After the installation of an OS, for example Debian, following one of the excellent "perfect server" how-tos and then installing ISPConfig3, there are a few more things I consider to be essential:
- Install Mod_Security. This can be skipped if you use only software that is guaranteed to be secure. Mod_Security needs some work for fine-tuning, but if you run a hosting environment for clients or if you use open-source software, Mod_Security might save you more than just a couple of bucks...
- Install the PEAR Mail package. Most, if not almost all, software packages involving mailing to users make use of the PHP mail()/sendmail function. The problem with this is that regardless of all your efforts using SPF and setting PTRs, your mail will be stopped by the spam filters of all major email providers because it was not sent using SMTP auth. PEAR provides a simple way of sending mail using SMTP auth, so you increase your website's reach.
I add another essential tweak: enable port 465 to allow mail sending even when ISPs block port 25: http://www.faqforge.com/linux/how-to-enable-port-465-smtps-in-postfix-mailserver/ (just use reload instead of restart).
My experience is that the email ports are configured in many different ways depending on the provider. For example, at Google: 587 is the outgoing server (SMTP) port for IMAP. It uses a TLS-encrypted connection. 465 is the outgoing server (SMTP) port for POP. It uses an SSL-encrypted connection.
Another (potentially) essential config tweak: if you are running high-traffic sites, and especially if they sit on a cloud vserver that usually has limited storage and limited I/O bandwidth, you want to disable the Apache access log: http://www.howtoforge.com/forums/showthread.php?t=52180. Just use Google Analytics or another stats provider for stats. They are better anyway, and won't clog your server with 30+ Gigs of logs. Hello, backup storage!
SMTP and IMAP are not related. SMTP is to send email between servers. IMAP is a way for some client to access stored email on a server. And port 587 is still the email submission port.
Yeah, go tell all the mail services about that; they will continue to do what they want anyway ;-) I will add another essential tweak to this list: to avoid some funny issues with character encoding in MySQL, configure UTF-8 as the default character set for MySQL, in my.cnf:
One more tweak for outbound emails: use DKIM (DomainKeys) to increase your emails' reach even more, in addition to sending through SMTP and using SPF records. The following how-to is for Debian: http://syslog.tv/2010/01/11/dkim-on-debian-with-postfix/ or this how-to (untested): http://www.debiantutorials.com/setup-domainkeys-identified-mail-dkim-in-postfix/
More of a trick than an essential add-on: being able to display (and switch between) sites that have been set up on the server as the default when browsing to the server's IP or FQDN is useful, for example when developing a site before the DNS has been set to point there, or to host stuff without using a domain name. To achieve this, do the following: in /etc/apache2/sites-enabled, rename 000-default (or similar) to something like _000-default, then *copy* the file with the domain you want to appear as default into 000-default (the same file name as was renamed above), then restart Apache. To switch to another default site, just copy another domain file to 000-default. To switch back to the default behaviour, copy _000-default back to 000-default (and restart Apache after every change). I wish this could be done easily through ISPConfig.
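The rename/copy procedure from the post above as a small POSIX shell script, added here as an example and not part of the thread or of ISPConfig. It takes the sites directory as a parameter so it can be tried on a scratch directory first, and it leaves the Apache restart to the caller.

```shell
#!/bin/sh
# Added example: switch the Apache default vhost by the rename-and-copy
# method described in the post. SITES_DIR is normally
# /etc/apache2/sites-enabled; DOMAIN_FILE is the vhost file to make default.
# Restarting Apache afterwards is left to the caller.

# set_default_site SITES_DIR DOMAIN_FILE
#   Keeps the stock default as _000-default (only on the first switch, so the
#   backup is never overwritten), then copies DOMAIN_FILE over 000-default.
set_default_site() {
    sites_dir=$1
    domain=$2
    [ -d "$sites_dir" ] || { echo "no such dir: $sites_dir" >&2; return 1; }
    [ -f "$sites_dir/$domain" ] || { echo "no such vhost: $domain" >&2; return 1; }
    if [ ! -f "$sites_dir/_000-default" ]; then
        mv "$sites_dir/000-default" "$sites_dir/_000-default" || return 1
    fi
    cp "$sites_dir/$domain" "$sites_dir/000-default"
}

# restore_default_site SITES_DIR
#   The "switch back" step: copies the preserved _000-default back in place.
restore_default_site() {
    sites_dir=$1
    [ -f "$sites_dir/_000-default" ] || { echo "no backup to restore" >&2; return 1; }
    cp "$sites_dir/_000-default" "$sites_dir/000-default"
}

# current_default_site SITES_DIR
#   Prints the domain file whose content 000-default currently matches,
#   or "stock" when no domain file matches (i.e. the original default).
current_default_site() {
    sites_dir=$1
    for f in "$sites_dir"/*; do
        name=$(basename "$f")
        case "$name" in 000-default|_000-default) continue ;; esac
        if cmp -s "$f" "$sites_dir/000-default"; then echo "$name"; return 0; fi
    done
    echo stock
}
```

Because the switch is done by copying rather than symlinking, a later change to the original domain file is not picked up until you run the copy again.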
For me an essential add-on is Cluebringer for Postfix. It provides access control, SPF checks, greylisting, HELO/EHLO checks and quota support. It's written in Perl and supports MySQL/SQLite/PostgreSQL. All with a web interface, just awesome!
Just an addendum: I just discovered the logs are written twice! Under /etc/apache2/conf.d is the file other-vhost-access-log that writes a "vhosts combined" log. Don't forget to deactivate that one as well.
Another observation: if you install a vserver, these usually don't allow access to iptables, since it is built into the kernel that is common to all vservers on the host. So your fail2ban is going to be ineffective in the default config. Solution: use hosts.deny instead. To do this, in jail.conf change banaction = iptables-multiport into banaction = hostsdeny, save and restart fail2ban.
I realized later that hosts.deny is not a good solution. See here why: http://www.howtoforge.com/forums/showthread.php?p=293131