Home / How To / How to install an ISPConfig mail server on Debian 10

How to install an ISPConfig mail server on Debian 10

This tutorial uses a simple server setting as an example. ISPConfig 3.1 is installed on Debian 10.0, Buster. I upgraded ISPConfig to 3.1.15 while testing this tutorial.

What is needed

To use this tutorial successfully for a properly functioning email server, you need

  • a host where you install ISPConfig (and an operating system)
  • I recommend 2 GB of memory with 4 GB of bytes, should be sufficient for email server.
  • host must have internet connection with port 25 open both ways
  • host must have a fixed IP address
  • host must have an entry for its IP address (or AAAA if using IPv6)
  • you must create MX record to host DNS name service
  • you must host reverse DNS name service PTR record that matches host FQDN

The memory requirement is for SPAM filters. You can clear 1 GB of memory even with SPAM filters running if the 4 GB switch is there to avoid memory situations.

Open Ports

The mail server must have port 25 open both inbound and outbound. Make sure your host has that port open before setting the mail server to that host.

There are ways to get email working even when port 25 is not open, but that means sending email through another host that has has port 25 open. It may be more meaningful to install the mail server on the second host and forget the first one completely as far as email goes.

DNS name Service records

Email server needs an FQDN, fully qualified domain name (Read about it from Wikipedia: FQDN). In this example, the domain name is taleman.ovh . To show that the hostname of the mail server need not be email, we use posti as the host name. So FQDN is posti.taleman.ovh .

This host is installed in a service provider system, they offer domain registration, name service and reverse name service. I used these.

The IP address is I did the following:

  • registered the domain taleman.ovh
  • added this IP address as a record to DNS name service named posti.taleman.ovh
  • added MX record for domain taleman.ovh with value posti .taleman.ovh
  • added the reverse name service PTR record for that IP address, pointing to posti.taleman.ovh

The MX record is created for the email domain. So I create it for taleman.ovh, and it points to posti.taleman.ovh, the mail server that receives mail for that domain.

Reverse Name Service

Read about reverse name service from Name Service tutorial. In this example, reverse name service must return posti.taleman.ovh.

My service provider checked the presence of a post before adding the corresponding PTR was possible, I had a bit of a problem before thinking it was because the extension failed.

Naming service testing

Better to test naming service now, because sending and receiving emails will not work if the naming service is not set correctly. If your workstation is Windows instead of Linux or Unix, use the nslookup command instead of host.

  $ host taleman.ovh taleman.ovh has address taleman.ovh mail is handled by 10 posti.taleman.ovh. [19659030] The above results show that the domain name has an IP number associated (which in this case differs from the mail server's IP number, but it does not affect email messages), and there is an MX record pointing to mail. taleman.ovh. The "mail managed by" section comes from the MX record. This MX record is needed if mail sent to @ taleman.ovh addresses is to be received at posti.taleman.ovh. 

Then check the name service record for the mail server FQDN (in this case posti.taleman.fi) is an A-mail and points to the correct IP number.

  $ you posti.taleman.ovh | grep "ANSWER SECTION" --after-context = 3 ;; ANSWER SECTION: posti.taleman.ovh. 3600 IN A ;; Question Time: 56 ms 

Finally, check the reverse name service resolves the IP number back to the FQDN on the mail server.

  $ host domain name pointer posti.taleman. ovh. 

Instead of host and dig commands, you can use web pages that test name service. I know intoDNS and MXToolbox.

If you cannot get the above test to succeed, try this setting of the Name Service tutorial.

Installing the OS

I'm using Debian version 10 Buster, so I follow this tutorial:


Change out the IP number, host name and domain name with your hosts.

Since I wrote this tutorial in English I chose English as a language, but Finland as a country and United_Kingdom en_GB.UTF -8 as language setting.

  [email protected]: / tmp # cat / etc / debian_version 10.0 
[email protected]: ~ # locale LANG = en_GB.UTF-8 LANGUAGE = en_GB: en LC_CTYPE = "en_GB.UTF-8" LC_NUMERIC = "en_GB.UTF -8 "LC_TIME =" en_GB.UTF-8 "LC_COLLATE =" en_GB.UTF-8 "LC_MONETARY =" en_GB.UTF-8 "LC_MESSAGES =" en_GB.UTF-8 "LC_PAPER =" en_GB. UTF-8 "LC_NAME = "en_GB.UTF-8" LC_ADDRESS = "en_GB.UTF-8" LC_TELEPHONE = "en_GB .UTF-8" LC_MEASUREMENT = "en_GB.UTF-8" LC_IDENTIFICATION = "en_GB.UTF-8" LC_ALL = [email protected]: ~ # cat / etc / timezone Europe / Helsinki 

Make sure you have set the host name correctly. The email system configuration ISPConfig does will not work if the hostname is incorrect.

  [email protected]: ~ # hostname posti [email protected]: ~ # hostname -f posti.taleman.ovh [email protected]: ~ # 

Install ISPConfig

I choose to install Apache as a web server, so for Debian Buster, I follow this Perfect Server Guide.

I installed the openssh server on the host and set the root login with the ssh key, so I can ssh to the values ​​as root directly. Passwordless logins using OpenSSH or Secure passwordless logins with SSH.

  [email protected]: / tmp # free -h total used free shared buff / cache available Mem: 3.9Gi 53Mi 3.6Gi 15Mi 252Mi 3.6Gi Swap: 4.0Gi 0B 4.0Gi [email protected]: / tmp # df -hT File System Type Size Used Use% Mounted on udev devtmpfs 2.0G 0 2.0G 0% / dev tmpfs tmpfs 395M 16M 380M 4% / run / dev / sda1 ext4 28G 882M 26G 4% / tmpfs tmpfs 2.0G 0 2.0G 0% / dev / shm tmpfs tmpfs 5.0M 0 5.0M 0% / run / lock tmpfs tmpfs 2.0G 0 2.0G 0% / sys / fs / cgroup tmpfs tmpfs 395M 0 395M 0% / run / user / 0 

I prefer Emacs style editors in front of nano, so I'm installing jed now to make editing files nicer. Ads

[19659014] I had / etc / host and / etc / hostname set correctly after installing the operating system, so I verified that they were correct according to Perfect Server Guide. Pay attention to the host name and FQDN, if you move with them you will eventually find that your email server is not working. The damage can be repaired, but it is easier to get right from the start.

  [email protected]: / tmp # hostname posti [email protected]: / tmp # hostname -f posti.taleman.ovh 

For rest, I just follow the Perfect Server Guide. Note that you can mostly cut and paste the commands from the wizard to the command line.

I did not install Mailman, I do not plan to use Mailman on this host. Also, I omitted to install BIND DNS Server, Webalizer, AWStats. I installed Roundcube Webmail because this host becomes an email server.

In Chapter 18 (Installing the PHPMyAdmin Database Administration Tool), I used the command

  / usr / bin / apg -m 32 -x 32 

to generate the 32-character blowfish secret.

Use of systems

Create email domain and mailboxes

Now I log in as an admin to ISPConfig and

  • Add new client
  • Add new domain (Email domain!), And fill in the form
  • Add new mailbox

Create the DKIM keys and record by clicking the buttons in the order numbered in the image. You can read about DKIM on Wikipedia.

  Create email domain in ISPConfig

Figure 1: Create email domain

Then wait for two minutes or until the red ball with numbers in the upper part of the ISPConfig panel disappears.

As the first test, you log into Roundcube Webmail with the above created mailbox and send an email to the same address. ISPConfig sends a welcome message to all created mailboxes, so there should be a message there already. Use the Compose button and write a short test message.

  RoundCube Login

Figure 2: Roundcube webmail

  Send email in Roundcube

Figure 3: Send from Roundcube [19659068] The message should appear shortly in the mailbox. Ads

Then try sending an email to another mailbox you have and can check if the mail is coming there. The next test you can send from somewhere else to the above created mailbox.

Please note that if you have enabled mailing list mailbox, the email sent outside your server will not be sent directly to the mailbox. However, you should see the email log entry from the attempted delivery directly so that you can see that email can reach your server. The greylisting record in the /var/log/mail.log file looks like this:

  29 Aug 19:08:42 posti postfix / smtpd [16911]: NOQUEUE: decline:
RCPT from mta-out1.inet.fi []: 450 4.2.0
<[email protected]>: Recipient's address rejected: Greylisted,
see http://postgrey.schweikert.ch/help/taleman.ovh.html;
from = <****@*****.***> to = <[email protected]> proto = ESMTP
helo = <******.****.***>

You can monitor the email log in a terminal window like this, for example:

  tail -f /var/log/mail.logebrit19659030 ?? Or use these commands if you are only interested in Greylisting entries: 

  tail -f /var/log/mail.log | grep Greylisted 


  grep Greylisted /var/log/mail.log Greece 19659030 Greylisting delays only the first email from the same sender to the same recipient. When the first e-mail is received, the following e-mails will be sent without extra delay. 

In my case, everything worked at the first attempt. This shows that the ISPConfig Perfect Server Guide really works.

Connect Email Client

Using Thunderbird as an Email Client. Other applications for email clients work similarly.

ISPConfig causes the account name to become the email address.

  Thunderbird Account Settings

Figure 4: Thunderbird Account Settings [19659094] Thunderbird Server Settings "width =" 550 "height =" 492 "style =" display: block; margin-left: auto; margin-right: auto; "ezimgfmt =" rs rscb1 src ng ngcb1 "class =" ezlazyload "data-ezsrc =" https://www.howtoforge.com/images/setting_up_e_mail_server_with_ispconfig/Thunderbird_server_settings-550.png "/ ] Figure 5: Thunderbird server settings

Connection security STARTTLS means that the connection starts unprotected and then switches to encrypted if both parties support the encryption SSL / TSL means that the session is initially encrypted. slightly safer, so try if your client works with it.

  Thunderbird Outgoing Mail Server

Figure 6: Thunderbird outgoing server settings

Using SPF [19659013] Read about the Sender Policy Framework from Wikipedia Originally, SPF stood for Sender Permitted From, which is nice to remember what it means. After reading about SPF you can create the post yourself, check if your name provider can generate S PF record or use Internet search engines with the

  SPF guide

find a website that creates the SPF name service record for you. Then cut and paste the record into your name service. Add a TXT record, or maybe on any DNS system add SPF record.

Check what SPF looks like in the name service, like this

  $ you taleman.ovh -t TXT | grep spf taleman.ovh. 3000 IN TXT "v = spf1 mx ~ all" 

Or something like this:

  $ you + short taleman.ovh TXT "v = spf1 mx ~ all" "1 | www.taleman.ovh" 

Usage DKIM

Read about DomainKeys Identified Mail from Wikipedia. ISPConfig created the DKIM keys for you when you created your email domain (if you remember to select the DKIM box). Cut and paste the DNS record that is the public key to your name service as a TXT record. Your name provider may offer a tool to make it easier to create DKIM mail. Keep the DKIM private key secret.

Check how DKIM looks in the name service, like this:

  $ host -t txt default._domainkey.taleman.ovh. default._domainkey.taleman.ovh descriptive text "v = DKIM1; h = sha256; s = *; p = MIIB (I cut long string shorter) 0rp" "sTGLXyK (cut shorter) B; t = s;" 

If it was ISPConfig that created the DKIM keys, the private key is copied to the correct location in amavis settings.

There is a website mail-tester.com that is useful for checking SPF and DKIM works. Go to that site, it provides an email address and you send an email there from your server. Then wait a minute and check the site again.

Creating Certificates

ISPConfig can create self-signed certificates, which are created during the ISPConfig installation if you chose not to create. Even if you created the self-signed certificates, it's a good idea to create the right certificates that browsers, email programs and other email servers trust.

There is a nice tutorial: Secure ISPConfig with a Free Let's # Encrypt SSL Certificate

After that tutorial, I noticed that the created site showed Debian's default site until I created the LE certificate for the site. Although ISPConfig Panel was wonky, I think because it had the self-signed certificate and now this new certificate or no certificate at all. Refreshing pages in the browser sorted this out.

When certificates are set, enter the https address of the server in the browser. Click the icon to the left if the browser's address bar with another mouse button displays information about the certificate. Ads


Go to the ISPConfig Panel System tab, Main Configuration Interface and Mail tab. It set

  Use SSL / TLS encrypted connection for SMTP

to SSL.

Further testing of certificates is possible with tools on websites, use Internet search engines with

  ssl testing

as a keyword. These tools usually test the site, when testing certificates that the mail server has, search with

  ssl test mail server

ISPConfig Roundcube Plugins

These plugins are useful for webmail users. For example, they allow changing email passwords in Roundcube. Some other settings can also be changed in Roundcube. They can all be changed in the ISPConfig panel, but some e-mail users may not want to use the panel.

I installed ISPConfig Rouncube Plugins using the Tutorial ISPConfig 3 Roundcube Plugin on Debian 9. Tutorial worked exactly on Debian 10 Buster, except that now ispconfig3_account / config / config.inc.php has one more row:

  $ config ['soap_validate_cert'] = true;

This may remain true, as the certificate is properly configured and tested in the previous chapter of this manual. However, if the host does not have a valid certificate, change this setting to false.

I had a problem. Some items in the account section show error message

  An error occurred.
Soap error: Login is not allowed from 

I solved this by ticking for remote access and writing posti.taleman.ovh for the rcmail remote user I created after tutorial. It seems that tutorial is wrong if you do not need to tick "Remote Access". Now it seems that it is needed both for single server settings and ISPConfig multiserver installation with a separate e-mail server.

Additional use

You can now create another email domain. Remember to create MX mail for that domain and point it to your mail server. You can use the same mail server for all email domains you create. This is as it usually does, as creating a separate email server for each email domain would be quite a waste.


After this tutorial, my newly configured email server works. . If yours does not work, make sure you have followed this tutorial and not skipped any steps.

Reading the forum has shown common ways of having a mail server that does not work is the wrong setting for hostname and hostname -f and / or errors in file /etc/postfix/main.cf.ebrit19659014??If you suspect problems with DNS name service, check those with DNS with ISPConfig doctrine. There are website tools that control DNS, such as intodns.com, dnschecker.com, mxtoolbox.com.

If e-mails are not received or not sent, it is postfix that performs these functions and they are logged to / var / log / mail.log. So does

  tail -f /var/log/mail.log | grab postfix to see what happens when emails are received or sent. 

If you have trouble connecting to the email client (Thunderbird, for example) use this to see what happens:

  tail -f / var / log /mail.log | grep dovecot 

If a particular email message is problematic, you can find the mail log entries with the IDs of that email. For example:

  September 23 14:19:34 posti postfix / smtps / smtpd [10260]: A9F2880C76:
client = dsl-tkubng21-58c1ce-191.dhcp.inet.fi [],
sasl_method = PLAIN, [email protected]

The ID for that email is A9F2880C76. You can find log entries for that email with

  # grep A9F2880C76 /var/log/mail.logebrit19659030??Command mailq displays emails that are in the delayed queue after mail fix. That is, the e-mails that are not yet delivered. It is normal to have some new items there, emails may not always be delivered immediately. You can see the contents of these emails with queue IDs like this: 

  # postcat / var / spool / postfix / deferred / A / A9F2880C76 

Howtoforge has ISPConfig forum, ask for advice there.

Source link