Securing your ISPConfig 3 managed mailserver with a valid Let’s Encrypt SSL certificate (certbot)

You can normally just give your server a nice name at the beginning of the install, but I recommend this route, as it works better once you start scaling your servers and adding multiple email servers.

Under Sites, click “Add new website”. Set as domain. Disable Auto-Subdomain, and check the Let’s Encrypt checkbox.

After this you can add your other hostnames as alias domains, by going to the aliasdomain list and clicking “Add new aliasdomain”. Select as domain, and as parent website.

With this you will be able to have clients log in to Gmail SMTP using this domain, or, if they want to pay extra, you can create one specific to their company domain like

Disable Auto-Subdomain and save the new record.

Verify that the certificate is in place. You can do this with a tool like

Replacing the certificate with the Let’s Encrypt certificate

All you're doing here is taking the SSL certificate you created in ISPConfig and having Postfix use it. You can also buy an SSL certificate and paste the values into ISPConfig. (From testing my email servers on multiple sites, the SSL doesn't matter just as long as the handshake etc… matches, so the free one works fine; no need to spend money.)

cd /etc/postfix/
mv smtpd.cert smtpd.cert-$(date +"%y%m%d%H%M%S").bak
mv smtpd.key smtpd.key-$(date +"%y%m%d%H%M%S").bak
ln -s /etc/letsencrypt/live/ smtpd.cert
ln -s /etc/letsencrypt/live/ smtpd.key
systemctl restart postfix
systemctl restart dovecot
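
To confirm the swap worked, the following added example (not part of the original post) checks that the symlinks resolve, that the key belongs to the certificate, that the certificate covers the mail hostname and that it is not about to expire. The function name, argument order and 14-day default are assumptions; pass your own paths and hostname.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the certificate and
# key that Postfix reads through the smtpd.cert / smtpd.key symlinks.
# check_mail_cert and the 14-day default are assumptions.

check_mail_cert() {
    cert=$1; key=$2; host=$3; min_days=${4:-14}

    # A dangling symlink (wrong path under /etc/letsencrypt/live/) fails here.
    for f in "$cert" "$key"; do
        [ -r "$f" ] || { echo "FAIL: cannot read $f"; return 1; }
    done

    # The private key must belong to the certificate: compare public keys.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
        { echo "FAIL: $cert is not a PEM certificate"; return 1; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
        { echo "FAIL: $key is not a PEM private key"; return 1; }
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "FAIL: key does not match certificate"; return 1; }

    # The certificate must cover the name mail clients connect to.
    openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q 'does match' ||
        { echo "FAIL: certificate does not cover $host"; return 1; }

    # -checkend exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null ||
        { echo "FAIL: certificate expires within $min_days days"; return 1; }

    echo "OK: $cert matches $key, covers $host, valid > $min_days days"
}

# Runs only when arguments are given, for example:
#   sh check_mail_cert.sh /etc/postfix/smtpd.cert /etc/postfix/smtpd.key HOSTNAME
[ $# -eq 0 ] || check_mail_cert "$@"
```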

Set up an automatic renewal script

nano /etc/init.d/

Paste this in that file (replace with the hostname you used):
#!/bin/sh
# Required-Start: $local_fs $network
# Required-Stop: $local_fs
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Description: Restart mail server automatically when a new Let's Encrypt certificate is issued.
systemctl restart postfix
systemctl restart dovecot

Save the file, then install incron, make the script executable and allow root to use incrontab:

apt install incron
chmod +x /etc/init.d/
echo "root" >> /etc/incron.allow

incrontab -e

Add this (again, replace with the hostname you used) to the file:

/etc/letsencrypt/archive/ IN_MODIFY /etc/init.d/

Apache Reverse Proxy for Docker Website or App in Ispconfig

Create a domain in ISPConfig as you normally would, with SSL.

Make sure you have proxy_http enabled:

sudo a2enmod proxy_http

ProxyPass /.well-known !
ProxyPass "/" "http://DockerIp:DockerPort/"
ProxyPassReverse "/" "http://DockerIp:DockerPort/"
RedirectMatch ^/$
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/
SSLCertificateKeyFile /etc/letsencrypt/live/

Replace http://DockerIp:DockerPort/ with your info with your domain or subdomain name


Install Composer in Debian 10 Buster to Use with Ispconfig and Jailkit

You must have ISPConfig and Jailkit installed.

Install Composer – hash updated May 2, 2021

cd ~
php -r "copy('', 'composer-setup.php');"
php -r "if (hash_file('sha384', 'composer-setup.php') === '756890a4488ce9024fc62c56153228907f1545c228516cbf63f885e036d37e9a59d27d63f46af1d4d07ee0f76181c7d3') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;"

php composer-setup.php --install-dir=/usr/local/bin --filename=composer

php -r "unlink('composer-setup.php');"
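
The PHP one-liner above prints the result, but the commands after it are run regardless. The following added example (not part of the original post) makes the check fail closed, so it can gate the install step with `&&`; the function name is an assumption, and the expected hash is whatever value you have pinned.

```shell
#!/bin/sh
# Added example, not from the original post: verify a downloaded installer
# against an expected SHA-384 and return non-zero on any mismatch.
# verify_installer is an assumed name.

verify_installer() {
    file=$1
    # Normalise case so a hash pasted in upper case still compares equal.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')

    [ -f "$file" ] || { echo "FAIL: $file not found" >&2; return 1; }

    # SHA-384 is 96 hex characters; reject a truncated or mangled paste early.
    case $expected in
        *[!0-9a-f]*) echo "FAIL: expected hash is not hex" >&2; return 1 ;;
    esac
    [ "${#expected}" -eq 96 ] ||
        { echo "FAIL: expected hash is not 96 hex characters" >&2; return 1; }

    actual=$(sha384sum "$file" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "FAIL: installer hash mismatch, removing $file" >&2
        rm -f "$file"
        return 1
    fi
    echo "Installer verified"
}

# Chain with && so a failed check stops the install:
#   verify_installer composer-setup.php "$EXPECTED_SHA384" &&
#       php composer-setup.php --install-dir=/usr/local/bin --filename=composer
[ $# -eq 0 ] || verify_installer "$@"
```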

Add code to jailkit to use as shell user

Add to /etc/jailkit/jk_init.ini

[php]
comment = the php interpreter and libraries
executables = /usr/bin/php, /usr/bin/php7.3
directories = /usr/lib/php, /usr/share/php, /usr/share/php-geshi, /etc/php, /usr/share/zoneinfo, /etc/snmp, /usr/share/snmp
includesections = env

[env]
comment = environment variables
executables = /usr/bin/env

[composer]
comment = Dependency Manager for PHP
executables = /usr/local/bin/composer
#directories = /usr/share/composer
includesections = php, uidbasics, netbasics

Once that is completed, go to System – Server Config, select the server you want Jailkit on, and add php and composer to “Jailkit chroot app sections”.


Install Virtual Machine Manager(libvirt) in Manjaro

STEP 1: Launch Terminal and enter the following command to install KVM and necessary dependencies.

sudo pacman -S virt-manager qemu vde2 ebtables dnsmasq bridge-utils openbsd-netcat

STEP 2: The next two steps are very important and often ignored by many users. Make sure to complete them, or else you will get the error “adduser: The group `libvirtd’ does not exist” when you run the Virtual Machine Manager after installation is complete!

Enable the service by entering the below command:

sudo systemctl enable libvirtd.service

STEP 3: Start the service using the below command:

sudo systemctl start libvirtd.service

sudo groupadd --system libvirt
sudo usermod -a -G libvirt $(whoami)
newgrp libvirt
# Verify that the user is added to the libvirt group.
id $(whoami)

Open the file /etc/libvirt/libvirtd.conf for editing.

sudo vim /etc/libvirt/libvirtd.conf

Set the UNIX domain socket group ownership to libvirt (around line 100):

unix_sock_group = "libvirt"

Set the UNIX socket permissions for the R/W socket (around line 102):

unix_sock_rw_perms = "0770"

Restart the libvirt daemon after making the change.

sudo systemctl restart libvirtd.service
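
If the two lines are edited but left commented out, the change has no effect. The following added example (not part of the original post) reads the effective settings from libvirtd.conf and flags an unset group or a R/W socket mode that grants access to all local users; the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: report the effective socket
# settings in libvirtd.conf. conf_value and audit_libvirt_sock are assumed names.

# Print the value of the last uncommented "key = value" line, without quotes.
conf_value() {
    awk -v key="$2" -F= '
        /^[ \t]*#/ { next }
        { k = $1; gsub(/[ \t]/, "", k) }
        k == key { v = $2; sub(/#.*/, "", v); gsub(/[ \t"]/, "", v); found = v }
        END { print found }' "$1"
}

audit_libvirt_sock() {
    conf=$1; rc=0
    group=$(conf_value "$conf" unix_sock_group)
    perms=$(conf_value "$conf" unix_sock_rw_perms)

    if [ -z "$group" ]; then
        echo "WARN: unix_sock_group is unset or still commented out"; rc=1
    fi
    case $perms in
        "")       echo "WARN: unix_sock_rw_perms is unset or still commented out"; rc=1 ;;
        *[!0-7]*) echo "WARN: unix_sock_rw_perms is not octal: $perms"; rc=1 ;;
        *[1-7])   echo "WARN: R/W socket is open to all local users: $perms"; rc=1 ;;
    esac

    if [ "$rc" -eq 0 ]; then
        echo "OK: R/W socket limited to group $group (mode $perms)"
        # Members of this group can manage VMs, which is effectively root on the host.
        getent group "$group" 2>/dev/null || true
    fi
    return "$rc"
}

# Runs only when a path is given, for example:
#   sh audit_libvirt_sock.sh /etc/libvirt/libvirtd.conf
[ $# -eq 0 ] || audit_libvirt_sock "$1"
```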