Hi, I have plans to set up ISPConfig with the autoinstaller. When I have tested it, it has worked well, but I have a few questions I want to ask before setting up a production system with it. I use Debian for my servers.

1. The auto installer automatically installs clamav and there seems to be no option to disable it from the install. Is there any reason for that? For example, I see no reason to install clamav on the DNS servers.
2. The mail setup uses 2 mail servers with a mail cluster. For Roundcube there is an option to have mx1 for ssl and mx2 for tls, but what if I use a mail client? How can the system know which mail server to use? I have used two MX servers before, mx10 and mx20, then the system knows which mail server to use, but if I have understood it correctly, in this setup there should be only one MX.
3. Is there any way to enable backups by default? For example, when I create a new domain or email account the backup system is turned off by default. Can I change that so the backups are turned on by default and 7 backups are saved?
4. Is there any way to set up a WAF (web application firewall) with ISPConfig?
clamav is used to scan your server for malicious files. These could exist on DNS servers as well (though one suddenly existing is not likely). As far as I know, we don't have an option to skip it, but it doesn't hurt to be on your server anyway.

What do you mean with "For Roundcube there are a option to have mx1 for ssl and mx2 for tls"? I suppose you mean IMAP and SMTP? The MX record defines which servers to use for incoming mail for a domain. You can set the same priority so both are "equally" used for incoming messages. For SMTP and IMAP you can either set up a highly available load balancer in front of it to distribute the traffic over the 2 servers, or just use one of them.

For a simple/new hosting setup, I would recommend doing the following:

- Incoming email: Two priority 10 MX records pointing to mx1 and mx2
- Webmail (SMTP and IMAP): use mx2
- E-mail clients (Thunderbird, Outlook, etc.): use mx1 (point smtp.example.com and imap.example.com to the IP of mx1)

(Why use smtp.example.com and imap.example.com instead of mx1.example.com? This way, you can easily make changes later on, e.g. pointing smtp. and imap. to a load balancer.)

Yes, you can change the default value of the related column in the database.

You can use modsecurity with Apache.
Thank you for your answer @Th0m. Yes, you are right. What I referred to was the following in your tutorial: Now I think it is more clear for me how the setup works. I will make a reply on this thread if I face any problems.
Alright, great. One more thing, in my previous reply I stated that you could/should use mx2 as SMTP server for the webmail. This is fine, but what might be better is using mx1, so you only have to worry about the IP reputation of one IP (and with smaller setups that don't have a lot of email traffic you want to send as much as you can with one IP). So you're going to be following https://www.howtoforge.com/tutorial/ispconfig-multiserver-setup-debian-ubuntu/, right?
Thank you for the info. Yes, that's correct, I should have mentioned that in my first post. The idea is to have a setup like the following:

- panel.example.com
- web.example.com
- ns1.example.com
- ns2.example.com
- mail.example.com
- mailsec.example.com
I have set up a test install using this guide: https://www.howtoforge.com/tutorial/ispconfig-multiserver-setup-debian-ubuntu/

The only problem I have is that SSL certificates for alias domains are not created for the secondary mail server. I have set up the secondary mail server as a mirror of the first mail server. When I go to Sites > Aliasdomain for websites I can create the alias domain. But if I check it with https://www.sslshopper.com/ssl-checker.html it shows that the alias domain I just created is not a part of the SSL certificate for the parent website. I also tried to temporarily disable the mirror, then it worked to create an alias domain on the secondary mail server. Should it work like this? In the letsencrypt log I couldn't find anything that helped me.
Btw, why don't you use the built-in SSL functions from the ISPConfig installer? ISPConfig creates the SSL certs on its own at install time since ISPConfig 3.2; no websites or alias domains are required anymore.
Correct me if I am wrong, but I think the built-in SSL functions only work for the hostname. I want to use the subdomain "mail" for all domains and not the hostname.
So each domain shall use its own mail domain? That's generally possible as long as you plan to set up a very small system. The max limit of the whole server system is 100 subdomains in this case. Just had a customer that insisted on doing this and then he ran into failures after 33 domains on his large cluster system as he added smtp, pop3 and imap subdomains for each hosted domain. Personally, I won't do that on my systems, just use a single domain name and communicate this to your customers, which even helps building your company as a brand.
And one additional note, you might lose the valid SSL cert if one of these subdomains fails, so if one of your customers decides to remove DNS for one of the domains and you don't realize it in time, then renewal for all customers will fail until you find and remove that failing subdomain.
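The failure mode described in the two posts above can be caught before a renewal run. The following is an added example, not part of the thread and not ISPConfig code: it classifies every name on a shared mail certificate by whether it still resolves to the mail server, and flags the 100-name limit. The function names, the sample hostnames and the documentation IP addresses are constructed for illustration, and treating a name that points elsewhere as failing is an assumption that validation is done against this server.

```python
import socket

MAX_NAMES_PER_CERT = 100  # limit quoted in the thread for one certificate

def system_resolver(name):
    """Return the set of addresses a name resolves to (empty set if none)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()

def check_cert_names(names, server_ips, resolve=system_resolver):
    # "failing" holds names with no DNS record or pointing at another host;
    # a single one of these blocks renewal of the whole shared certificate.
    server_ips = set(server_ips)
    ok, failing = [], []
    for name in sorted({n.lower().rstrip(".") for n in names}):
        addrs = resolve(name)
        (ok if addrs & server_ips else failing).append(name)
    return {"ok": ok, "failing": failing,
            "over_limit": len(ok) + len(failing) > MAX_NAMES_PER_CERT}

# Constructed sample data (hypothetical names, documentation addresses).
SAMPLE_DNS = {
    "mail.example.com": {"192.0.2.10"},
    "mail.customer-a.example": {"192.0.2.10"},
    "mail.customer-b.example": {"198.51.100.7"},  # DNS moved to another host
    # mail.customer-c.example: record removed, so no entry at all
}
SAMPLE_NAMES = ["mail.example.com", "mail.customer-a.example",
                "mail.customer-b.example", "mail.customer-c.example"]

def sample_resolver(name):
    """Offline stand-in for DNS, backed by the constructed table above."""
    return SAMPLE_DNS.get(name, set())

if __name__ == "__main__":
    report = check_cert_names(SAMPLE_NAMES, {"192.0.2.10"}, sample_resolver)
    for name in report["failing"]:
        print("remove before renewal:", name)
    if report["over_limit"]:
        print("too many names for one certificate")
```

Run with the default `system_resolver` and the real list of alias domains, a non-empty `failing` list is the signal to remove those names before the next renewal attempt.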
Thank you for the info and suggestions. Right now I have less than 20 domains. But the domains will be more over time. Then I think it is safer to just use the hostname. Most of my customers are businesses. It is safer for me to not have a separate alias domain for each domain.