The Perfect Server CentOS 7.2 with Apache, Postfix, Dovecot, Pure-FTPD, BIND and ISPConfig 3.1

This tutorial shows the installation of ISPConfig 3.1 on a CentOS 7.2 (64Bit) server. ISPConfig is a web hosting control panel that allows you to configure the following services through a web browser: Apache web server, Postfix mail server, MySQL, BIND nameserver, PureFTPd, SpamAssassin, ClamAV, Mailman, and many more.

1 Requirements

To install such a system you will need the following:

  • A CentOS 7.2 minimal server system. This can be a server installed from scratch as described in our CentOS 7.2 minimal server tutorial or a virtual-server or root-server from a hosting company that has a minimal CentOS 7.1 setup installed.
  • A fast Internet connection.


2 Preliminary Note

In this tutorial, I use the hostname with the IP address and the gateway These settings might differ for you, so you have to replace them where appropriate.

Please note that HHVM and XMPP are not supported in ISPConfig for the CentOS platform yet. If you would like to manage an XMPP chat server from within ISPConfig or use HHVM (Hip Hop Virtual Machine) in an ISPConfig website, then please use Debian 8 or Ubuntu 16.04 as server OS instead of CentOS 7.2.

3 Prepare the server

Set the keyboard layout

If the keyboard layout of the server does not match your keyboard, you can switch to the right keyboard layout (in my case "de" for a German keyboard layout) with the localectl command:

localectl set-keymap de

To get a list of all available keymaps, run:

localectl list-keymaps

I want to install ISPConfig at the end of this tutorial. ISPConfig ships with the Bastille firewall script that I like to use as a firewall, therefore I disable the default CentOS firewall now. Of course, you are free to leave the CentOS firewall on and configure it to your needs (but then you shouldn't use any other firewall later on, as it will most probably interfere with the CentOS firewall). Until a firewall is configured again, the server runs without a packet filter.

Run

yum -y install net-tools
systemctl stop firewalld.service
systemctl disable firewalld.service

to stop and disable the CentOS firewall. It is OK if you get errors here; this just indicates that the firewall was not installed.

Then you should check that the firewall has really been disabled. To do so, run the command:

iptables -L

The output should look like this:

[[email protected] ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Or use the firewall-cmd command:

firewall-cmd --state

[[email protected] ~]# firewall-cmd --state
not running
[[email protected] ~]#

Now I will install the network configuration editor and the shell based editor "nano" that I will use in the next steps to edit the config files:

yum -y install nano wget NetworkManager-tui

If you did not configure your network card during the installation, you can do that now. Run nmtui and go to Edit a connection:

Select your network interface:

Then fill in your network details - disable DHCP and fill in a static IP address, a netmask, your gateway, and one or two nameservers, then hit Ok:

Next select OK to confirm the changes that you made in the network settings

and Quit to close the nmtui network configuration tool.

You should run ifconfig now to check if the installer got your IP address right:

[[email protected] ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet  netmask  broadcast
        inet6 fe80::20c:29ff:fecd:cc52  prefixlen 64  scopeid 0x20

        ether 00:0c:29:cd:cc:52  txqueuelen 1000  (Ethernet)
        RX packets 55621  bytes 79601094 (75.9 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 28115  bytes 2608239 (2.4 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet  netmask
        inet6 ::1  prefixlen 128  scopeid 0x10
        loop  txqueuelen 0  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

If your network card does not show up there, then it might not be enabled on boot. In this case, open the file /etc/sysconfig/network-scripts/ifcfg-eth0 (the file is named after your interface, ifcfg-ens33 in this example):

nano /etc/sysconfig/network-scripts/ifcfg-ens33

and set ONBOOT to yes:


and reboot the server.

Check your /etc/resolv.conf if it lists all nameservers that you've previously configured:

cat /etc/resolv.conf

If nameservers are missing, run nmtui and add the missing nameservers again.

Now, on to the configuration...


Adjust /etc/hosts

Next we will edit /etc/hosts. Make it look like this:

nano /etc/hosts

localhost localhost.localdomain localhost4 localhost4.localdomain4 server1

::1 localhost localhost.localdomain localhost6 localhost6.localdomain6

Disable SELinux

SELinux is a security extension of CentOS that should provide extended security. In my opinion you don't need it to configure a secure system, and it usually causes more problems than advantages (think of it after you have done a week of trouble-shooting because some service wasn't working as expected, and then you find out that everything was ok, only SELinux was causing the problem). Therefore I disable it (this is a must if you want to install ISPConfig later on).

Edit /etc/selinux/config and set SELINUX=disabled:

nano /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.

Afterwards we must reboot the system:



4 Enable Additional Repositories and Install Some Software

First, we import the GPG keys for software packages:

rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY*

Then we enable the EPEL repository on our CentOS system as lots of the packages that we are going to install in the course of this tutorial are not available in the official CentOS 7 repository:

yum -y install epel-release

yum -y install yum-priorities

Edit /etc/yum.repos.d/epel.repo...

nano /etc/yum.repos.d/epel.repo

... and add the line priority=10 to the [epel] section:

name=Extra Packages for Enterprise Linux 7 - $basearch

Then we update our existing packages on the system:

yum -y update

Now we install some software packages that are needed later on:

yum -y groupinstall 'Development Tools'


5 Quota

(If you have chosen a different partitioning scheme than I did, you must adjust this chapter so that quota applies to the partitions where you need it.)

To install quota, we run this command:

yum -y install quota

Now we check if quota is already enabled for the filesystem where the website (/var/www) and maildir data (/var/vmail) is stored. In this example setup, I have one big root partition, so I search for ' / ':

mount | grep ' / '

[[email protected] ~]# mount | grep ' / '
/dev/mapper/centos-root on / type xfs (rw,relatime,attr2,inode64,noquota)
[[email protected] ~]#

If you have a separate /var partition, then use:

mount | grep ' /var '

instead. If the line contains the word "noquota", then proceed with the following steps to enable quota.

Enabling quota on the / (root) partition

Normally you would enable quota in the /etc/fstab file, but if the filesystem is the root filesystem "/", then quota has to be enabled by a boot parameter of the Linux Kernel.

Edit the grub configuration file:

nano /etc/default/grub

Search for the line that starts with GRUB_CMDLINE_LINUX and add rootflags=uquota,gquota to the command line parameters so that the resulting line looks like this:

GRUB_CMDLINE_LINUX="crashkernel=auto rhgb quiet rootflags=uquota,gquota"

and apply the changes by running the following command.

cp /boot/grub2/grub.cfg /boot/grub2/grub.cfg_bak
grub2-mkconfig -o /boot/grub2/grub.cfg

and reboot the server.


Now check if quota is enabled:

mount | grep ' / '

[[email protected] ~]# mount | grep ' / '
/dev/mapper/centos-root on / type xfs (rw,relatime,attr2,inode64,usrquota,grpquota)
[[email protected] ~]#

When quota is active, we can see "usrquota,grpquota" in the mount option list.
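The option names uquota and gquota used above are XFS names; an ext3/ext4 filesystem rejects them at mount time, and a rejected rootflags value leaves the server unable to mount /. The following check is an added example, not part of the original tutorial: the function names are hypothetical and the ext4 sample line is constructed.

```shell
#!/bin/sh
# Added example, not part of the original tutorial; function names are hypothetical.
# Reads `mount` output on stdin and reports where and how to enable quota.

# Print the filesystem type of mount point $1.
fs_type_of() {
    awk -v mp="$1" '$2 == "on" && $3 == mp && $4 == "type" { print $5; exit }'
}

# Print "on" if a quota option is active on mount point $1, else "off".
# Options are compared whole, so "noquota" does not count as a match.
quota_state() {
    awk -v mp="$1" '$2 == "on" && $3 == mp {
        opts = $6; gsub(/[()]/, "", opts); n = split(opts, o, ",")
        for (i = 1; i <= n; i++)
            if (o[i] ~ /^(usrquota|grpquota|uquota|gquota|quota)$/) { print "on"; exit }
        print "off"; exit
    }'
}

# Print the change needed for mount point $1 before anything is edited.
quota_advice() {
    qa_mounts=$(cat)
    qa_type=$(printf '%s\n' "$qa_mounts" | fs_type_of "$1")
    if [ -z "$qa_type" ]; then echo "error: $1 is not a mount point"; return 2; fi
    if [ "$(printf '%s\n' "$qa_mounts" | quota_state "$1")" = "on" ]; then
        echo "active: quota already enabled on $1"; return 0
    fi
    case "$qa_type" in
        xfs)  # root filesystem: set via the kernel parameter, as the tutorial does
            if [ "$1" = "/" ]; then echo "grub: rootflags=uquota,gquota"
            else echo "fstab: uquota,gquota"; fi ;;
        ext3|ext4)  # ext3/ext4 reject uquota/gquota and need the long names
            echo "fstab: usrquota,grpquota" ;;
        *)  echo "error: no quota options known for $qa_type"; return 1 ;;
    esac
}

# Sample lines: the tutorial's XFS root, and a constructed ext4 root.
XFS_ROOT='/dev/mapper/centos-root on / type xfs (rw,relatime,attr2,inode64,noquota)'
EXT4_ROOT='/dev/vda1 on / type ext4 (rw,relatime,data=ordered)'

printf '%s\n' "$XFS_ROOT"  | quota_advice /
printf '%s\n' "$EXT4_ROOT" | quota_advice /
# On a live system: mount | quota_advice /
```

Run it before editing /etc/default/grub or /etc/fstab; only the "grub:" result calls for the rootflags step.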


Enabling quota on a separate /var partition

If you have a separate /var partition, then edit /etc/fstab and add ,uquota,gquota to the /var partition (/dev/mapper/centos-var):

nano /etc/fstab

# /etc/fstab
# Created by anaconda on Sun Sep 21 16:33:45 2014
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
/dev/mapper/centos-root / xfs defaults 1 1
/dev/mapper/centos-var /var xfs defaults,uquota,gquota 1 2
UUID=9ac06939-7e43-4efd-957a-486775edd7b4 /boot xfs defaults 1 3
/dev/mapper/centos-swap swap swap defaults 0 0

Then run

mount -o remount /var

quotacheck -avugm
quotaon -avug

to enable quota. If you get an error that there is no partition with quota enabled, then reboot the server before you proceed.


6 Install Apache, MySQL, phpMyAdmin

We can install the needed packages with one single command:

yum -y install ntp httpd mod_ssl mariadb-server php php-mysql php-mbstring phpmyadmin

To ensure that the server cannot be attacked through the HTTPOXY vulnerability, we will strip the Proxy request header (which CGI-style applications see as the HTTP_PROXY environment variable) in Apache globally.

Add the apache header rule at the end of the httpd.conf file:

echo "RequestHeader unset Proxy early" >> /etc/httpd/conf/httpd.conf

And restart httpd to apply the configuration change.

service httpd restart
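The echo ... >> command above adds another copy of the directive every time it is run, and it joins the directive onto the last line if httpd.conf does not end with a newline. The following idempotent variant is an added example, not part of the original tutorial: the function names are hypothetical and the sample configuration is constructed.

```shell
#!/bin/sh
# Added example, not part of the original tutorial; function names are hypothetical.

# Succeeds if config file $1 contains an active (uncommented) directive that
# unsets the Proxy request header. Apache directive names are case-insensitive.
has_httpoxy_rule() {
    grep -Eiq '^[[:space:]]*RequestHeader[[:space:]]+unset[[:space:]]+"?Proxy"?([[:space:]]+early)?[[:space:]]*$' "$1"
}

# Append the directive only when it is missing, so repeated runs do not
# stack duplicates. Prints "present" or "added".
ensure_httpoxy_rule() {
    if has_httpoxy_rule "$1"; then
        echo "present"
        return 0
    fi
    # $(...) strips a trailing newline, so a non-empty result means the file
    # ends in the middle of a line and needs a newline first.
    if [ -n "$(tail -c1 "$1")" ]; then
        printf '\n' >> "$1"
    fi
    printf '%s\n' 'RequestHeader unset Proxy early' >> "$1" && echo "added"
}

# Constructed sample config: the rule exists only as a comment and the file
# has no trailing newline.
demo_conf=$(mktemp)
printf 'ServerRoot "/etc/httpd"\n# RequestHeader unset Proxy early\nListen 80' > "$demo_conf"
ensure_httpoxy_rule "$demo_conf"   # first run appends the directive
ensure_httpoxy_rule "$demo_conf"   # second run finds it and changes nothing
rm -f "$demo_conf"

# On the server:
#   ensure_httpoxy_rule /etc/httpd/conf/httpd.conf && apachectl configtest
```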


30 Comment(s)


From: Jay Martin at: 2016-06-24 13:41:47

It would be cool to have this with the Horde 5 webmail front end.

From: leon at: 2016-06-30 15:31:02

python gives a .git error  solve it by running this in the install dir

sed \
  -e 's/(git describe --always)/(git describe --always 2>\/dev\/null)/g' \
  -e 's/`git describe --always`/`git describe --always 2>\/dev\/null`/g' \
  -i $( find . -type f -name Makefile\* -o -name )


From: Alison at: 2016-07-06 10:36:51

Item 12 refers to "ISPConfig 3 allows you to use mod_php, mod_fcgi/PHP5, cgi/PHP5, and suPHP on a per website basis". Whereas the tutorial for 7.1 includes instruction to build suPHP the 7.2 tutorial doesn't. Is it still necessary to build it?

From: till at: 2016-07-06 12:45:18

SuPHP should not be used anymore, that's why it was removed from this tutorial. Nevertheless, ISPConfig supports it for downwards compatibility.

From: brody at: 2016-07-12 22:22:58

I am getting an error when I do a security check "Deprecated SSL Protocol Usage"..

how do I to SSL 2.0 and SSL 3.0, and use TLS 1.0 or newer?

From: peri0603 at: 2016-07-31 15:42:50

Why don't you edit /etc/hostname here like you do in the debian perfect server tutorials...

From: Phillip Stephens at: 2016-08-04 02:38:03

In the second step you have us run the command "cat /dev/null > /etc/named.conf" for me this completely wipes my named.conf file. Am I getting the syntax wrong or did I miss a vital step where this data was written to /dev/null? Also, thanks for such a great tutorial!

From: till at: 2016-08-04 06:18:04

Yes, that's the intention of the command, as it's easier to wipe the whole file than deleting each line inside one by one. Then in the next command you edit the file with nano and insert the content as shown in the tutorial, and proceed with the next steps of the tutorial. There is no syntax error, just follow the tutorial step by step until the end, I just tested it here again. The tutorial is finished after you installed ISPConfig, the services are configured by ISPConfig, so do not try to test them in an unfinished installation stage before you installed ISPConfig.

From: Bayart at: 2016-08-20 11:29:11

How to fix following error?

I can't sent mail to other mail server.

Aug 19 22:59:01 systemd[1]: Failed to start Amavisd-new is an interface between MTA and content checkers..

Aug 19 22:59:01 systemd[1]: Unit amavisd.service entered failed state.

Aug 19 22:59:01 systemd[1]: amavisd.service failed.

Aug 19 22:59:01 systemd[1]: amavisd.service holdoff time over, scheduling restart.

Aug 19 22:59:01 systemd[1]: start request repeated too quickly for amavisd.service

Aug 19 22:59:01 systemd[1]: Failed to start Amavisd-new is an interface between MTA and content checkers..

Aug 19 22:59:01 systemd[1]: Unit amavisd.service entered failed state.

Aug 19 22:59:01 systemd[1]: amavisd.service failed.



From: Christovampaynes at: 2016-10-24 02:49:46

you need to configure the server's hostname. It needs to respond to the fqdn.

hostname -f


Also check in /etc/amavisd/amavisd.conf, if the variable $ mydomain is the FQDN.

$ Domain = '';

From: grasomega at: 2016-08-27 11:39:56

Thanks for the (always) great tutorial!

Just wanted to note that I had to write ",usrquota,grpquota" in /etc/fstab for the /var partition. I used standard partitioning, not LVM.

From: Mars at: 2016-09-03 16:04:16

If I don't want mail and DNS, can I just skip the install of Postfix, Dovecot and BIND? Or will I run into trouble while installing ISPConfig?

From: Caner at: 2016-09-15 23:41:35

I received this error while installing ISPConfig

[INFO] service Postgrey not detected


From: dragosl at: 2016-09-30 19:03:44

yum -y install postgrey; systemctl enable postgrey; systemctl start postgrey

From: CBHedricks at: 2016-09-21 17:54:42

Thank you for a great walk thru / tutorial on CentOS server setup, I have my website running now and it works perfectly.  The downside is that Roundcube will not connect to the server no matter what I try.  I believe that I am missing something (setup wise) in the roundcube section, as when reached the "installer page" on the browser it did not match your guide at all.

Every time I start roundcube it errors out immediately "cannot find /" and tells me to read installation instructions...  Strange as I have verified the file exists and is as it should be in /etc/roundcubemail/ on my server.

Any thoughts?



From: sebastien douville at: 2016-09-28 05:39:37

I installed that configuration server with an OVH domain name and I receive: "Rejected request from RFC1918 IP to public server address".

Can someone help me resolve that problem?


From: dragosl at: 2016-09-28 20:43:55

Just installed:

1. postgrey not available unless "yum install postgrey"

2. mailman installed as per howto however upon ispconfig installation i get [INFO] service Mailman not detected


[[email protected] install]# systemctl status mailman
● mailman.service - GNU Mailing List Manager
   Loaded: loaded (/usr/lib/systemd/system/mailman.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2016-09-28 22:52:16 EEST; 39min ago
 Main PID: 23422 (mailmanctl)
   CGroup: /system.slice/mailman.service
           ├─23422 /usr/bin/python /usr/lib/mailman/bin/mailmanctl -s start
           ├─23423 /usr/bin/python /usr/lib/mailman/bin/qrunner --runner=ArchRunner:0:1 -s
           ├─23424 /usr/bin/python /usr/lib/mailman/bin/qrunner --runner=BounceRunner:0:1 -s
           ├─23425 /usr/bin/python /usr/lib/mailman/bin/qrunner --runner=CommandRunner:0:1 -s
           ├─23426 /usr/bin/python /usr/lib/mailman/bin/qrunner --runner=IncomingRunner:0:1 -s
           ├─23427 /usr/bin/python /usr/lib/mailman/bin/qrunner --runner=NewsRunner:0:1 -s
           ├─23428 /usr/bin/python /usr/lib/mailman/bin/qrunner --runner=OutgoingRunner:0:1 -s
           ├─23429 /usr/bin/python /usr/lib/mailman/bin/qrunner --runner=VirginRunner:0:1 -s
           └─23430 /usr/bin/python /usr/lib/mailman/bin/qrunner --runner=RetryRunner:0:1 -s


From: dragosl at: 2016-09-29 13:37:07

The second part regarding mailman not detected by ISPconfig although it is enabled and running.. now I've reverted back to the snapshot taken right before ispconfig installation.. so until I install ISPconfig again, where should I look to ensure ispconfig will detect mailman?

From: till at: 2016-09-29 13:44:37

ISPConfig uses the which command to find mailman. Seems as if CentOS installs mailman outside of the path so that the which command cannot find it. Find out where mailman is installed and add its path to the PATH variable or alternatively place a symlink to mailman in a place that is in the path like /usr/bin.

From: dragosl at: 2016-09-29 20:08:11

"which" indeed didn't ring any bell. Searching for a file named mailman produced the below.



Probably the first is worth creating a link to.. I'll give it a try.

From: dragosl at: 2016-09-30 19:06:13

To fix the Mailman issue:

ln -s /usr/lib/mailman/mail/mailman /usr/bin/mailman

From: Markus Petzsch at: 2016-09-29 17:54:37

One addition so dnssec works:

After installing haveged we need to enable the "init" script. :-)

systemctl enable haveged

From: dragosl at: 2016-09-30 19:57:01


What about [INFO] service Metronome XMPP Server not detected? Can't see any info on it in the tutorial.

From: ServerDad at: 2016-10-01 13:43:14

Hi, I'm at the step where I've added rootflags=uquota,gquota to grub and rebooted.  I can no longer log in through Putty, but I can access the server through a web console.  My server is in Emergency mode.  Here is the error that I'm receiving:

[1.444280] EXT4-fs (vda1): Unrecognized mount option "uquota" or missing value

Could someone point me in the right direction to correct this?


From: peter klinser at: 2016-10-03 08:18:11

hello

have installed the perfect server centos 7.2 with ispconfig. but if i want to see the webinterface there is no connection. apache is running, have firewall and NAT to the internal ip, all ports are forwarding. i always get connection timeout. putty is working with the official ip, so portforwarding is working correctly. have installed the vmware image ( OVA ). what can i do? thanks a lot


From: till at: 2016-10-03 10:24:02

Please make a post in the forum so we can help you to find out what is blocking port 8080 in your setup.

From: Alex at: 2016-10-03 16:57:52

Help.  Amavisd service status=255 when trying to start.

Are there not changes required to be made of the configuration file in order for this to start?



From: Jon at: 2016-10-09 16:05:05

Hi, thanks for the guide, this is really useful.

I'm trying to figure out why you chose to place certbot in /opt/ while jailkit goes under /usr/local/src.


From: Randy at: 2016-10-12 02:19:56

Great tutorial - thanks.

Freshclam also needs an edit to /etc/sysconfig/freshclam which disables Freshclam by default.

From: Christovampaynes at: 2016-10-24 02:53:12


I passed the error below:

 status=deferred (SASL authentication failed; cannot authenticate to server[]: no mechanism available)


yum install cyrus-sasl-sql cyrus-sasl-plain cyrus-sasl-lib