover only the securing of Linux under ISPConfig...

Now then, of course I still have some questions for you.

First of all the POP system. When connecting there is a strange lag between connecting and actually reading the mail. Using Thunderbird, or Outlook Express for that matter, a connection is made right away, but then everything stops for 15-20 secs before the password is asked and the mail begins to roll. Once mail is coming in, everything goes fast and smooth. Tried a telnet connection and there the POP server answered right away, so I am puzzled.

Second: from one of the sites specified (not all) the mail gets doubled to the postfix account?? The settings for this mail account specify a forward to [email protected], which actually is a mail address handled by the same system (as far as my knowledge reaches, a forward to a mail recipient on the same system should be done directly to the underlying POP account, not to the email address, but I am not sure if that is the problem). So why or when would an email be sent to the postfix account??

Hope I am not boring you too much, and keep up the good work!!

Thorsten
Can you see anything related to this in the mail log? Might also be a firewall problem or related to your security settings... Can you explain a little more in detail?
Response 1: the forwarding problem

Falko, here is info about the forwarding system; I'll do some more checks on the POP server delay:

Forwarding: 2 domains are registered within ISPConfig on the same server, x and y, each with one user, info@x and info@y (mail). When I open the user definition for domain x and there put in a mail forward to info@y (the mail user from y) and I switch on the keep local copy option, the mail sent to info@x ends up in his box (as expected) but also in the postfix box on the system. This is annoying since this box is not emptied automatically and therefore could be flooded.

Another new problem: the mail scanner sends a mail with the following return address:
Van: [email protected] [mailto:[email protected]]
How can I get this into a real message? i.e. [email protected] or [email protected]

regards
thorsten
Are info@x and info@y in /etc/postfix/virtusertable? What's in /etc/aliases?

Don't do it! Have a look here: http://www.howtoforge.com/forums/showthread.php?t=821
Falko

Yes, both are listed in virtusertable:
[email protected] account x and [email protected] account y

I don't have /etc/aliases; I do have an /etc/postfix/aliases with the following:
Code:
# Default aliases file for postfix
#
# this file should be in /etc or in /etc/postfix but if you want it in
# /etc/postfix you'll have to adjust your /etc/postfix/main.cf file accordingly
#
# Aliases in this file will NOT be expanded in the header from
# mail, but WILL be visible over networks or from /bin/mail.
#
# Following alias is required by the mail protocol, RFC 822 (and by RFC2142)
# Set it to the address of a HUMAN who deals with this system's mail problems.
#
# For various security reasons, postfix WILL NOT deliver mail as root, so
# ensure that the root alias is aliased to a HUMAN user, as otherwise
# mail may get delivered to the $default_privs user (nobody).
postmaster: root
# Many mailers use this address to represent the empty SMTP return
# path
MAILER-DAEMON: postmaster
# Common aliases for system accounts.
bin: root
daemon: root
games: root
ingres: root
nobody: root
system: root
toor: root
foo: root
falken: root
# Well-known aliases.
admin: root
manager: root
dumper: root
operator: root
# traps to catch security attacks
decode: root
moof: root
moog: root
# The following aliases are required by RFC 2142
info: staff
marketing: staff
sales: staff
support: staff
# Standard aliases also defined by RFC 2142
abuse: postmaster
# reports of network infrastructure difficulties
noc: root
# address to report secuirty problems
security: root
# DNS administrator (DNS soa records should use this)
hostmaster: root
# Usenet news service administrator
news: usenet
usenet: root
# http/web service administrator
www: webmaster
webmaster: root
# UUCP service administrator
uucp: root
# FTP administrator (especially anonymouse FTP)
ftp: root
# Commonly used group aliases:
#
staff: postmaster
office: postmaster
all: postmaster
tech: postmaster
ops: postmaster
# Person who should get root's mail. This alias
# must exist.
# CHANGE THIS LINE to an account of a HUMAN
root: [email protected]

Hope that helps? By the way, the virtusertable is solely created by ISPConfig...
Concerning the [email protected]

OK, I should not fiddle with that, but what is then the point of mails going out to people asking them to mail to [email protected] for further questions? If they do, the mail wouldn't arrive anywhere?!

thorsten
You can set another server administrator address under Management -> Server -> Settings.

Can you post /etc/postfix/virtusertable here (with the real usernames and email addresses - please mark the users you're talking about here)? Can you also post the .procmailrc file of user x?
Concerning mail addressing

Hi Falko, back again with a bit more serious problem. Again mail for one user is routed to another; in this case there are 2 domains, homeport.nl and homeportnoord.nl. Now mail for homeportnoord.nl is routed to the homeport mailbox, even though no forward rules are visible in ISPConfig. Furthermore, it seemed to have worked once but doesn't anymore. I looked in the virtusertable for Postfix and indeed there are entries which lead mail for homeportnoord.nl to the user (web14...) of homeport.nl instead of to the user of homeportnoord.nl (web15_...), but why that is, no idea. Both .procmailrc are empty (only the first standard line is in place). Here the concerning part of the virtusertable:

Any idea?? There is some striking difference between homeport and homeportnoord though: homeport.nl under the Co-Domain tab has an entry with empty hostname (as all other domains have), but homeportnoord does not, and when I want to set it, it results in an error that ".homeportnoord.nl" already exists. ?????

By the way, how do I trigger the makedb? i.e. make the Postfix virtuser db?

Thorsten
Please check the Co-Domain tab of homeport.nl if homeportnoord.nl (without hostname) is listed there. If so, remove it.

On Postfix it's
Code:
postmap /etc/postfix/virtusertable
But this is done by ISPConfig automatically.
No it isn't. Just homeport.nl without hostname is listed. On homeportnoord nothing is listed, and homeportnoord.nl without hostname is not accepted (domain already exists).

OK, HOLD THE PHONE!! Fixed it. What was the case: homeportnoord.nl existed in the trash bin and was originally made under homeport.nl. But now we have a bug, because the domain was deleted, and then there shouldn't be any more mail rules built on this, should there? Even though the thing still sits in the trash bin? Well, I've emptied the trash bin, put the .homeportnoord.nl back in place under Co-Domains of www.homeportnoord.nl, and now everything is working fine. But I still think the above needs some thinking over!

th
I've never seen something like this before... Anyway, we've changed something in the code that handles Co-Domains, and it will be available in the next release. I think it might help to avoid problems like this one.
Quotas and error logs

OK, using the system for quite a while now, and it's of great value. But using ISPConfig of course raised further questions. Here is one of them: I have installed the quota system for users and that is working well. But what concerns me are the error logs:
1) the error log is part of the user's (website's) quota, which can be annoying, but
2) the error log doesn't rotate! It just keeps growing, and I haven't figured out how to delete it.
This leaves me with 2 things: when the error log keeps growing, setting site quotas does not make much sense (in this case, that is; otherwise it can of course make sense, since it warns the admin of problems at site level), and how do I get rid of an error log which is actually above 1 GB?

thorsten