Install Ubuntu 18.04 with ISPConfig 3.1 and RspamD on Hetzner Cloud

  1. Open console.hetzner.cloud and add a server
  2. Install Ubuntu Server with OpenSSH Server only and reboot
  3. Bring up and configure eth0
  4. Update packages and reboot
  5. Install ISPConfig 3.1 according to Perfect Server setup
    Apache, PHP 7.2, FCGI, SuExec, Pear, mcrypt, PHP Opcode, PHP-FPM, MariaDB, PhpMyAdmin, Redis, PureFTPD, Quota, Bind, Postfix, Dovecot, Roundcube Webmail, rkhunter, AmavisD, SpamAssassin, ClamAV, Let’s Encrypt, Vlogger, Webalizer, AWStats, Jailkit, fail2ban, UFW
  6. Setup Dovecot/Postfix with SPF, DKIM, DMARC, ClamAV, Spamassassin autolearn and mailfilter rulesets, AmavisD, RspamD, RBLs
  7. Setup Firewall
  8. Install Logwatch, Munin, Monit, Netdata

Hetzner Cloud

Mount ubuntu-18.04.3-server-amd64.iso, reboot and install Ubuntu Server with OpenSSH server.

Bring up network interface

Check hostname
hostname -f
should be something like cloud.domain.xx

Update packages and reboot
apt update && apt -y upgrade
reboot

Allow sudo for admin user

Allow ssh without password

Setup color prompt

Rename network interface to eth0

Remove netplan, install ifupdown, set eth0 to Dynamic IP (DHCP) and reboot

ISPConfig

Install ejabberd XMPP daemon
apt install ejabberd

Install ISPConfig without Metronome XMPP Server

Configure ISPConfig Server Config
ISPConfig → System → Server Config → Server

Check interfaces
cat /etc/network/interfaces

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
        address <Hetzner Cloud IP address>
        netmask 255.255.255.255
        network <Hetzner Cloud IP address>
        broadcast <Hetzner Cloud IP address>
        gateway 172.31.1.1

Setup nameservers for Ubuntu 18.04
use 127.0.0.1 as nameserver

Install LetsEncrypt SSL certificates for ISPConfig server

Fix PhpMyAdmin count(): Parameter Bug

Mailserver

Replace AmavisD with RspamD

Switch back to AmavisD
System → Server Config → Server → Mail → Content Filter = AmavisD

disable non_smtpd_milters

vi /etc/postfix/main.cf

# non_smtpd_milters = inet:localhost:11332

service postfix restart

Install missing packages for amavisd and configure it for ISPConfig 3.1

Update Spamassassin and install Heinlein-Support and Schaal-IT Spamassassin rulesets

Forward mails of root
vi /etc/aliases
root: root, [email protected]
newaliases

Install logwatch
apt install logwatch
Configure logwatch
vi /usr/share/logwatch/default.conf/logwatch.conf

LogDir = /var/log
TmpDir = /var/cache/logwatch

Output = mail
Format = html
Encode = base64

MailTo = [email protected]
MailFrom = [email protected]

Detail = High

Check $myhostname
grep myhostname /etc/postfix/main.cf

Setup SMTP Banner
echo QUIT | nc localhost 25

Check cronjobs
vi /etc/crontab
crontab -e
crontab -l

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# m  h dom mon dow command
  5  *  *   *   *   cd / && run-parts --report /etc/cron.hourly
  0  0  *   *   *   test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
  1  0  *   *   7   test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
  2  0  1   *   *   test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )

9 0 * * * /usr/bin/updatedb

* * * * * /usr/local/ispconfig/server/server.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done
* * * * * /usr/local/ispconfig/server/cron.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done

Allow dots for IMAP folders for Dovecot Listescape plugin

Install Sieve service for Roundcubemail and Thunderbird

Setup and install to Postfix: SPF, DMARC, DKIM

Install Spamassassin autolearn (automatic training of SpamAssassin)

Setup RBL
ISPConfig → Server Config → Server → Mail → Real-time Blackhole List

zen.spamhaus.org,cbl.abuseat.org,dul.dnsbl.sorbs.net,ix.dnsbl.manitu.net

Improve Postfix antispam settings

  • Reject sender hostnames with invalid syntax
  • Reject sender hostnames that are not FQDNs
  • Reject sender domains that have no DNS records

vi /etc/postfix/main.cf

smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks,
        check_helo_access regexp:/etc/postfix/helo_access,
        check_helo_access regexp:/etc/postfix/blacklist_helo,
        reject_invalid_hostname, reject_non_fqdn_hostname,
        reject_invalid_helo_hostname, reject_unknown_helo_hostname,
        reject_unauth_destination, reject_non_fqdn_sender, reject_non_fqdn_recipient,
        reject_unknown_recipient_domain, reject_unauth_pipelining
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
        reject_unauth_destination,
        check_policy_service unix:private/policy-spf,
        check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf,
        check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf,
        reject_rbl_client zen.spamhaus.org, reject_rbl_client cbl.abuseat.org,
        reject_rbl_client dul.dnsbl.sorbs.net, reject_rbl_client ix.dnsbl.manitu.net,
        reject_invalid_hostname, reject_non_fqdn_hostname,
        reject_non_fqdn_sender, reject_non_fqdn_recipient,
        reject_unknown_sender_domain, reject_unknown_recipient_domain,
        reject_unauth_pipelining

service postfix restart

Check Postfix filter settings
vi /etc/postfix/main.cf

# Amavis
receive_override_options = no_address_mappings
content_filter = amavis:[127.0.0.1]:10024

# RspamD
#non_smtpd_milters = inet:localhost:11332
#smtpd_milters = inet:localhost:11332
#milter_protocol = 6
#milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
#milter_default_action = accept

# SPF
smtpd_recipient_restrictions = ...,...,...,check_policy_service unix:private/policy-spf
policyd-spf_time_limit = 3600

# DMARC
opendmarc_milter = inet:localhost:8892

# DKIM
#smtpd_milters = inet:localhost:11025
#non_smtpd_milters = inet:localhost:11025

# DKIM + RspamD
smtpd_milters = inet:localhost:11025 inet:localhost:11332
non_smtpd_milters = inet:localhost:11025 inet:localhost:11332
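A quick way to verify both the antispam restrictions and the filter wiring above after editing main.cf. This is an added example, not part of the original notes: it reads a Postfix main.cf, resolves the effective value of a parameter (last assignment wins, commented lines ignored, continuation lines joined), reports which of the listed restrictions are missing, and tells you whether mail is handed to AmavisD, to RspamD, or to both (the notes comment out one of them precisely so mail is not scanned twice). The sample main.cf written by write_sample_maincf is constructed here; on a real server point the functions at /etc/postfix/main.cf instead.

```shell
#!/bin/sh
# Added example (not from the original notes): sanity-check a Postfix main.cf
# for the anti-spam restrictions and the AmavisD/RspamD filter wiring.
# The sample file written by write_sample_maincf is constructed, not copied
# from a real server.

# Print the effective value of a main.cf parameter ($2) from file $1:
# lines starting with '#' are ignored, leading-whitespace lines continue the
# previous value (Postfix syntax) and, as in Postfix, the last assignment wins.
postfix_param() {
    awk -v p="$2" '
        /^[ \t]/ && inval { val = val " " $0; next }
        { inval = 0 }
        $0 ~ "^" p "[ \t]*=" { sub(/^[^=]*=[ \t]*/, ""); val = $0; inval = 1 }
        END { if (val != "") print val }
    ' "$1"
}

# Succeed if the parameter value contains the keyword as a whole token
# (a restriction name, an RBL hostname, a policy service, ...).
has_restriction() {
    postfix_param "$1" "$2" | tr ', \t' '\n\n\n' | grep -qx "$3"
}

# Print each expected keyword that is missing from the parameter.
missing_restrictions() {
    file="$1"; param="$2"; shift 2
    for kw in "$@"; do
        has_restriction "$file" "$param" "$kw" || echo "$kw"
    done
}

# Report which scanner Postfix hands mail to: "amavis" (content_filter on the
# amavisd port), "rspamd" (smtpd_milters lists the rspamd proxy port 11332),
# "both" (mail would be scanned twice) or "none".
filter_mode() {
    amavis=0; rspamd=0
    postfix_param "$1" content_filter | grep -q '^amavis:' && amavis=1
    postfix_param "$1" smtpd_milters | grep -q ':11332' && rspamd=1
    case "$amavis$rspamd" in
        10) echo amavis ;;
        01) echo rspamd ;;
        11) echo both ;;
        *)  echo none ;;
    esac
}

# Constructed main.cf fragment mirroring the settings from these notes.
write_sample_maincf() {
    cat > "$1" <<'EOF'
# Amavis
receive_override_options = no_address_mappings
content_filter = amavis:[127.0.0.1]:10024
# RspamD (commented out after switching back to AmavisD)
#smtpd_milters = inet:localhost:11332
#non_smtpd_milters = inet:localhost:11332
# DKIM
smtpd_milters = inet:localhost:11025
non_smtpd_milters = inet:localhost:11025
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
        reject_unauth_destination, check_policy_service unix:private/policy-spf,
        reject_rbl_client zen.spamhaus.org, reject_non_fqdn_sender,
        reject_unknown_recipient_domain
EOF
}

sample="${TMPDIR:-/tmp}/main.cf.sample"
write_sample_maincf "$sample"
echo "content filter: $(filter_mode "$sample")"
echo "missing from smtpd_recipient_restrictions:"
missing_restrictions "$sample" smtpd_recipient_restrictions \
    reject_unauth_destination reject_unknown_sender_domain \
    reject_non_fqdn_sender reject_rbl_client
```

On the constructed sample the output names reject_unknown_sender_domain as the one missing restriction and reports the content filter as amavis. Run the same functions against /etc/postfix/main.cf after switching between AmavisD and RspamD in ISPConfig to confirm that only one of the two is active.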

Add server and domain to ISPConfig Spamfilter Whitelist
ISPConfig → Email → Spamfilter → Whitelist

User: @domain.xx
Email: @cloud.domain.xx
Priority: 10 - highest
Active: ✓

Firewall

Setup UFW
ISPConfig → System → Firewall
Open TCP Ports 20,21,22,25,53,80,110,143,443,465,587,993,995,3306,8080,8081,10000
Open UDP Ports 53,123,3306

Check UFW Status
ufw status
Status: active
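`ufw status` on its own only tells you the firewall is up; the list of allowed ports still has to be compared with the one entered in ISPConfig. The following is an added example, not part of the original notes: it parses `ufw status` output (ufw's "To / Action / From" table, including the "20,21,22/tcp" multiport and "8080:8081/tcp" range forms it prints) and lists every port from the notes that is not allowed for a protocol. The status output written by write_sample_ufw_status is constructed and deliberately leaves out 3306; on a real server feed the functions a file produced by `ufw status`.

```shell
#!/bin/sh
# Added example (not from the original notes): compare the ports these notes
# open in ISPConfig's UFW page with `ufw status` output. The status output
# written by write_sample_ufw_status is constructed.

EXPECTED_TCP="20 21 22 25 53 80 110 143 443 465 587 993 995 3306 8080 8081 10000"
EXPECTED_UDP="53 123 3306"

# Print every port ALLOWed for a protocol ($2 = tcp or udp) in the status
# file $1, one per line. Handles ufw's "20,21,22/tcp" multiport form,
# "8080:8081/tcp" ranges and bare entries such as "53", which apply to both.
ufw_allowed_ports() {
    awk -v proto="$2" '
        / ALLOW / {
            n = split($1, spec, "/")
            if (n == 2 && spec[2] != proto) next
            m = split(spec[1], ports, ",")
            for (i = 1; i <= m; i++) {
                if (split(ports[i], r, ":") == 2) {
                    for (p = r[1] + 0; p <= r[2] + 0; p++) print p
                } else {
                    print ports[i]
                }
            }
        }' "$1" | sort -un
}

# Print the expected ports ($3, space separated) for protocol $2 that the
# status file $1 does not ALLOW.
ufw_missing_ports() {
    allowed=$(ufw_allowed_ports "$1" "$2")
    for p in $3; do
        echo "$allowed" | grep -qx "$p" || echo "$p"
    done
}

# Constructed `ufw status` output, deliberately without 3306 on either protocol.
write_sample_ufw_status() {
    cat > "$1" <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
20,21,22,25,80,110,143/tcp ALLOW       Anywhere
443,465,587,993,995/tcp    ALLOW       Anywhere
8080:8081/tcp              ALLOW       Anywhere
10000/tcp                  ALLOW       Anywhere
53                         ALLOW       Anywhere
123/udp                    ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
EOF
}

sample="${TMPDIR:-/tmp}/ufw-status.sample"
write_sample_ufw_status "$sample"
echo "TCP ports not allowed: $(ufw_missing_ports "$sample" tcp "$EXPECTED_TCP")"
echo "UDP ports not allowed: $(ufw_missing_ports "$sample" udp "$EXPECTED_UDP")"
```

The same comparison run the other way round (ports allowed but not expected) is what you want before exposing a host: an ALLOW that is not in your list is the more interesting finding.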

Monitoring

Install monit
apt install monit
ISPConfig → System → Server Config → Server

ISPConfig → Monitor → Server State → Show Monit

Install Munin

Configure Munin

vi /etc/munin/munin-node.conf

# A list of addresses that are allowed to connect.  This must be a
# regular expression, since Net::Server does not understand CIDR-style
# network notation unless the perl module Net::CIDR is installed.  You
# may repeat the allow line as many times as you'd like

allow ^127\.0\.0\.1$
allow ^::1$
allow ^1\.2\.3\.4$      # Hetzner Cloud IP address

vi /etc/munin/munin.conf

[cloud.domain.xx]
    address 1.2.3.4     # Hetzner Cloud IP address
    use_node_name yes

Restart munin
service munin-node restart
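The `allow` lines in munin-node.conf are regular expressions, so the `^`, `$` and `\.` in them are what keeps other hosts from polling the node: `1\.2\.3\.4` without anchors would also accept 11.2.3.45. The following is an added example, not part of the original notes or of Munin: it extracts the allow patterns from a munin-node.conf, tests candidate addresses against them and flags patterns that are not anchored at both ends. Both sample configs are constructed (the "loose" one exists only to show the failure mode), and grep -E stands in for the Perl regex engine Net::Server uses; for patterns this simple the two agree.

```shell
#!/bin/sh
# Added example (not from the original notes): check munin-node.conf allow
# regexes against candidate addresses. Both sample configs are constructed.

# Constructed copy of the allow lines from the notes (all anchored).
write_sample_munin_node_conf() {
    cat > "$1" <<'EOF'
# A list of addresses that are allowed to connect.
allow ^127\.0\.0\.1$
allow ^::1$
allow ^1\.2\.3\.4$      # Hetzner Cloud IP address
EOF
}

# Constructed config with an unanchored pattern for the cloud IP.
write_loose_munin_node_conf() {
    cat > "$1" <<'EOF'
allow ^127\.0\.0\.1$
allow 1\.2\.3\.4
EOF
}

# Print the regex of every allow line in $1, trailing comments removed.
munin_allow_patterns() {
    sed -n -e 's/[[:space:]]*#.*$//' -e 's/^allow[[:space:]]*//p' "$1"
}

# Succeed if address $2 matches at least one allow pattern in config $1.
munin_would_allow() {
    patterns="${TMPDIR:-/tmp}/munin-allow.$$"
    munin_allow_patterns "$1" > "$patterns"
    if printf '%s\n' "$2" | grep -Eq -f "$patterns"; then rc=0; else rc=1; fi
    rm -f "$patterns"
    return $rc
}

# Print allow patterns that are not anchored with both ^ and $: such a
# pattern matches any address that merely contains the string.
munin_unanchored_patterns() {
    munin_allow_patterns "$1" | grep -Ev '^\^.*\$$'
}

good="${TMPDIR:-/tmp}/munin-node.good"
loose="${TMPDIR:-/tmp}/munin-node.loose"
write_sample_munin_node_conf "$good"
write_loose_munin_node_conf "$loose"
for addr in 1.2.3.4 11.2.3.4 1.2.3.45; do
    for conf in "$good" "$loose"; do
        if munin_would_allow "$conf" "$addr"; then verdict=allows; else verdict=rejects; fi
        echo "$(basename "$conf") $verdict $addr"
    done
done
echo "unanchored patterns in the loose config:"
munin_unanchored_patterns "$loose" || echo "(none)"
```

Run munin_unanchored_patterns against /etc/munin/munin-node.conf whenever an allow line is added; an empty result means every pattern is pinned to one exact address.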

ISPConfig → System → Server Config → Server

ISPConfig → Monitor → Server State → Show Munin

Install Netdata and opt-out

Install Nextcloud Hub (Nextcloud 18)