Install Ubuntu 18.04 with ISPConfig 3.1 and Rspamd on Hetzner Cloud
- Open console.hetzner.cloud and add a server
- Setup reverse address for Hetzner Cloud IP
- Install Ubuntu Server with OpenSSH Server only and reboot
- Bring up and configure eth0
- Update packages and reboot
- Install unattended upgrades
- Install ISPConfig 3.1 according to HowtoForge Perfect Server setup
Apache, PHP 7.2, FCGI, SuExec, Pear, mcrypt, PHP Opcode, PHP-FPM, MariaDB, PhpMyAdmin, Redis, PureFTPD, Quota, Bind, Postfix, Dovecot, Roundcube Webmail, rkhunter, AmavisD, SpamAssassin, ClamAV, Let’s Encrypt, Vlogger, Webalizer, AWStats, Jailkit, fail2ban, UFW
- Install Timeserver
- Install Rspamd
- Stop SpamAssassin and install missing Perl modules
- Setup SPF, DKIM, DMARC
- Setup Firewall
- Install Logwatch, Munin, Monit, Netdata
- Install GeoLite2-City.mmdb
- Configure GoAccess
- Enable Roundcube Plugins
Hetzner Cloud
Setup reverse address
Should be something like cloud.domain.xx
Install Ubuntu
Mount ubuntu-18.04.3-server-amd64.iso
Reboot and install Ubuntu Server with OpenSSH server.
Setup eth0
Bring up network interface ens3
Rename network interface to eth0
Remove netplan, install ifupdown, set eth0 to Dynamic IP (DHCP) and reboot
Check hostname
hostname -f
Must be the same as reverse address of Hetzner Cloud IP address
Update packages and reboot
apt update && apt -y upgrade
reboot
root
Allow sudo for admin user
Set password for root
ssh
Allow key-based ssh login (no password authentication)
Change sshd port (add the new port to the UFW list below before reloading sshd; the default list only opens 22)
Permit root login (PermitRootLogin prohibit-password, so root gets in with a key only; never yes)
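A check for the three sshd settings above, as an added example script (not part of the original notes). It parses sshd_config the way sshd does: the first occurrence of a keyword wins, keywords are case-insensitive, and anything under a Match block is conditional rather than global. The sample configuration embedded in it is constructed.

```shell
#!/bin/sh
# Added example, not part of the original notes: audit PermitRootLogin,
# PasswordAuthentication and Port in an sshd_config. The sample below is constructed.

# sshd_setting CONFIG KEY -> effective global value of KEY, or empty if unset
sshd_setting() {
    printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }                 # skip comments and blank lines
        tolower($1) == "match" { exit }               # Match blocks are conditional, not global
        {
            line = $0; sub(/^[[:space:]]+/, "", line)
            split(line, kv, "[[:space:]=]+")          # "Key value" and "Key=value" are both legal
            if (tolower(kv[1]) == key) { print kv[2]; exit }   # first occurrence wins
        }'
}

# audit_sshd CONFIG -> prints one line per weak setting and returns their count
audit_sshd() {
    local n=0 root pw port
    root=$(sshd_setting "$1" PermitRootLogin); root=${root:-prohibit-password}  # OpenSSH default
    pw=$(sshd_setting "$1" PasswordAuthentication); pw=${pw:-yes}               # OpenSSH default
    port=$(sshd_setting "$1" Port); port=${port:-22}
    if [ "$root" = "yes" ]; then
        echo "PermitRootLogin yes: root can log in with a password; use prohibit-password (key only) or no"
        n=$((n+1))
    fi
    if [ "$pw" = "yes" ]; then
        echo "PasswordAuthentication yes: brute-force target; set no once your key login works"
        n=$((n+1))
    fi
    if [ "$port" != "22" ]; then
        echo "note: sshd on port $port; allow it in UFW before reloading sshd or you lock yourself out"
    fi
    return "$n"
}

# On the server: sshd -T prints the effective configuration (needs root).
live_sshd_audit() {
    audit_sshd "$(sshd -T)" || echo "$? weak setting(s)"
}

# Constructed sample: the second PasswordAuthentication line and the Match block are
# ignored, so the effective global settings are key-only root and no passwords.
SAMPLE_SSHD_CONFIG='# constructed sshd_config sample
Port 2222
PermitRootLogin prohibit-password
PasswordAuthentication no
PasswordAuthentication yes
Match User deploy
    PasswordAuthentication yes'

case "${1:-}" in
    --demo) audit_sshd "$SAMPLE_SSHD_CONFIG" || echo "$? weak setting(s)" ;;
    --live) live_sshd_audit ;;
esac
```

Run it with `--demo` to see the parser on the sample, or with `--live` on the server after the sshd changes; `sshd -T` is the authoritative view because it applies defaults and the first-match rule for you.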
prompt
Setup color prompt
ISPConfig
Install ISPConfig (Perfect server setup)
ISPConfig Server Config
ISPConfig → System → Server Config → Server
Check interfaces
cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto eth0
iface eth0 inet static
address <Hetzner Cloud IP address>
netmask 255.255.255.255
network <Hetzner Cloud IP address>
broadcast <Hetzner Cloud IP address>
gateway 172.31.1.1
DNS
Setup nameservers for Ubuntu 18.04
Use 127.0.0.1 as nameserver
LetsEncrypt
Install LetsEncrypt SSL certificates for ISPConfig server
PhpMyAdmin
Fix the phpMyAdmin "count(): Parameter must be an array or an object" warning (phpMyAdmin 4.6.6 on PHP 7.2)
Check cronjobs
vi /etc/crontab
crontab -e
crontab -l
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
# m h dom mon dow command
5 * * * * cd / && run-parts --report /etc/cron.hourly
0 0 * * * test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
1 0 * * 7 test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
2 0 1 * * test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
9 0 * * * /usr/bin/updatedb
* * * * * /usr/local/ispconfig/server/server.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done
* * * * * /usr/local/ispconfig/server/cron.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done
Timeserver
Install ntpd
Mailserver
Forward mails of root
vi /etc/aliases
root: root, [email protected]
newaliases
Check $myhostname
grep myhostname /etc/postfix/main.cf
Must be the same as reverse address of Hetzner Cloud IP address
SMTP banner
Setup SMTP banner
echo QUIT | nc localhost 25
The 220 greeting should be nothing more than the hostname followed by ESMTP; the Postfix default also appends the software name and "(Ubuntu)", which advertises what you run for no benefit.
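The two "must be the same as the reverse address" checks above and the banner check, as one added example script (not part of the original notes). It cross-checks `hostname -f`, the PTR of the server IP and Postfix's `$myhostname`, which is exactly what a receiving MTA compares, and flags a greeting that advertises software. The names used by `--demo` (cloud.domain.xx, static.1.2.3.4.example.net) are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original notes: check the names a receiving MTA
# compares (hostname -f, PTR, $myhostname) and the content of the SMTP greeting.

# norm_fqdn NAME -> lowercase, no surrounding whitespace, no trailing dot
norm_fqdn() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//; s/\.$//'
}

# identity_mismatches HOSTNAME PTR MYHOSTNAME -> one line per disagreement; returns their count
identity_mismatches() {
    local host ptr myh n
    host=$(norm_fqdn "$1"); ptr=$(norm_fqdn "$2"); myh=$(norm_fqdn "$3"); n=0
    if [ -z "$ptr" ]; then
        echo "no PTR record: set the reverse DNS entry for the IP in the Hetzner console"; n=$((n+1))
    elif [ "$ptr" != "$host" ]; then
        echo "PTR mismatch: hostname=$host ptr=$ptr"; n=$((n+1))
    fi
    if [ "$myh" != "$host" ]; then
        echo "postfix myhostname mismatch: hostname=$host myhostname=$myh"; n=$((n+1))
    fi
    return "$n"
}

# banner_leaks_version GREETING -> true when the 220 line carries more than "<host> ESMTP"
# (Postfix's default appends "$mail_name (Ubuntu)", i.e. software name and distribution)
banner_leaks_version() {
    [ "$(printf '%s' "$1" | sed 's/^220[ -]//' |
          awk '{ print NF } END { if (NR == 0) print 0 }')" -gt 2 ]
}

# On the server: needs dig (dnsutils), nc and Postfix's postconf.
live_mail_identity_check() {
    local host ip ptr myh banner
    host=$(hostname -f)
    ip=$(dig +short "$host" A | head -n 1)
    ptr=''
    [ -n "$ip" ] && ptr=$(dig +short -x "$ip" | head -n 1)
    myh=$(postconf -h myhostname)
    identity_mismatches "$host" "$ptr" "$myh" || echo "$? name(s) disagree"
    banner=$(printf 'QUIT\r\n' | nc -w 3 localhost 25 | head -n 1)
    if banner_leaks_version "$banner"; then
        echo "greeting advertises software: $banner"
        echo "fix: postconf -e 'smtpd_banner = \$myhostname ESMTP' && systemctl reload postfix"
    fi
}

case "${1:-}" in
    --demo)  # constructed values: PTR still points at the provider's generic name
        identity_mismatches 'Cloud.Domain.xx' 'static.1.2.3.4.example.net.' 'cloud.domain.xx' ||
            echo "$? name(s) disagree"
        banner_leaks_version '220 cloud.domain.xx ESMTP Postfix (Ubuntu)' &&
            echo 'demo greeting advertises software' ;;
    --live) live_mail_identity_check ;;
esac
```

`--live` queries the public DNS from the box itself, so run it after the reverse entry has propagated; a PTR that still carries the provider's generic name is the most common reason mail from a fresh cloud server lands in spam.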
IMAP
Allow dots in IMAP folder names (Dovecot listescape plugin)
Install Sieve service for Roundcubemail and Thunderbird
Rspamd
Replace AmavisD with Rspamd
Enable Extended Spam Headers
Setup Rspamd Autolearn Spam/Ham
Allow white/blacklists with multimap
getmail
Rewrite “Return-Path” to “Sender Email”
Stop Spamassassin
You may want to install the missing Perl modules before stopping it, because Amavis uses SpamAssassin directly and that is where the missing-module warnings come from.
service spamassassin stop
update-rc.d -f spamassassin remove
Add root to ISPConfig Spamfilter Whitelist
ISPConfig → Email → Spamfilter → Whitelist
User: @domain.xx
Email: [email protected]
Priority: 10 - highest
Active: ✓
Setup SPF
Add TXT record for domain
v=spf1 ip4:1.2.3.4 ip4:84.116.36.0/24 ip4:62.179.121.0/24 include:_spf.google.com -all
- 1.2.3.4 … Hetzner IP address
~all … softfail (delivered, but marked)
-all … hardfail (message not delivered)
?all … neutral (does nothing)
Setup DMARC
Add TXT record for _dmarc.domain.xx
v=DMARC1; p=reject; rua=mailto:[email protected]
Start with p=none and read the aggregate reports sent to the rua address for a while before moving to quarantine and finally reject; p=reject on a domain whose SPF or DKIM is still incomplete gets your own mail dropped.
Setup DKIM
ISPConfig → Email → Domain → Mail Domain
1. Enable DKIM = checked
2. DKIM selector = mail
3. Generate DKIM Private-key
Add the generated TXT record for mail._domainkey.domain.xx
to your nameserver and press Save.
DKIM public and private keys are in /var/lib/amavis/dkim
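A record checker for the SPF, DMARC and DKIM steps above, as an added example script (not part of the original notes). The parsing functions work on record strings and are what `--demo` exercises with constructed records; `--live` fetches the real ones with dig. domain.xx, 1.2.3.4 and dmarc@domain.xx are placeholders, and the SPF lookup counter goes beyond the page by applying the RFC 7208 ten-lookup limit to any record, not just the one shown.

```shell
#!/bin/sh
# Added example, not part of the original notes: parse SPF, DMARC and DKIM TXT
# records and report what they actually enforce. Records in --demo are constructed.

# unquote RECORD -> dig +short wraps TXT data in quotes and splits long records into
# several quoted strings ("..." "..."); join the pieces and strip the quotes
unquote() {
    printf '%s' "$1" | sed 's/" "//g; s/^"//; s/"$//'
}

# spf_all_qualifier RECORD -> hardfail|softfail|neutral|pass|redirect|missing, or invalid (rc 1)
spf_all_qualifier() {
    local rec first last
    rec=$(unquote "$1")
    first=$(printf '%s' "$rec" | awk '{ print $1 }')
    last=$(printf '%s' "$rec" | awk '{ print $NF }')
    [ "$first" = "v=spf1" ] || { echo invalid; return 1; }
    case "$last" in
        '-all')      echo hardfail ;;   # unlisted senders are rejected
        '~all')      echo softfail ;;   # accepted but marked
        '?all')      echo neutral ;;    # says nothing about unlisted senders
        '+all'|all)  echo pass ;;       # authorises every host on the internet: no SPF at all
        redirect=*)  echo redirect ;;   # policy lives in another domain's record
        *)           echo missing ;;    # no terminal all: unlisted senders get neutral
    esac
}

# spf_lookup_count RECORD -> DNS-querying terms; RFC 7208 caps them at 10 (permerror above)
spf_lookup_count() {
    unquote "$1" | tr ' ' '\n' |
        grep -c -E '^[-~?+]?(include:|a$|a:|a/|mx$|mx:|mx/|ptr|exists:|redirect=)' || true
}

# tag_value RECORD TAG -> value of "TAG=..." in a semicolon-separated record (DMARC, DKIM)
tag_value() {
    unquote "$1" | tr ';' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
        awk -F= -v tag="$2" '$1 == tag { sub(/^[^=]*=/, ""); print; exit }'
}

# dmarc_policy_ok RECORD -> 0 when v=DMARC1 and p is none|quarantine|reject
dmarc_policy_ok() {
    [ "$(tag_value "$1" v)" = "DMARC1" ] || return 1
    case "$(tag_value "$1" p)" in none|quarantine|reject) return 0 ;; *) return 1 ;; esac
}

# dkim_record_ok RECORD -> 0 when the selector record publishes a key (p= non-empty and
# v absent or DKIM1); an empty p= is how a key is revoked
dkim_record_ok() {
    [ -n "$(tag_value "$1" p)" ] || return 1
    case "$(tag_value "$1" v)" in ''|DKIM1) return 0 ;; *) return 1 ;; esac
}

# check_mail_dns DOMAIN [SELECTOR] -> live query of the published records (needs dig)
check_mail_dns() {
    local domain="$1" selector="${2:-mail}" spf dmarc dkim
    spf=$(dig +short TXT "$domain" | grep -i '^"v=spf1' | head -n 1)
    dmarc=$(dig +short TXT "_dmarc.$domain" | head -n 1)
    dkim=$(dig +short TXT "$selector._domainkey.$domain" | head -n 1)
    echo "SPF  : $(spf_all_qualifier "$spf") with $(spf_lookup_count "$spf")/10 DNS lookups"
    echo "DMARC: p=$(tag_value "$dmarc" p) rua=$(tag_value "$dmarc" rua)"
    if dkim_record_ok "$dkim"; then echo "DKIM : key published at $selector._domainkey.$domain"
    else echo "DKIM : no usable key at $selector._domainkey.$domain"; fi
}

case "${1:-}" in
    --demo)  # constructed records mirroring the ones set up above
        SPF='v=spf1 ip4:1.2.3.4 ip4:84.116.36.0/24 ip4:62.179.121.0/24 include:_spf.google.com -all'
        DMARC='v=DMARC1; p=reject; rua=mailto:dmarc@domain.xx'
        echo "SPF  : $(spf_all_qualifier "$SPF") with $(spf_lookup_count "$SPF")/10 DNS lookups"
        echo "DMARC: p=$(tag_value "$DMARC" p) rua=$(tag_value "$DMARC" rua)" ;;
    --live) check_mail_dns "${2:?usage: --live DOMAIN [SELECTOR]}" "${3:-mail}" ;;
esac
```

The lookup counter matters once you start adding include: terms (each Google Workspace include alone costs several of the ten); exceeding the limit turns the whole record into a permanent error, which receivers treat as no SPF.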
Test mailserver
Firewall
Setup UFW
ISPConfig → System → Firewall
Open TCP Ports 20,21,22,25,53,80,110,143,443,465,587,993,995,3306,8080,8081,10000
Open UDP Ports 53,123,3306
Only open 3306 (MariaDB) if something off the box really has to reach the database; on a single server leave it closed. The UDP 3306 entry does nothing, MariaDB only speaks TCP. If you changed the sshd port above, add it here. 4190 (ManageSieve) is only needed when Thunderbird's Sieve add-on should manage filters from outside; Roundcube on the same host reaches it over localhost.
Check UFW status
ufw status
Status: active
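A reconciliation of that port list against what actually listens, as an added example script (not part of the original notes): it reads `ss -ltn` and `ufw status`, expands ISPConfig's multiport rules, ignores loopback-only sockets, and reports listeners no rule covers ("blocked") as well as rules nothing serves ("unused"). SAMPLE_SS and SAMPLE_UFW are constructed to mirror the two commands' output on a server built as above, not captured from a real host.

```shell
#!/bin/sh
# Added example, not part of the original notes: compare UFW's allowed TCP ports with
# the ports listening on a non-loopback address. Sample data below is constructed.

# listening_tcp_ports < `ss -ltn` -> unique ports with a listener on a non-loopback address
listening_tcp_ports() {
    awk '$1 == "LISTEN" && $4 !~ /^(127\.|\[::1\])/ { n = split($4, a, ":"); print a[n] }' |
        sort -n | uniq
}

# ufw_allowed_tcp_ports < `ufw status` -> unique TCP ports with an ALLOW rule
# (IPv4 lines; multiport rules such as 20,21,22/tcp are expanded)
ufw_allowed_tcp_ports() {
    awk '$2 == "ALLOW" && $1 ~ /\/tcp$/ { sub(/\/tcp$/, "", $1); gsub(",", "\n", $1); print $1 }' |
        sort -n | uniq
}

# report_port_gaps LISTENING ALLOWED -> "blocked PORT" for listeners without a rule,
# "unused PORT" for rules without a listener (both arguments newline-separated lists)
report_port_gaps() {
    local l a
    l=$(mktemp); a=$(mktemp)
    printf '%s\n' "$1" | sed '/^$/d' > "$l"
    printf '%s\n' "$2" | sed '/^$/d' > "$a"
    awk 'FILENAME == ARGV[1] { seen[$1] = 1; next } !($1 in seen) { print "blocked", $1 }' "$a" "$l"
    awk 'FILENAME == ARGV[1] { seen[$1] = 1; next } !($1 in seen) { print "unused", $1 }' "$l" "$a"
    rm -f "$l" "$a"
}

# On the server (root): live comparison
live_port_gaps() {
    report_port_gaps "$(ss -ltn | listening_tcp_ports)" "$(ufw status | ufw_allowed_tcp_ports)"
}

# Constructed `ss -ltn` output: MariaDB and Netdata bound to loopback, ManageSieve (4190)
# listening publicly, IPv4 and IPv6 sockets for sshd
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:21          0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*
LISTEN 0      100    0.0.0.0:25          0.0.0.0:*
LISTEN 0      10     0.0.0.0:53          0.0.0.0:*
LISTEN 0      10     127.0.0.1:53        0.0.0.0:*
LISTEN 0      128    *:80                *:*
LISTEN 0      100    0.0.0.0:110         0.0.0.0:*
LISTEN 0      100    0.0.0.0:143         0.0.0.0:*
LISTEN 0      128    *:443               *:*
LISTEN 0      100    0.0.0.0:465         0.0.0.0:*
LISTEN 0      100    0.0.0.0:587         0.0.0.0:*
LISTEN 0      100    0.0.0.0:993         0.0.0.0:*
LISTEN 0      100    0.0.0.0:995         0.0.0.0:*
LISTEN 0      80     127.0.0.1:3306      0.0.0.0:*
LISTEN 0      100    0.0.0.0:4190        0.0.0.0:*
LISTEN 0      128    *:8080              *:*
LISTEN 0      128    *:8081              *:*
LISTEN 0      128    127.0.0.1:19999     0.0.0.0:*'

# Constructed `ufw status` output for the port list set in ISPConfig above
SAMPLE_UFW='Status: active

To                         Action      From
--                         ------      ----
20,21,22,25,53,80,110,143,443,465,587,993,995,3306,8080,8081,10000/tcp ALLOW Anywhere
53,123,3306/udp            ALLOW       Anywhere
20,21,22,25,53,80,110,143,443,465,587,993,995,3306,8080,8081,10000/tcp (v6) ALLOW Anywhere (v6)
53,123,3306/udp (v6)       ALLOW       Anywhere (v6)'

case "${1:-}" in
    --demo) report_port_gaps "$(printf '%s\n' "$SAMPLE_SS" | listening_tcp_ports)" \
                             "$(printf '%s\n' "$SAMPLE_UFW" | ufw_allowed_tcp_ports)" ;;
    --live) live_port_gaps ;;
esac
```

On the sample this reports 4190 as blocked and 20, 3306 and 10000 as unused: 20 is normal (FTP data connections originate from the server, nothing listens there), 3306 only listens on loopback so the rule opens nothing, and 10000 is only meaningful if Webmin is actually installed. An "unused" 3306 is the hint to drop that rule; a "blocked" service is either intentional or the port you forgot to add.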
Monitoring
Install logwatch
Install monit
apt install monit
ISPConfig → System → Server Config → Server
ISPConfig → Monitor → Server State → Show Monit
Munin
Install Munin
Configure Munin
vi /etc/munin/munin-node.conf
# A list of addresses that are allowed to connect. This must be a
# regular expression, since Net::Server does not understand CIDR-style
# network notation unless the perl module Net::CIDR is installed. You
# may repeat the allow line as many times as you'd like
allow ^127\.0\.0\.1$
allow ^::1$
allow ^1\.2\.3\.4$ # Hetzner Cloud IP address
vi /etc/munin/munin.conf
[cloud.domain.xx]
address 1.2.3.4 # Hetzner Cloud IP address
use_node_name yes
Restart munin-node
service munin-node restart
ISPConfig → System → Server Config → Server
ISPConfig → Monitor → Server State → Show Munin
Netdata
Install Netdata and opt out of its anonymous statistics
GeoIP
Download the free GeoLite2 City database (a free MaxMind account has been required since the end of 2019) and copy GeoLite2-City.mmdb to /usr/local/share/GeoIP, the path the geoip-database setting in goaccess.conf points at
GoAccess
Enable GEO LOCATION for GoAccess
Add for each vHost after creating them in ISPConfig
vi /var/log/ispconfig/httpd/domain.xx/goaccess.conf
######################################
# GeoIP Options
# Only if configured with --enable-geoip
######################################
# Standard GeoIP database for less memory usage.
#
std-geoip false
# Specify path to GeoIP database file. i.e., GeoLiteCity.dat
# .dat file needs to be downloaded from maxmind.com.
#
# For GeoIP2 City database:
geoip-database /usr/local/share/GeoIP/GeoLite2-City.mmdb
Install Nextcloud Hub (Nextcloud 18)
Enable Roundcube Plugins
// List of active plugins (in plugins/ directory)
// Debian: install roundcube-plugins first to have any
//
// Plugins for ISPConfig
// "jqueryui", "ispconfig3_account", "ispconfig3_autoreply", "ispconfig3_spam", "ispconfig3_fetchmail", "ispconfig3_filter", "ispconfig3_forward", "ispconfig3_wblist"
$config['plugins'] = array("carddav", "markasjunk", "userinfo", "vcard_attachments", "zipdownload", "jqueryui", "ispconfig3_account", "ispconfig3_autoreply", "ispconfig3_spam", "ispconfig3_fetchmail", "ispconfig3_filter", "ispconfig3_forward", "ispconfig3_wblist"
);