ISPconfig 3 Ubuntu postfix+dovecot+roundcube

Discussion in 'Installation/Configuration' started by zapyahoo, Dec 28, 2012.

  1. zapyahoo

    zapyahoo Member

    SOLVED ISPconfig 3 Ubuntu postfix+dovecot+roundcube

    I decided to try a multiserver setup.
    The mail control panel server also as function of mail server.

    Followed 2 tutorials:

    Also, I have 2 STARTSSL certificates:
    1 for the control panel port 8080
    1 for the webmail
    (the last one was tricky since I'm not using a wildcard SSL, but successfully manage to change the roundcube.conf to respond using the correct mail SSL certificate and to respond to the domain instead of domain/webmail.
    For this is used the how-to
    the only difference from the above tutorial was postfix and dovecot, I changed them to reflect the mail SSL and not the ispconfig3 cp.mydomain SSL.

    So far so good, everything responded fine.
    The issue:
    I already created email accounts in ISPconfig3. When trying to login in roundcube I'm getting login failed.
    Checking the /var/log/mail.err:
     mail dovecot: lda(root): Error: user root: Initialization failed: Initializing mail storage from mail_location setting failed: stat(/root/Maildir) failed: Permission denied (euid=65534(nobody) egid=65534(nogroup) missing +x perm: /root, dir owned by 0:0 mode=0700)
    checking mail.log:
    3 warning lines with the 3 dovecot SSL entries, althought it's a warning it creates a lot of logging :(
     mail dovecot: config: Warning: Obsolete setting in /etc/dovecot/dovecot.conf:92: ssl_cert_file has been replaced by ssl_cert = <file
     mail dovecot: imap-login: Aborted login (auth failed, 1 attempts): user=<[email protected]>, method=PLAIN, rip=, lip=, TLS
    Help would be appreciated.
    Last edited: Dec 29, 2012
  2. zapyahoo

    zapyahoo Member

    getting a few more errors in /var/mail.err

    mail dovecot: lda(root): Error: chdir(/root/) failed: Permission denied (euid=65534(nobody) egid=65534(nogroup) missing +x perm: /root, dir owned by 0:0 mode=0700)
    Dec 28 06:33:52 mail dovecot: lda(root): Error: chdir(/root) failed: Permission denied
    Dec 28 06:33:52 mail dovecot: lda(root): Error: user root: Initialization failed: Initializing mail storage from mail_location setting failed: stat(/root/Maildir) failed: Permission denied (euid=6$
    Dec 28 06:33:52 mail dovecot: lda(root): Fatal: Invalid user settings. Refer to server log for more information.
  3. zapyahoo

    zapyahoo Member


    Thanks for the help... :) great community
  4. falko

    falko Super Moderator ISPConfig Developer

    What exactly did you do to solve this?
  5. zapyahoo

    zapyahoo Member

    Hello Falko,

    For some reason my postfix installation had no SSL cert. Reading the how-to there's no mention to it. So I had to do a bunch of things, from the top of my head, bellow are some important steps.

    Made sure that postfix, dovecot and roundcube were using the same SSL "mail" and not the ISPConfig "cp" SSL.
    Although the "mail" SSL location files are different (just copies). That's something I'm going to implement next, because it will be easier to replace when they expire, postfix, dovecot and apache2 will pull the SSL "mail" from the same location.

    So, to start I added my STARTSSL to postifix
    cd /etc/postfix
    ln -s /etc/ssl/roundcube/ssl.crt smtpd.cert
    ln -s /etc/ssl/roundcube/ssl.key smtpd.key
    smtp_use_tls = yes
    smtpd_tls_received_header = yes
    smtpd_tls_mandatory_protocols = SSLv3, TLSv1
    smtpd_tls_mandatory_ciphers = medium
    smtpd_tls_auth_only = yes
    smtpd_tls_cert_file = /etc/postfix/smtpd.cert
    smtpd_tls_key_file = /etc/postfix/smtpd.key
    smtpd_tls_CAfile = /etc/ssl/roundcube/

    Also in the apache2 vhost roundcube.conf
    SSLEngine on
    SSLProtocol all -SSLv2

    SSLCertificateFile /etc/ssl/roundcube/ssl.crt
    SSLCertificateKeyFile /etc/ssl/roundcube/ssl.key
    SSLCertificateChainFile /etc/ssl/roundcube/
    SSLCACertificateFile /etc/ssl/roundcube/ca.pem

    and to finish it, dovecot.conf
    ssl_cert = </etc/postfix/smtpd.cert
    ssl_key = </etc/postfix/smtpd.key

    Restarted all services and did an ipsconfig php -q update.php to integrate all this.

    I also "frankansteined" my 2 DNS servers to be integrated with ISPConfig. I always read that we should start with a clean ISPConfig installation :) ... no, that's 2 easy :)
    The reason was that my NS1 also had cacti and nagios3 running, and I wanted to keep all the hosts configuration and databases for them.

    went smooth... Right now I already have them beautifully integrated as master and slave NS's in ISPconfig keeping my cacti and nagios.

    Also added DNSSEC to both servers, you guys have no dnssec integration ÔÔ
    Today or tomorrow will integrate the webserver + database server to the ISPConfig setup.
    Could have done this already, I already have "the" webserver running and it's my crown jewel. Apache2 and mysql are tweaked to perfection with 100ms response times, 2/3 seconds total page load times for heavy Joomla / Jomsocial websites... over WAN. This one will not be a clean ISPConfig install :)
    Later this week will start testing openvz server integrated into ISPConfig3, very familiar with VM's like sphere and virtualbox but never used openvz before. The only thing I like about openvz is the fact that it is "open", and that's about it... the project seems stalled or dead and it's officially the slowest virtual machines in the world. Google says so.

    If I'm not happy with it, as a future project might pull a stunt and develop a module to integrate virtualbox into ISPConfig. Virtualbox is free and as good support and runs on all sorts of hosts, each vmachine as an individual identifier, good control over cores/ram/eth, etc. and it's fast.

    Some people are happy if it runs, I'm only happy went it's fast and the error log shows 0 entries...
  6. zapyahoo

    zapyahoo Member

    webserver and database

    Today was the big day to "Frankenstein" my beautiful webserver and integrate another server into ispconfig. This server as double function of webserver and database server.

    Well, it went fine, just took me a hour to figure out how ispconfig stores things like the vhosts and the www root directories.
    Needed to do some apache2.conf changes, my conf file was more restricted and each host had a directory line with root location and include sites-enabled. My mysql conf was kept pretty much the same with my tweaked settings, with exception for commenting out "only respond on the interface".

    Yeah, did not understand at first in ispconfig add website what settings to use for php... but a quick look in this excellent forum gave me the answer for Joomla websites, SUexe and phpfcgi. Not mod-php.

    Webserver Databases went without issues with phpmyadmin, did have to change the control panel ispconfig to when pressing the database button to open the webserver phpmyadmin and not the control panel phpmyadmin that I previously looked with .htaccess to my lan. The webserver phpmyadmin responds over WAN.

    Testing the websites performance with apache2 benchmark and webpagetest, gave me a few nano seconds more, not happy but those nano's will save hours of website work. So, it's an OK compromise. msqltunner benchmark reported no changes in mysql... as expected since my.cnf is the same.

    Tomorrow will test FTP and add 1 godady SSL and 2 STARTSSL certificates to 3 of the websites, responding on the same WAN IP but using different ports (got to love the facebook applications, must have ssl). More fun.

    p.s. after deletion, ISPConfig seems to leave some settings behind in the database. Haven't investigate this yet, but user groups from deleted users still show up and after deleting a website ispconfig did not regenerate the website folder:
    /web11/ deleted website
    /web12/ it should be 11, so there's a gap between 10 and 12.
  7. hellkat

    hellkat New Member

    Could you please also post the changes you made to add dnssec support?
  8. zapyahoo

    zapyahoo Member

    Plenty of tutorials for bind9 and dnssec.
    Maybe you should ask ispconfig3 developers what files / master templates need to be hacked in order to maintain intact your dnssec txt records.

Share This Page