The Perfect Server - CentOS 6.3 x86_64 (Apache2, Dovecot, ISPConfig 3) - Page 5

17 Install BIND

We can install BIND as follows:

yum install bind bind-utils

Next open /etc/sysconfig/named...

vi /etc/sysconfig/named

... and make sure that the ROOTDIR=/var/named/chroot line is commented out:

# BIND named process options
# ~~~~~~~~~~~~~~~~~~~~~~~~~~
# Currently, you can use the following options:
#
# ROOTDIR="/var/named/chroot"  --  will run named in a chroot environment.
#                            you must set up the chroot environment
#                            (install the bind-chroot package) before
#                            doing this.
#       NOTE:
#         Those directories are automatically mounted to chroot if they are
#         empty in the ROOTDIR directory. It will simplify maintenance of your
#         chroot environment.
#          - /var/named
#          - /etc/pki/dnssec-keys
#          - /etc/named
#          - /usr/lib64/bind or /usr/lib/bind (architecture dependent)
#
#         Those files are mounted as well if target file doesn't exist in
#         chroot.
#          - /etc/named.conf
#          - /etc/rndc.conf
#          - /etc/rndc.key
#          - /etc/named.rfc1912.zones
#          - /etc/named.dnssec.keys
#          - /etc/named.iscdlv.key
#
#       Don't forget to add "$AddUnixListenSocket /var/named/chroot/dev/log"
#       line to your /etc/rsyslog.conf file. Otherwise your logging becomes
#       broken when rsyslogd daemon is restarted (due update, for example).
#
# OPTIONS="whatever"     --  These additional options will be passed to named
#                            at startup. Don't add -t here, use ROOTDIR instead.
#
# KEYTAB_FILE="/dir/file"    --  Specify named service keytab file (for GSS-TSIG)
#
# DISABLE_ZONE_CHECKING  -- By default, initscript calls named-checkzone
#                           utility for every zone to ensure all zones are
#                           valid before named starts. If you set this option
#                           to 'yes' then initscript doesn't perform those
#                           checks.

Make a backup of the existing /etc/named.conf file and create a new one as follows:

cp /etc/named.conf /etc/named.conf_bak
cat /dev/null > /etc/named.conf
vi /etc/named.conf

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { any; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };
        recursion no;
        allow-recursion { none; };
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "." IN {
        type hint;
        file "named.ca";
};
include "/etc/named.conf.local";

Create the file /etc/named.conf.local that is included at the end of /etc/named.conf (/etc/named.conf.local will later on get populated by ISPConfig if you create DNS zones in ISPConfig):

touch /etc/named.conf.local

Then we create the startup links and start BIND:

chkconfig --levels 235 named on
/etc/init.d/named start
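A small audit of the options block written above, added here as an example that is not part of the tutorial: it parses the `options {}` statements and reports when the server would behave as an open resolver (recursion enabled and unrestricted) or when the `include` line that ISPConfig relies on is missing. Both configuration samples are constructed for the example.

```python
import re

# Constructed sample: the options block and include line from the tutorial's
# /etc/named.conf (authoritative-only server, recursion switched off).
AUTHORITATIVE_ONLY = """
options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { any; };
        directory       "/var/named";
        allow-query     { any; };
        recursion no;
        allow-recursion { none; };
};
include "/etc/named.conf.local";
"""

# Constructed counter-example: the stock caching-only defaults left in place
# but exposed on all interfaces, and no ISPConfig include.
OPEN_RESOLVER = """
options {
        listen-on port 53 { any; };
        allow-query     { any; };
        recursion yes;
};
"""

def parse_options(conf):
    """Return the statements of the top-level options {} block as {name: value}."""
    body = re.search(r"^options\s*\{(.*?)^\};", conf, re.S | re.M)
    if not body:
        raise ValueError("no options block found")
    stmts = {}
    for line in body.group(1).splitlines():
        line = line.split("//")[0].strip().rstrip(";")  # drop comments and trailing ;
        if line:
            name, _, value = line.partition(" ")
            stmts[name] = value.strip()
    return stmts

def audit(conf):
    """List deviations from the tutorial's intent; an empty list means it matches."""
    opts = parse_options(conf)
    findings = []
    # named defaults to recursion yes, so an absent statement counts as enabled.
    recursion = opts.get("recursion", "yes")
    allow_rec = opts.get("allow-recursion", "")
    if recursion == "yes" and ("any" in allow_rec or not allow_rec):
        findings.append("open resolver: recursion enabled and not restricted")
    if 'include "/etc/named.conf.local"' not in conf:
        findings.append("missing include of /etc/named.conf.local: ISPConfig zones ignored")
    return findings
```

Run `audit(open("/etc/named.conf").read())` on the real file after editing it; `named-checkconf` still has to pass as well, since this only inspects the options that matter for the ISPConfig setup.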


18 Install Webalizer And AWStats

Webalizer and AWStats can be installed as follows:

yum install webalizer awstats perl-DateTime-Format-HTTP perl-DateTime-Format-Builder


19 Install Jailkit

Jailkit is needed only if you want to chroot SSH users. It can be installed as follows (important: Jailkit must be installed before ISPConfig - it cannot be installed afterwards!):

cd /tmp
wget http://olivier.sessink.nl/jailkit/jailkit-2.15.tar.gz
tar xvfz jailkit-2.15.tar.gz
cd jailkit-2.15
./configure
make
make install
cd ..
rm -rf jailkit-2.15*


20 Install fail2ban

This is optional but recommended, because the ISPConfig Monitor module tries to display the fail2ban log:

yum install fail2ban

We must configure fail2ban to log to the log file /var/log/fail2ban.log because this is the log file that is monitored by the ISPConfig Monitor module. Open /etc/fail2ban/fail2ban.conf...

vi /etc/fail2ban/fail2ban.conf

... and comment out the logtarget = SYSLOG line and add logtarget = /var/log/fail2ban.log:

[...]
# Option:  logtarget
# Notes.:  Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
#          Only one log target can be specified.
# Values:  STDOUT STDERR SYSLOG file  Default:  /var/log/fail2ban.log
#
#logtarget = SYSLOG
logtarget = /var/log/fail2ban.log
[...]

Then create the system startup links for fail2ban and start it:

chkconfig --levels 235 fail2ban on
/etc/init.d/fail2ban start
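The logtarget change above, written as an idempotent edit so it can be re-run after a package update restores the shipped fail2ban.conf; this is an added example, not part of the tutorial, and the configuration excerpt is constructed.

```python
import re

# Constructed excerpt of /etc/fail2ban/fail2ban.conf as shipped (logging to syslog).
SHIPPED = """[Definition]
# Option:  loglevel
loglevel = 3
# Option:  logtarget
# Values:  STDOUT STDERR SYSLOG file  Default:  /var/log/fail2ban.log
#
logtarget = SYSLOG
"""

MONITORED_LOG = "/var/log/fail2ban.log"  # the file the ISPConfig Monitor module reads
LOGTARGET_RE = re.compile(r"^\s*logtarget\s*=\s*(.+?)\s*$")

def set_logtarget(text, target=MONITORED_LOG):
    """Comment out every active logtarget line and leave exactly one set to target.

    Re-running on already converted text returns it unchanged.
    """
    out, done = [], False
    for line in text.splitlines():
        m = LOGTARGET_RE.match(line)
        if not m:
            out.append(line)
        elif m.group(1) == target and not done:
            out.append(line)            # already correct: keep the first one
            done = True
        else:
            out.append("#" + line)      # disable SYSLOG or any duplicate target
            if not done:
                out.append(f"logtarget = {target}")
                done = True
    if not done:                        # no logtarget at all: add one under [Definition]
        idx = out.index("[Definition]") + 1 if "[Definition]" in out else len(out)
        out.insert(idx, f"logtarget = {target}")
    return "\n".join(out) + "\n"

def active_logtarget(text):
    """Return the last active logtarget (the one fail2ban honours), or None."""
    found = None
    for line in text.splitlines():
        m = LOGTARGET_RE.match(line)
        if m:
            found = m.group(1)
    return found
```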


21 Install rkhunter

rkhunter can be installed as follows:

yum install rkhunter


22 Install Mailman

Since version 3.0.4, ISPConfig also allows you to manage (create/modify/delete) Mailman mailing lists. If you want to make use of this feature, install Mailman as follows:

yum install mailman

Before we can start Mailman, a first mailing list called mailman must be created:

/usr/lib/mailman/bin/newlist mailman

[root@server1 tmp]# /usr/lib/mailman/bin/newlist mailman
Enter the email of the person running the list:
 <-- admin email address, e.g. listadmin@example.com
Initial mailman password: <-- admin password for the mailman list
To finish creating your mailing list, you must edit your /etc/aliases (or
equivalent) file by adding the following lines, and possibly running the
`newaliases' program:

## mailman mailing list
mailman:              "|/usr/lib/mailman/mail/mailman post mailman"
mailman-admin:        "|/usr/lib/mailman/mail/mailman admin mailman"
mailman-bounces:      "|/usr/lib/mailman/mail/mailman bounces mailman"
mailman-confirm:      "|/usr/lib/mailman/mail/mailman confirm mailman"
mailman-join:         "|/usr/lib/mailman/mail/mailman join mailman"
mailman-leave:        "|/usr/lib/mailman/mail/mailman leave mailman"
mailman-owner:        "|/usr/lib/mailman/mail/mailman owner mailman"
mailman-request:      "|/usr/lib/mailman/mail/mailman request mailman"
mailman-subscribe:    "|/usr/lib/mailman/mail/mailman subscribe mailman"
mailman-unsubscribe:  "|/usr/lib/mailman/mail/mailman unsubscribe mailman"

Hit enter to notify mailman owner...
 <-- ENTER

[root@server1 tmp]#

Open /etc/aliases afterwards...

vi /etc/aliases

... and add the following lines:

[...]
mailman:              "|/usr/lib/mailman/mail/mailman post mailman"
mailman-admin:        "|/usr/lib/mailman/mail/mailman admin mailman"
mailman-bounces:      "|/usr/lib/mailman/mail/mailman bounces mailman"
mailman-confirm:      "|/usr/lib/mailman/mail/mailman confirm mailman"
mailman-join:         "|/usr/lib/mailman/mail/mailman join mailman"
mailman-leave:        "|/usr/lib/mailman/mail/mailman leave mailman"
mailman-owner:        "|/usr/lib/mailman/mail/mailman owner mailman"
mailman-request:      "|/usr/lib/mailman/mail/mailman request mailman"
mailman-subscribe:    "|/usr/lib/mailman/mail/mailman subscribe mailman"
mailman-unsubscribe:  "|/usr/lib/mailman/mail/mailman unsubscribe mailman"

Run

newaliases

afterwards and restart Postfix:

/etc/init.d/postfix restart

Now open the Mailman Apache configuration file /etc/httpd/conf.d/mailman.conf...

vi /etc/httpd/conf.d/mailman.conf

... and add the line ScriptAlias /cgi-bin/mailman/ /usr/lib/mailman/cgi-bin/. Comment out Alias /pipermail/ /var/lib/mailman/archives/public/ and add the line Alias /pipermail /var/lib/mailman/archives/public/:

#
#  httpd configuration settings for use with mailman.
#
ScriptAlias /mailman/ /usr/lib/mailman/cgi-bin/
ScriptAlias /cgi-bin/mailman/ /usr/lib/mailman/cgi-bin/
<Directory /usr/lib/mailman/cgi-bin/>
    AllowOverride None
    Options ExecCGI
    Order allow,deny
    Allow from all
</Directory>

#Alias /pipermail/ /var/lib/mailman/archives/public/
Alias /pipermail /var/lib/mailman/archives/public/
<Directory /var/lib/mailman/archives/public>
    Options Indexes MultiViews FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
    AddDefaultCharset Off
</Directory>
# Uncomment the following line, to redirect queries to /mailman to the
# listinfo page (recommended).
# RedirectMatch ^/mailman[/]*$ /mailman/listinfo

Restart Apache:

/etc/init.d/httpd restart

Create the system startup links for Mailman and start it:

chkconfig --levels 235 mailman on
/etc/init.d/mailman start

After you have installed ISPConfig 3, you can access Mailman as follows:

You can use the alias /cgi-bin/mailman for all Apache vhosts (please note that suExec and CGI must be disabled for all vhosts from which you want to access Mailman!), which means you can access the Mailman admin interface for a list at http://<vhost>/cgi-bin/mailman/admin/<listname>, and the web page for users of a mailing list can be found at http://<vhost>/cgi-bin/mailman/listinfo/<listname>.

Under http://<vhost>/pipermail/<listname> you can find the mailing list archives.

Comments

From: Dylan Myers at: 2012-08-11 06:32:05

Anyone who uses this tutorial should be aware of this bug with the changes ISPConfig3 makes to dovecot on Fedora/CentOS installs:
http://bugtracker.ispconfig.org/index.php?do=details&task_id=2367

From: Anonymous at: 2012-07-16 15:11:18

You'll also need to install php-common

yum install php-common

From: Jack at: 2013-01-05 16:55:42

EPEL name has been upgraded to: http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

From: at: 2013-01-20 16:21:31

Yum installed dovecot 2.0.9.el6_1.1 and dovecot-mysql 2.0.9-2.el6_1.1

This seems to cause a failure in amavis:

amavis[8819]: (08819-01-10) Blocked MTA-BLOCKED in maillog

I have tried

mv /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.conf.org
cp /etc/dovecot.conf /etc/dovecot/dovecot.conf

service dovecot restart
service amavisd restart
service postfix restart

# this seems to have worked ok for me - mail now being sent out.

From: at: 2013-01-29 20:31:31

I was having errors in my maillog as follows:

Jan 29 20:18:45 centos postfix/smtpd[25440]: warning: SASL: Connect to private/auth failed: No such file or directory
Jan 29 20:18:45 centos postfix/smtpd[25440]: fatal: no SASL authentication mechanisms

The comment above from DFen:

mv /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.conf.org
cp /etc/dovecot.conf /etc/dovecot/dovecot.conf

This fixed my issues.

From: noro at: 2012-10-02 18:26:04

hi,
pure-ftpd doesn't use the certificate in /etc/ssl/private/
but in /etc/pki/pure-ftpd

command to generate the certificate:
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/pki/pure-ftpd/pure-ftpd.pem -out /etc/pki/pure-ftpd/pure-ftpd.pem

thanks for this tutorial

From: MLK Dual Production at: 2012-12-16 15:53:37

Thank you for the helpful and well explained tutorial.
For some reason the link to download mod_ruby (wget http://www.modruby.net/archive/mod_ruby-1.3.0.tar.gz) is not working.

Here is one that works

wget http://fossies.org/unix/www/apache_httpd_modules/mod_ruby-1.3.0.tar.gz

From: Anonymous at: 2012-12-19 09:45:54

mirror: http://ftp.riken.go.jp/pub/FreeBSD/distfiles/ruby/mod_ruby-1.3.0.tar.gz

Thanks for the walkthrough

From: Anonymous at: 2013-03-31 00:04:26

I found that on some setups phpmyadmin and squirrelmail can't load. By editing the "squirrelmail.conf" and "phpmyadmin.conf" files in "/etc/httpd/conf" and adding

<Directory "/usr/share/phpmyadmin">
  <IfModule prefork.c>
    LoadModule php5_module modules/libphp5.so
  </IfModule>
  <IfModule !prefork.c>
    LoadModule php5_module modules/libphp5-zts.so
  </IfModule>

  #
  # Cause the PHP interpreter to handle files with a .php extension.
  #
  <FilesMatch \.php$>
    SetHandler application/x-httpd-php
  </FilesMatch>

  Order Allow,Deny
  Allow from all
</Directory>

From: CanaDave at: 2012-07-14 23:37:56

...you should mention that when you start named:

/etc/init.d/named start

...it takes a few minutes to generate a key...I thought it was crashed so I Ctrl-C'd it a couple of times then eventually I found how to generate the key manually:

]# rndc-confgen -a

]# chmod 666 /etc/rndc.key

then

]# chkconfig --levels 235 named on
]# /etc/init.d/named start

...I don't know if it would have generated the key on its own, it did say 'Generate Key': but seemed to be waiting for input from me.

Anyway, cool walkthrough...I set it up in a VM in Hyper-V...


From: Pedro Rocha at: 2012-09-27 10:15:18

Vlogger seems no longer available, is there any alternative or does ispconfig really need this?

From: life_watcher at: 2013-01-10 03:54:29

Great tutorial! Thank you!

a little addition: fail2ban seems to conflict with Bastille and disables the firewall set by ISPConfig (which uses Bastille to manage iptables). As a result there is no active firewall except the fail2ban rules... I had to remove fail2ban to make it work...

Thank you!

From: at: 2013-01-11 12:17:30

I would suggest fail2ban + APF and just disable the ISPConfig firewall (only if you have CLI access)

From: Anonymous at: 2012-09-22 02:36:42

Thank you !

Best TUTORIAL I've found online, up-to-date, everything just works, unlike many other half-finished tutorials!!!!

Thanks for your time.

From: Mike at: 2012-09-29 23:56:03

Simply awesome. Thank you. Only wish I would have come across this information 3 days ago.

From: Anonymous at: 2013-02-07 04:55:07

SAME HERE!

From: Gijsbert at: 2012-10-21 18:02:48

It's a good tutorial, but I found 2 things that don't seem to be right:

1) During the installation of webalizer and awstats an error occurs: "No package awstats available". I have no idea where to get it; I checked the art, dag and epel repositories, but no awstats (anymore) :(

2) On a 64-bits Centos 6.3 OS, when installing mod_python the apache error log shows:

[Sun Oct 21 17:48:08 2012] [error] python_init: Python version mismatch, expected '2.6.5', found '2.6.6'.
[Sun Oct 21 17:48:08 2012] [error] python_init: Python executable found '/usr/bin/python'.
[Sun Oct 21 17:48:08 2012] [error] python_init: Python path being used '/usr/lib64/python26.zip:/usr/lib64/python2.6/:/usr/lib64/python2.6/plat-linux2:/usr/lib64/python2.6/lib-tk:/usr/lib64/python2.6/lib-old:/usr/lib64/python2.6/lib-dynload'.

I heard that it's better to remove mod_python and use mod_wsgi instead. I tried this and the errors are gone. However, it does show a warning in the error_log:

[Sun Oct 21 20:00:08 2012] [warn] mod_wsgi: Compiled for Python/2.6.2.
[Sun Oct 21 20:00:08 2012] [warn] mod_wsgi: Runtime using Python/2.6.6.

Maybe you can rewrite the manual for these 2 issues so it will be even better in the (near) future!

From: Anonymous at: 2013-02-26 19:30:04

After installing ISPConfig 3, the admin panel shows the Apache test page... help

From: at: 2013-03-30 17:45:19