Good day,

I'm about to download the latest documentation of ISPConfig and I'd like to know if I'm dreaming or if I could set up a small ISP multiserver environment with a cluster for Mail/DNS and Web/DB with a few dedicated servers.

GOAL: I want it all secure and not spend all my days figuring out email issues from a 'shared hosting' point of view (SSL-only connections to send - never from local web servers).

Architecture:
Servers 1 and 2 with bigger SATA drives: email, DNS (local MySQL needs).
Servers 3 and 4 with smaller SSD drives: Nginx, MySQL.
Eventually adding 5 and 6 as other Web/MySQL server pairs and so on. Always using servers 1 and 2 for SSL mail access (and maybe server management).

- Could I install Policyd on 1 and 2 for rate limiting?
- With this setup, can we configure MX 1 and MX 5 for example (I would say yes)?
- Is replication only 1 way with emails (Dovecot 2)?
- Can I install a MySQL DB on the mail servers for ISPConfig/DNS/Dovecot needs and then some standalone Web/MySQL servers (as pairs)?
- Is replication only 1 way with Unison for web (/var/www/)? (people always write on 3 and it replicates to 4, for example)
- Could I install HAProxy on the web server pairs (I have a failover IP block)? I'm not sure how ISPConfig deals with load balancing. If it's an nginx config it could also be good (upstream backend).
- Does ISPConfig check/validate the MySQL, Web and email replications? Alert if there is an issue? (or will good old Nagios be needed?)
- Is ISPConfig compatible with Linux Malware Detect (LMD)? (I know it is with chkrootkit, Lynis (formerly rkhunter) and ISPProtect $ from a howtoforge post). Would you see an issue using malware signature databases like SaneSecurity, ScamNailer, ExtremeShock on the same server?
- Would CSF (ConfigServer Security & Firewall) be overkill with fail2ban? It would add IDS and more? I could use iptables alone to block all non-necessary ports (including port 25 since the web servers will only communicate with the Master Mail server through SSL / blocking anything that's not absolutely necessary).

Is the best approach:
1- To install a multi environment and then add an 'ISPConfig/Mail/DNS/MySQL cluster' and 'web clusters'?
2- Or build a full '2 machine' cluster on SATA and add some 'Web cluster pairs' to it to manage them?
(I like #2 for my needs, especially if I can scale the Web server pairs)

Then:
- check reputation of our IP address
- set up SPF, DKIM, DMARC, return DNS/PTR - obviously
- ALL outgoing mail must be authenticated / No open anonymous senders or open relay

Any other measures you would consider useful to secure my ISPConfig nodes and avoid blacklisting?

Thanks ahead everyone,
JP