Perfect (home) server on Raspberry Pi 4 (4/4)

Installing Apache2, BIND DNS, Dovecot mail, PureFTPD and ISPConfig 3.2

This is where the magic will happen, but credits go to Till Brehm. This manual is a cheap rip-of from his page The Perfect Server - Debian 10 (Buster) with Apache, BIND, Dovecot, PureFTPD and ISPConfig 3.2. But because we want to install this on Raspberry Pi and use at as a 'home' server there are some changes made to let it work.
Ready? Let's Go!
Configure hostname
The hostname should be a subdomain like "aalpi01.example.com".

Do not use a domainname without subdomain part like "example.com" as hostname as this will cause problems later with your mail setup.

Edit /etc/hosts and add the line: aalpi01.example.com aalpi01.

Reboot the Raspberry and check with hostname and hostname -f if the hostname is correct.
					sudo nano /etc/hosts
   aalpi01.example.com  aalpi01       localhost
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters       aalpi01
					sudo reboot
					pi@aalpi01:~ $ hostname
pi@aalpi01:~ $ hostname -f
Change the default shell
/bin/sh is a symlink to /bin/dash, however we need /bin/bash, not /bin/dash.

Choose No when asked which shell to use.
					sudo dpkg-reconfigure dash
					┌──────────────────────────┤ Configuring dash├─────────────────────────────────┐
│                                                                              │ 
│ The system shell is the default command interpreter for shell scripts.       │ 
│                                                                              │
│ Using dash as the system shell will improve the system's overall performance │
│ It does not alter the shell presented to interactive users.                  │ 
│                                                                              │                                                               
│ Use dash as the default system shell (/bin/sh)?                              │ 
│                                                                              │ 
│                 <Yes>                     <No>                               │ 
│                                                                              │ 
  Choose No!                                                                                                                                          

Synchronize the System Clock
					sudo apt-get -y install ntp
Install Postfix, Dovecot, MariaDB, rkhunter, and Binutils
Postfix is a mailserver, Dovecot an IMAP server and MariaDB is a Database server.
Rkhunter is a Unix-based tool that scans for rootkits, backdoors and possible local exploits.
The binutils give the system the facility to compile and link programs.
These can all be installed with a single command.

When asked choose:
General type of mail configuration: Internet Site
System mail name: aalpi01.example.com
					sudo apt-get -y install postfix postfix-mysql postfix-doc mariadb-client mariadb-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve dovecot-lmtpd sudo curl
Secure MySQL database
We're no going to secure the MariaDB installation and remove the test database.
					sudo mysql_secure_installation
Enter current password for root [enter for none]: <- enter
Set root password? [Y/n] <- Y
New password: <- Enter a new MariaDB root password
Re-enter new password: <-- Repeat the MariaDB root password
Remove anonymous users? [Y/n] <- Y
Disallow root login remotely? [Y/n] <- Y
Remove test database and access to it? [Y/n] <- Y
Reload privilege tables now? [Y/n] <-- Y
					echo "update mysql.user set plugin = 'mysql_native_password' where user='root';" | sudo mysql -u root
Edit the file /etc/mysql/debian.cnf and set the MariaDB root password there twice in the rows that start with the word password.
					sudo nano /etc/mysql/debian.cnf
					# Automatically generated for Debian scripts. DO NOT TOUCH!
host     = localhost
user     = root
socket   = /var/run/mysqld/mysqld.sock
host     = localhost
user     = root
socket   = /var/run/mysqld/mysqld.sock
basedir  = /usr
To prevent the error 'Error in accept: Too many open files' set higher open file limits for MariaDB in the file /etc/security/limits.conf.
					sudo nano /etc/security/limits.conf
#ftp             -       chroot          /ftp
#@student        -       maxlogins       4

mysql soft nofile 65535
mysql hard nofile 65535
# End of file
create a new directory mysql.service.d/ in /etc/systemd/system/ and add a new file inside with the code [Service] and LimitNOFILE=infinity.

Reload systemd and restart MariaDB

Check that networking is enable.
					sudo mkdir -p /etc/systemd/system/mysql.service.d/
sudo nano /etc/systemd/system/mysql.service.d/limits.conf
					sudo systemctl daemon-reload
sudo systemctl restart mariadb

sudo netstat -tap | grep mysql
tcp6       0      0 [::]:mysql     [::]:*  LISTEN      1067/mysqld   
open the TLS/SSL and submission ports in Postfix.
Uncomment the submission and smtps sections as follows and add lines where necessary so that this section of the master.cf file looks exactly like the one below. 
IMPORTANT: Remove the # in front of the lines that start with smtps and submission too and not just from the -o lines after these lines!
					sudo nano /etc/postfix/master.cf
smtp      inet  n       -       y       -       -       smtpd
#smtp      inet  n       -       y       -       1       postscreen
#smtpd     pass  -       -       y       -       -       smtpd
#dnsblog   unix  -       -       y       -       0       dnsblog
#tlsproxy  unix  -       -       y       -       0       tlsproxy
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_tls_auth_only=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
					sudo systemctl restart postfix
We want MySQL to listen on all interfaces, not just localhost. Therefore, you edit the Mariadb server.cnf and comment out the line bind-address = 

Under [mysqld] in 50-server.cnf add some more settings. In an other article I will show you how to use the Raspberry as cloud storage using Nextcloud ans these settings will be neccessary.
					sudo nano /etc/mysql/mariadb.conf.d/50-server.cnf
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address            =
# this is only for the mysqld standalone daemon
innodb_buffer_pool_size = 1G
innodb_io_capacity      = 4000
innodb_file_per_table   = 1
innodb_file_format      = barracuda
innodb_log_file_size    = 512M
innodb_large_prefix     = on
event_scheduler         = on
sql-mode                ="NO_ENGINE_SUBSTITUTION"

# * Basic Settings
Install Amavisd-new, SpamAssassin, and ClamAV
Amavisd-new is a content filter, Spamassassin is a spamfilter and ClamAV is an open source antivirus engine for detecting trojans, viruses, malware & other malicious threats.
					sudo apt-get -y install amavisd-new spamassassin clamav clamav-daemon unzip bzip2 arj nomarch lzop cabextract p7zip p7zip-full lrzip apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl libdbd-mysql-perl postgrey
ISPConfig 3 uses amavisd which loads the SpamAssassin filter library internally, so we stop SpamAssassin to free up RAM.
					sudo systemctl stop spamassassin
sudo systemctl disable spamassassin
Install Apache Web Server and PHP
					sudo apt-get -y install apache2 apache2-doc apache2-utils libapache2-mod-php php7.3 php7.3-common php7.3-gd php7.3-mysql php7.3-imap php7.3-cli php7.3-cgi libapache2-mod-fcgid apache2-suexec-pristine php-pear mcrypt  imagemagick libruby libapache2-mod-python php7.3-curl php7.3-intl php7.3-pspell php7.3-recode php7.3-sqlite3 php7.3-tidy php7.3-xmlrpc php7.3-xsl memcached php-memcache php-imagick php-gettext php7.3-zip php7.3-mbstring memcached libapache2-mod-passenger php7.3-soap php7.3-fpm php7.3-opcache php-apcu libapache2-reload-perl
Run the following command to enable the Apache modules suexecrewritesslactions, and include (plus davdav_fs, and auth_digest if you want to use WebDAV).
					sudo a2enmod suexec rewrite ssl actions include dav_fs dav auth_digest cgi headers actions proxy_fcgi alias
To ensure that the server cannot be attacked through the HTTPOXY vulnerability, we will disable the HTTP_PROXY header in apache globally by adding the configuration file /etc/apache2/conf-available/httpoxy.conf.

Note: The vulnerability is named httpoxy (without 'r') and therefore the file where we add to prevent it is named httpoxy.conf and not httproxy.conf, so there is no 'r' missing in the filename.
					sudo nano /etc/apache2/conf-available/httpoxy.conf
					<IfModule mod_headers.c>
    RequestHeader unset Proxy early
					sudo a2enconf httpoxy
sudo systemctl restart apache2
Install Let's Encrypt / acme.sh
ISPConfig is using acme.sh now as Let's Encrypt client. This will be used for free ssl certificates.
					sudo curl https://get.acme.sh | sh -s
Install mailman
ISPConfig allows you to manage (create/modify/delete) Mailman mailing lists.

Create a first mailing list called mailman.
					sudo apt-get -y install mailman
					Choose the lanuages you want to support, for example:
[*] de (German)
[*] en (English)
[*] nl (Dutch)

Choose default language for mailman 

click ok

					sudo newlist mailman
					Enter the email of the person running the list: mailman@example.com
Initial mailman password: *****password****
To finish creating your mailing list, you must edit your /etc/aliases (or
equivalent) file by adding the following lines, and possibly running the
`newaliases' program:

## mailman mailing list
mailman:              "|/var/lib/mailman/mail/mailman post mailman"
mailman-admin:        "|/var/lib/mailman/mail/mailman admin mailman"
mailman-bounces:      "|/var/lib/mailman/mail/mailman bounces mailman"
mailman-confirm:      "|/var/lib/mailman/mail/mailman confirm mailman"
mailman-join:         "|/var/lib/mailman/mail/mailman join mailman"
mailman-leave:        "|/var/lib/mailman/mail/mailman leave mailman"
mailman-owner:        "|/var/lib/mailman/mail/mailman owner mailman"
mailman-request:      "|/var/lib/mailman/mail/mailman request mailman"
mailman-subscribe:    "|/var/lib/mailman/mail/mailman subscribe mailman"
mailman-unsubscribe:  "|/var/lib/mailman/mail/mailman unsubscribe mailman"

Hit enter to notify mailman owner...

pi@aalpi01:~ $ 

					sudo nano /etc/aliases
					Enter the email of the person running the list: mailman@example.com
Initial mailman password: *****password****
To finish creating your mailing list, you must edit your /etc/aliases (or
# See man 5 aliases for format
postmaster:    root
clamav: root

## mailman mailing list
mailman:              "|/var/lib/mailman/mail/mailman post mailman"
mailman-admin:        "|/var/lib/mailman/mail/mailman admin mailman"
mailman-bounces:      "|/var/lib/mailman/mail/mailman bounces mailman"
mailman-confirm:      "|/var/lib/mailman/mail/mailman confirm mailman"
mailman-join:         "|/var/lib/mailman/mail/mailman join mailman"
mailman-leave:        "|/var/lib/mailman/mail/mailman leave mailman"
mailman-owner:        "|/var/lib/mailman/mail/mailman owner mailman"
mailman-request:      "|/var/lib/mailman/mail/mailman request mailman"
mailman-subscribe:    "|/var/lib/mailman/mail/mailman subscribe mailman"
mailman-unsubscribe:  "|/var/lib/mailman/mail/mailman unsubscribe mailman"

Run newaliases and restart postfix.
Enable the Mailman Apache configuration.

Define the alias /cgi-bin/mailman/ for all Apache vhosts. You can access the Mailman admin interface for a list at http://aalpi01.example.com/cgi-bin/mailman/admin/, and the web page for users of a mailing list can be found at http://aalpi01.example.com/cgi-bin/mailman/listinfo/.
Under http://aalpi01.example.com/pipermail you can find the mailing list archives.

Restart apache and mailman.
					sudo newaliases
sudo systemctl restart postfix
sudo ln -s /etc/mailman/apache.conf /etc/apache2/conf-enabled/mailman.conf
sudo systemctl restart apache2
sudo systemctl restart mailman
Install PureFTP
Install pureFTPd
Create the dhparam file for pure-ftpd, this will take some time...(like minutes)

Edit the file /etc/default/pure-ftpd-common and make sure that the start mode is set to standalone and set VIRTUALCHROOT=true
We configure PureFTPd to allow FTP and TLS sessions. FTP is a very insecure protocol because all passwords and data are transferred in clear text. By using TLS, the whole communication can be encrypted. In order to use TLS, we must create an SSL certificate.

The certificate is created in /etc/ssl/private/.
					sudo apt-get -y install update-inetd
sudo apt-get -y install pure-ftpd-common pure-ftpd-mysql quota quotatool
sudo openssl dhparam -out /etc/ssl/private/pure-ftpd-dhparams.pem 2048
sudo nano /etc/default/pure-ftpd-common
					echo 1 > sudo /etc/pure-ftpd/conf/TLS
sudo mkdir -p /etc/ssl/private/
sudo openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
					Country Name (2 letter code) [AU]: <- Enter your Country Name (e.g., "NL").
State or Province Name (full name) [Some-State]: <- Enter your State or Province Name.
Locality Name (eg, city) []: <- Enter your City.
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <- Enter your Organization Name.
Organizational Unit Name (eg, section) []: <-- Enter your Organizational Unit Name (e.g. "IT").
Common Name (eg, YOUR name) []: <-- Enter the FQDN of toyur Raspberry (e.g. "aalpi01.example.com").
Email Address []: <-- Enter your Email Address.
					sudo chmod 600 /etc/ssl/private/pure-ftpd.pem
sudo service pure-ftpd-mysql restart

The use of quota's is allways a tricky moment. If you don't need to set quota's (since it's you home webserver) you can skip this step. 
This time I made it work by creating a link to sda2.
					sudo nano /etc/fstab

					proc            /proc           proc    defaults          0       0
PARTUUID=73d4848d-01  /boot           vfat    defaults          0       2
PARTUUID=73d4848d-02  /               ext4    defaults,noatime,usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0  0       1
# a swapfile is not a swap partition, no line here
#   use  dphys-swapfile swap[on|off]  for that
					cd /dev
sudo ln sda2 root
sudo mount -o remount /
sudo quotacheck -avugm
sudo quotaon -avug
Install BIND DNS server
					sudo apt-get -y install bind9 dnsutils
sudo apt-get -y install haveged
Install Webalizer, AWStats and GoAccess
These are the tools to show stats about site visits.

Open awstats and comment all lines.

Installing the latest GoAccess version directly from the GoAccess website.
					sudo apt-get -y install webalizer awstats geoip-database libclass-dbi-mysql-perl libtimedate-perl
sudo nano /etc/cron.d/awstats

#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh

# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh
					sudo apt-get -y install goaccess
sudo nano /etc/goaccess.conf

# Apache/NGINX's log formats below.
time-format %H:%M:%S
date-format %d/%b/%Y
# NCSA Combined Log Format
log-format %h %^[%d:%t %^] "%r" %s %b "%R" "%u"
# name in another variable.
log-format COMBINED
Install Jailkit
Jailkit is needed to chroot SSH users.
					sudo apt-get -y install build-essential autoconf automake libtool flex bison debhelper binutils
cd ~
wget http://olivier.sessink.nl/jailkit/jailkit-2.22.tar.gz
tar xvfz jailkit-2.22.tar.gz
cd jailkit-2.22
echo 5 > sudo debian/compat
sudo ./debian/rules binary
cd ..
sudo dpkg -i jailkit_2.22-1*.deb
sudo rm -rf jailkit-2.* 

Install fail2ban and UFW Firewall
This is optional to install but recommended, because ISPConfig monitor tries to show the log.
					sudo apt-get -y install fail2ban
To make fail2ban monitor PureFTPd and Dovecot, create the file /etc/fail2ban/jail.local and add the following content to it -->

Restart fail2ban and install the UFW firewall.
					sudo systemctl restart fail2ban
sudo apt-get -y install ufw

					sudo nano /etc/fail2ban/jail.local
enabled = true
port = ftp
filter = pure-ftpd
logpath = /var/log/syslog
maxretry = 3

enabled = true
filter = dovecot
logpath = /var/log/mail.log
maxretry = 5

enabled = true
port = smtp
filter = postfix[mode=auth]
logpath = /var/log/mail.log
maxretry = 3
Install PHPMyAdmin Database Administration Tool
Since PHPMyAdmin is not available as package we will install it from source.
Check https://files.phpmyadmin.net/phpMyAdmin for the latest version!
					sudo mkdir /usr/share/phpmyadmin
sudo mkdir /etc/phpmyadmin
sudo mkdir -p /var/lib/phpmyadmin/tmp
sudo chown -R www-data:www-data /var/lib/phpmyadmin
sudo touch /etc/phpmyadmin/htpasswd.setup
wget https://files.phpmyadmin.net/phpMyAdmin/5.1.1/phpMyAdmin-5.1.1-all-languages.zip
unzip phpMyAdmin-5.1.1-all-languages.zip
sudo mv phpMyAdmin-5.1.1-all-languages/* /usr/share/phpmyadmin/
rm phpMyAdmin-5.1.1-all-languages.zip 
rm -rf phpMyAdmin-5.1.1-all-languages/
sudo cp /usr/share/phpmyadmin/config.sample.inc.php /usr/share/phpmyadmin/config.inc.php

Open the phpmyadmin config file config.inc.php to set a secure password (blowfish secret) which must be 32 chars long and the temp directory.

Don't use the example blowfish secret, set your own one using the Blowfish secret generator
					sudo nano /usr/share/phpmyadmin/config.inc.php
 * This is needed for cookie based authentication to encrypt password in
 * cookie. Needs to be 32 chars long.
$cfg['blowfish_secret'] = 'KXRWk]huhCnr.[ske,5L}TyN1n6ol0dF'; /* YOU MUST FILL IN THIS FOR COOKIE AUTH! */
$cfg['TempDir'] = '/var/lib/phpmyadmin/tmp';
Create the Apache configuration file for PHPMyAdmin by opening a new file in nano editor.
					sudo nano /etc/apache2/conf-available/phpmyadmin.conf
					# phpMyAdmin default Apache configuration

Alias /phpmyadmin /usr/share/phpmyadmin

<Directory /usr/share/phpmyadmin>
 Options FollowSymLinks
 DirectoryIndex index.php

 <IfModule mod_php7.c>
 AddType application/x-httpd-php .php

 php_flag magic_quotes_gpc Off
 php_flag track_vars On
 php_flag register_globals Off
 php_value include_path .


# Authorize for setup
<Directory /usr/share/phpmyadmin/setup>
 <IfModule mod_authn_file.c>
 AuthType Basic
 AuthName "phpMyAdmin Setup"
 AuthUserFile /etc/phpmyadmin/htpasswd.setup
 Require valid-user

# Disallow web access to directories that don't need it
<Directory /usr/share/phpmyadmin/libraries>
 Order Deny,Allow
 Deny from All
<Directory /usr/share/phpmyadmin/setup/lib>
 Order Deny,Allow
 Deny from All
Activate the configuration and restart Apache.
					sudo a2enconf phpmyadmin
sudo systemctl restart apache2
Now let's configure the phpMyadmin configuration store (database). Log into MariaDB as root user.
Create the database and add the user pma. Change the **mypassword** into a secure password!
					mysql -u root -p
					Enter password: ***********
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 37
Server version: 10.3.27-MariaDB-0+deb10u1 Raspbian 10

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> CREATE DATABASE phpmyadmin;
Query OK, 1 row affected (0.001 sec)

MariaDB [(none)]> CREATE USER 'pma'@'localhost' IDENTIFIED BY '**mypassword**';
Query OK, 0 rows affected (0.001 sec)

MariaDB [phpmyadmin]> GRANT ALL PRIVILEGES ON phpmyadmin.* TO 'pma'@'localhost' IDENTIFIED BY '**mypassword**' WITH GRANT OPTION;
Query OK, 0 rows affected (0.001 sec)

MariaDB [phpmyadmin]> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.001 sec)

MariaDB [phpmyadmin]> EXIT;
load the SQL tables into the database.
					mysql -u root -p phpmyadmin < /usr/share/phpmyadmin/sql/create_tables.sql
set the phpmyadmin user details in the configuration file
					sudo nano /usr/share/phpmyadmin/config.inc.php

/* User used to manipulate with storage */
$cfg['Servers'][$i]['controlhost'] = 'localhost';
$cfg['Servers'][$i]['controlport'] = '';
$cfg['Servers'][$i]['controluser'] = 'pma';
$cfg['Servers'][$i]['controlpass'] = '**mypassword**';

/* Storage database and tables */
$cfg['Servers'][$i]['pmadb'] = 'phpmyadmin';
$cfg['Servers'][$i]['bookmarktable'] = 'pma__bookmark';
$cfg['Servers'][$i]['relation'] = 'pma__relation';
$cfg['Servers'][$i]['table_info'] = 'pma__table_info';
$cfg['Servers'][$i]['table_coords'] = 'pma__table_coords';
$cfg['Servers'][$i]['pdf_pages'] = 'pma__pdf_pages';
$cfg['Servers'][$i]['column_info'] = 'pma__column_info';
$cfg['Servers'][$i]['history'] = 'pma__history';
$cfg['Servers'][$i]['table_uiprefs'] = 'pma__table_uiprefs';
$cfg['Servers'][$i]['tracking'] = 'pma__tracking';
$cfg['Servers'][$i]['userconfig'] = 'pma__userconfig';
$cfg['Servers'][$i]['recent'] = 'pma__recent';
$cfg['Servers'][$i]['favorite'] = 'pma__favorite';
$cfg['Servers'][$i]['users'] = 'pma__users';
$cfg['Servers'][$i]['usergroups'] = 'pma__usergroups';
$cfg['Servers'][$i]['navigationhiding'] = 'pma__navigationhiding';
$cfg['Servers'][$i]['savedsearches'] = 'pma__savedsearches';
$cfg['Servers'][$i]['central_columns'] = 'pma__central_columns';
$cfg['Servers'][$i]['designer_settings'] = 'pma__designer_settings';
$cfg['Servers'][$i]['export_templates'] = 'pma__export_templates';
Install Roundcube
Install the RoundCube webmail client. First, we have to create the database for Roundcube manually as there is currently an issue in the RoundCube Debian installer which causes it to fail to create the database automatically.
					echo "CREATE DATABASE roundcube;" | sudo mysql --defaults-file=/etc/mysql/debian.cnf
sudo apt-get -y install roundcube roundcube-core roundcube-mysql roundcube-plugins
					Configure database for roundcube with dbconfig-common? <- <Yes>
MySQL application password for roundcube: <- press enter
					sudo nano /etc/roundcube/config.inc.php

					$config['default_host'] = 'localhost';
$config['smtp_server'] = 'localhost';
$config['smtp_port']  = 25;

$config['product_name'] = 'Laspect webmail';
					sudo nano /etc/apache2/conf-enabled/roundcube.conf

					# Those aliases do not work properly with several hosts on your apache server
# Uncomment them to use it or adapt them to your configuration
#    Alias /roundcube /var/lib/roundcube
Alias /roundcube /var/lib/roundcube
Alias /webmail /var/lib/roundcube
					sudo systemctl reload apache2 
Now you can access RoundCube Webmail as follows:

And after you have installed ISPConfig at:
Install ISPConfig 3.2
ISPConfig allows you to manage websites, email addresses, MariaDB databases, FTP accounts, Shell accounts and DNS records through a web-based interface.
Allways check https://www.ispconfig.org/ispconfig/download/ for the latest version!
					wget https://ispconfig.org/downloads/ISPConfig-3.2.5.tar.gz
tar xvf ISPConfig-3.2.5.tar.gz
cd ispconfig3_install/install/
sudo php -q install.php
 _____ ___________   _____              __ _         ____
|_   _/  ___| ___ \ /  __ \            / _(_)       /__  \
  | | \ `--.| |_/ / | /  \/ ___  _ __ | |_ _  __ _    _/ /
  | |  `--. \  __/  | |    / _ \| '_ \|  _| |/ _` |  |_ |
 _| |_/\__/ / |     | \__/\ (_) | | | | | | | (_| | ___\ \
 \___/\____/\_|      \____/\___/|_| |_|_| |_|\__, | \____/
                                              __/ |

>> Initial configuration  

Operating System: Debian 10.0 (Buster) or compatible

    Following will be a few questions for primary configuration so be careful.
    Default values are in [brackets] and can be accepted with <ENTER>.
    Tap in "quit" (without the quotes) to stop the installer.

Select language (en,de) [en]: en
Installation mode (standard,expert) [standard]: standard
Full qualified hostname (FQDN) of the server, eg server1.domain.tld  [aalpi01.aalbessenstraat.nl]: aalpi01.aalbessenstraat.nl
MySQL server hostname [localhost]: localhost
MySQL server port [3306]: 3306
MySQL root username [root]: root
MySQL root password []: **mypassword**
MySQL database to create [dbispconfig]: dbispconfig
MySQL charset [utf8]: utf8

Configuring Postgrey
Configuring Postfix
Generating a RSA private key
writing new private key to 'smtpd.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:NL
State or Province Name (full name) [Some-State]:ZH
Locality Name (eg, city) []:The Hague
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Company Name
Organizational Unit Name (eg, section) []:ICT
Common Name (e.g. server FQDN or YOUR name) []:aalpi01.example.com
Email Address []:support@example.com
Configuring Mailman
Configuring Dovecot
Creating new DHParams file, this takes several minutes. Do not interrupt the script.
Configuring Spamassassin
Configuring Amavisd
[INFO] service Rspamd not detected
Configuring Getmail
Configuring Jailkit
Configuring Pureftpd
Configuring BIND
Configuring Apache
Configuring vlogger
[INFO] service OpenVZ not detected
Configuring Ubuntu Firewall
[INFO] service Metronome XMPP Server not detected
Configuring Fail2ban
Installing ISPConfig
ISPConfig Port [8080]: 8080 

Admin password [b5448d96]: **mypassword**

Re-enter admin password []: **mypassword**

Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]: y

Checking / creating certificate for aalpi01.aalbessenstraat.nl
Using certificate path /root/.acme.sh/aalpi01.aalbessenstraat.nl
Server's public ip(s) ( not found in A/AAAA records for aalpi01.aalbessenstraat.nl:
Ignore DNS check and continue to request certificate? (y,n) [n]: y

Using apache for certificate validation
acme.sh is installed, overriding certificate path to use /root/.acme.sh/aalpi01.aalbessenstraat.nl
Symlink ISPConfig SSL certs to Postfix? (y,n) [y]: y

Symlink ISPConfig SSL certs to Pure-FTPd? Creating dhparam file may take some time. (y,n) [y]: y

Configuring Apps vhost
Configuring DBServer
Installing ISPConfig crontab
no crontab for getmail
Detect IP addresses
Restarting services ...
Installation completed.

Final changes
For the use of other webbased apps we need to make some changes to make them run without errors or warnings. Some settings are overdone, but hey, it's your own home webserver, live life to the max ;-). You can always tweak settings yourself, now that you got your system up and running.
Change php.ini
To upload larger files and to run nextcloud change the following files:

Change values:
max_execution_time = 180
max_input_time = 180
memory_limit = 1024M
upload_max_filesize = 10000M
post_max_size = 512M
session.gc_maxlifetime = 14400
					sudo nano /etc/php/7.3/apache2/php.ini
sudo nano /etc/php/7.3/cgi/php.ini
sudo nano /etc/php/7.3/cli/php.ini
sudo nano /etc/php/7.3/fpm/php.ini
sudo systemctl restart apache2
Install caching
This is needed to run nextcloud.
					sudo apt-get -y install redis-server php-redis
sudo service apache2 restart
sudo update-rc.d redis-server defaults
sudo ps ax | grep redis