Install Ubuntu 18.04 with ISPConfig 3.1 and RspamD on Hetzner Cloud

  1. Open console.hetzner.cloud and add a server
  2. Setup reverse address for Hetzner Cloud IP
  3. Install Ubuntu Server with OpenSSH Server only and reboot
  4. Bring up and configure eth0
  5. Update packages and reboot
  6. Install unattended upgrades
  7. Install ISPConfig 3.1 according to Perfect Server setup
    Apache, PHP 7.2, FCGI, SuExec, Pear, mcrypt, PHP Opcode, PHP-FPM, MariaDB, PhpMyAdmin, Redis, PureFTPD, Quota, Bind, Postfix, Dovecot, Roundcube Webmail, rkhunter, AmavisD, SpamAssassin, ClamAV, Let’s Encrypt, Vlogger, Webalizer, AWStats, Jailkit, fail2ban, UFW
  8. Install Timeserver
  9. Upgrade ISPConfig to Rspamd
  10. Purge AmavisD and SpamAssassin
  11. Setup SPF, DKIM, DMARC
  12. Setup Firewall
  13. Install Logwatch, Munin, Monit, Netdata

Hetzner Cloud

Setup reverse address
Should be something like cloud.domain.xx

Install Ubuntu
Mount ubuntu-18.04.3-server-amd64.iso
Reboot and install Ubuntu Server with OpenSSH server.

Setup eth0
Bring up network interface ens3
Rename network interface to eth0
Remove netplan, install ifupdown, set eth0 to Dynamic IP (DHCP) and reboot

Check hostname
hostname -f
Must be the same as reverse address of Hetzner Cloud IP address

Update packages and reboot
apt update && apt -y upgrade
reboot

root
Allow sudo for admin user
Set password for root

ssh
Allow ssh without password
Change sshd port
Permit root login

prompt
Setup color prompt

Install unattended upgrades

ISPConfig

Install ISPConfig (Perfect server setup)

ISPConfig Server Config
ISPConfig → System → Server Config → Server

Check interfaces
cat /etc/network/interfaces

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
        address <Hetzner Cloud IP address>
        netmask 255.255.255.255
        network <Hetzner Cloud IP address>
        broadcast <Hetzner Cloud IP address>
        gateway 172.31.1.1

DNS
Setup nameservers for Ubuntu 18.04
Use 127.0.0.1 as nameserver

LetsEncrypt
Install LetsEncrypt SSL certificates for ISPConfig server

PhpMyAdmin
Fix PhpMyAdmin count(): Parameter Bug

Check cronjobs
vi /etc/crontab
crontab -e
crontab -l

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# m  h dom mon dow command
  5  *  *   *   *   cd / && run-parts --report /etc/cron.hourly
  0  0  *   *   *   test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
  1  0  *   *   7   test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
  2  0  1   *   *   test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )

9 0 * * * /usr/bin/updatedb

* * * * * /usr/local/ispconfig/server/server.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done
* * * * * /usr/local/ispconfig/server/cron.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done

Timeserver
Install ntpd

Mailserver

Forward mails of root
vi /etc/aliases
root: root, [email protected]
newaliases

Check $myhostname
grep myhostname /etc/postfix/main.cf
Must be the same as reverse address of Hetzner Cloud IP address

SMTP banner
Setup SMTP Banner
echo QUIT | nc localhost 25

IMAP
Allow dots for IMAP folders for Dovecot Listescape plugin
Install Sieve service for Roundcubemail and Thunderbird

Upgrade ISPConfig to Rspamd
Replace AmavisD with RspamD

Remove AmavisD
apt purge amavisd-new

Remove Spamassassin
apt purge spamassassin

Add root to ISPConfig Spamfilter Whitelist
ISPConfig → Email → Spamfilter → Whitelist

User: @domain.xx
Email: [email protected]
Priority: 10 - highest
Active: ✓

Setup SPF
Add TXT record for domain

v=spf1 ip4:1.2.3.4 ip4:84.116.36.0/24 ip4:62.179.121.0/24 include:_spf.google.com -all
  • 1.2.3.4 … Hetzner IP address
  • ~all … softfail (deliver, but marked)
  • -all … hardfail (message not delivered)
  • ?all … neutral (does nothing)

Setup DMARC
Add TXT record for _dmarc.domain.xx

v=DMARC1; p=reject; rua=mailto:[email protected]

Setup DKIM
ISPConfig → Email → Domain → Mail Domain
1. Enable DKIM = checked
2. DKIM selector = mail
3. Generate DKIM Private-key

Add the generated TXT record for mail._domainkey.domain.xx to your nameserver and press Save.

DKIM public and private keys are in /var/lib/amavis/dkim

Test mailserver

Firewall

Setup UFW
ISPConfig → System → Firewall
Open TCP Ports 20,21,22,25,53,80,110,143,443,465,587,993,995,3306,8080,8081,10000
Open UDP Ports 53,123,3306

Check UFW Status
ufw status
Status: active

Monitoring

Install logwatch
apt install logwatch
Configure logwatch
vi /usr/share/logwatch/default.conf/logwatch.conf

LogDir = /var/log
TmpDir = /var/cache/logwatch

Output = mail
Format = html
Encode = base64

MailTo = [email protected]
MailFrom = [email protected]

Detail = High

Install monit
apt install monit
ISPConfig → System → Server Config → Server

ISPConfig → Monitor → Server State → Show Monit

Munin
Install Munin

Configure Munin

vi /etc/munin/munin-node.conf

# A list of addresses that are allowed to connect.  This must be a
# regular expression, since Net::Server does not understand CIDR-style
# network notation unless the perl module Net::CIDR is installed.  You
# may repeat the allow line as many times as you'd like

allow ^127\.0\.0\.1$
allow ^::1$
allow ^1\.2\.3\.4$      # Hetzner Cloud IP address
vi /etc/munin/munin.conf

[cloud.domain.xx]
    address 1.2.3.4     # Hetzner Cloud IP address
    use_node_name yes

restart munin
service munin-node restart

ISPConfig → System → Server Config → Server

ISPConfig → Monitor → Server State → Show Munin

Netdata
Install Netdata and opt-out

Install Nextcloud Hub (Nextcloud 18)