Questions about Ispconfig and the autoinstaller

Discussion in 'Installation/Configuration' started by andreasli, Jan 19, 2022.

  1. andreasli

    andreasli Member

    Hi

    I have plans to set up ISPConfig with the autoinstaller. When I have tested it, it has worked well, but I have a few questions I want to ask before setting up a production system with it. I use Debian for my servers.

    1. The autoinstaller automatically installs ClamAV and there seems to be no option to disable it from the install. Is there any reason for that? For example, I see no reason to install ClamAV on the DNS servers.

    2. The mail setup uses 2 mail servers with a mail cluster. For Roundcube there is an option to have mx1 for ssl and mx2 for tls, but what if I use a mail client? How can the system know which mail server to use? I have used two MX servers before, mx10 and mx20; then the system knows which mail server to use, but if I have understood it correctly, in this setup there should be only one MX.

    3. Is there any way to enable backups by default? For example, when I create a new domain or email account, the backup system is turned off by default. Can I change that so the backups are turned on by default and 7 backups are saved?

    4. Is there any way to set up a WAF (web application firewall) with ISPConfig?
     
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    ClamAV is used to scan your server for malicious files. These could exist on DNS servers as well (though one suddenly existing is not likely). As far as I know, we don't have an option to skip it, but it doesn't hurt to be on your server anyway.

    What do you mean with "For Roundcube there is an option to have mx1 for ssl and mx2 for tls"? I suppose you mean IMAP and SMTP?

    The MX record defines which servers to use for incoming mail for a domain. You can set the same priority so both are "equally" used for incoming messages. For SMTP and IMAP you can either set up a highly available load balancer in front of it to distribute the traffic over the 2 servers, or just use one of them. For a simple/new hosting setup, I would recommend doing the following:
    Incoming email: Two priority 10 MX records pointing to mx1 and mx2
    Webmail (SMTP and IMAP): use mx2
    E-mail clients (Thunderbird, Outlook, etc): use mx1 (point smtp.example.com and imap.example.com to the IP of mx1)
    (Why use smtp.example.com and imap.example.com instead of mx1.example.com? This way, you can easily make changes later on, e.g. pointing smtp. and imap. to a load balancer)

    Yes, you can change the default value of the related column in the database.

    You can use modsecurity with Apache.
     
  3. andreasli

    andreasli Member

    Thank you for your answer @Th0m

    Yes, you are right. What I referred to was the following in your tutorial:
    Now I think it is more clear for me how the setup works. I will make a reply on this thread if I face any problems.
     
  4. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Alright, great. One more thing, in my previous reply I stated that you could/should use mx2 as SMTP server for the webmail. This is fine, but what might be better is using mx1, so you only have to worry about the IP reputation of one IP (and with smaller setups that don't have a lot of email traffic you want to send as much as you can with one IP).

    So you're going to be following https://www.howtoforge.com/tutorial/ispconfig-multiserver-setup-debian-ubuntu/, right?
     
  5. andreasli

    andreasli Member

    Thank you for the info. Yes, that's correct, I should have mentioned that in my first post.

    The idea is to have a setup like the following:
    panel.example.com
    web.example.com
    ns1.example.com
    ns2.example.com
    mail.example.com
    mailsec.example.com
     
  6. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Alright, and no separate webmail server?
     
  7. andreasli

    andreasli Member

    No. I will run the webmail on the first mailserver as you suggested earlier.
     
    Th0m likes this.
  8. andreasli

    andreasli Member

    I have set up a test install using this guide: https://www.howtoforge.com/tutorial/ispconfig-multiserver-setup-debian-ubuntu/

    The only problem I have is that SSL certificates for alias domains are not created for the secondary mail server. I have set up the secondary mail server as a mirror of the first mail server. When I go to Sites > Aliasdomain for websites I can create the alias domain. But if I check it with https://www.sslshopper.com/ssl-checker.html it shows that the alias domain I just created is not a part of the SSL certificate for the parent website.

    I also tried to temporarily disable the mirror, then it worked to create an alias domain on the secondary mail server. Should it work like this?
    In the letsencrypt log I couldn't find anything that helped me.
     
  9. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    See https://www.howtoforge.com/community/threads/lets-encrypt-error-faq.74179/
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    Btw, why don't you use the built-in SSL functions from the ISPConfig installer? ISPConfig creates the SSL certs on its own at install time since ISPConfig 3.2; no websites or alias domains are required anymore.
     
  11. andreasli

    andreasli Member

    Correct me if I am wrong, but I think the built-in SSL functions only work for the hostname. I want to use the subdomain "mail" for all domains and not the hostname.
     
  12. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Exactly :)
     
  13. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    By the way, I would advise you to use "imap" and "smtp" for the hostnames.
     
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    So each domain shall use its own mail domain? That's generally possible as long as you plan to set up a very small system. The max limit of the whole server system is 100 subdomains in this case. Just had a customer that insisted on doing this and then he ran into failures after 33 domains on his large cluster system as he added smtp, pop3 and imap subdomains for each hosted domain. Personally, I won't do that on my systems, just use a single domain name and communicate this to your customers, which even helps building your company as a brand.
     
    Th0m likes this.
  15. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    +1, you should only do this for your main domain.
     
  16. till

    till Super Moderator Staff Member ISPConfig Developer

    And one additional note, you might lose the valid SSL cert if one of these subdomains fails, so if one of your customers decides to remove DNS for one of the domains and you don't realize it in time, then renewal for all customers will fail until you find and remove that failing subdomain.
     
    ahrasis likes this.
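
The failure mode described in posts 14 and 16 (one dead customer subdomain blocking renewal of a shared certificate, and the 100-name limit) can be checked before each renewal. This is an added example, not part of the original thread or of ISPConfig; it assumes validation is done against the mail server's own addresses, and all names, IPs and the resolver table are constructed.

```python
import socket

MAX_NAMES = 100  # per-certificate name limit quoted in the thread

def system_resolver(name):
    """Addresses a name resolves to right now; empty set if it does not resolve."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()

def renewal_blockers(san_names, server_ips, resolve=system_resolver):
    """Return {name: reason} for every name that would fail validation."""
    allowed = set(server_ips)
    blockers = {}
    for name in san_names:
        addrs = set(resolve(name))
        if not addrs:
            blockers[name] = "no DNS record"
        elif addrs - allowed:
            # Any stray A/AAAA record can send the validation request elsewhere.
            blockers[name] = "points elsewhere: " + ", ".join(sorted(addrs - allowed))
    return blockers

def check_certificate(san_names, server_ips, resolve=system_resolver):
    """Summarise whether a certificate covering san_names can still be renewed."""
    blockers = renewal_blockers(san_names, server_ips, resolve)
    over = len(san_names) > MAX_NAMES
    return {"names": len(san_names), "over_limit": over,
            "blockers": blockers, "renewal_ok": not blockers and not over}

# Constructed sample data (documentation address ranges, hypothetical names).
SAMPLE_SERVER_IPS = ["192.0.2.10"]
SAMPLE_DNS = {
    "mail.example.com": {"192.0.2.10"},
    "mail.customer-a.example": {"192.0.2.10"},
    "mail.customer-b.example": set(),             # customer removed DNS
    "mail.customer-c.example": {"198.51.100.7"},  # customer moved away
}

def sample_resolver(name):
    """Offline stand-in for DNS, backed by the constructed table above."""
    return SAMPLE_DNS.get(name, set())

if __name__ == "__main__":
    report = check_certificate(list(SAMPLE_DNS), SAMPLE_SERVER_IPS, sample_resolver)
    for name, reason in sorted(report["blockers"].items()):
        print(f"remove before renewal: {name} ({reason})")
    print("renewal_ok:", report["renewal_ok"])
```

Run against the live name list with the default `system_resolver`, this can alert on a failing subdomain well before the shared certificate expires.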
  17. andreasli

    andreasli Member

    Thank you for the info and suggestions.

    Right now I have less than 20 domains. But the domains will be more over time. Then I think it is safer to just use the hostname. Most of my customers are businesses. It is safer for me to not have a separate alias-domain for each domain.
     
