There is a new version of this tutorial available for CentOS 7.6.

The Perfect Server CentOS 7.3 with Apache, Postfix, Dovecot, Pure-FTPD, BIND and ISPConfig 3.1

This tutorial shows the installation of ISPConfig 3.1 on a CentOS 7.3 (64Bit) server. ISPConfig is a web hosting control panel that allows you to configure the following services through a web browser: Apache web server, Postfix mail server, MySQL, BIND nameserver, PureFTPd, SpamAssassin, ClamAV, Mailman, and many more.

1 Requirements

To install such a system you will need the following:

  • A Centos 7.3 minimal server system. This can be a server installed from scratch as described in our Centos 7.3 minimal server tutorial or a virtual-server or root-server from a hosting company that has a minimal Centos 7.3 setup installed.
  • A fast Internet connection.

 

2 Preliminary Note

In this tutorial, I use the hostname server1.example.com with the IP address 192.168.1.100 and the gateway 192.168.1.1. These settings might differ for you, so you have to replace them where appropriate.

Please note that HHVM and XMPP are not supported in ISPConfig for the CentOS platform yet. If you like to manage an XMPP chat server from within ISPConfig or use HHVM (Hip Hop Virtual Machine) in an ISPConfig website, then please use Debian 8 or Ubuntu 16.04 as server OS instead of CentOS 7.3.

3 Prepare the server

Set the keyboard layout

In case that the keyboard layout of the server does not match your keyboard, you can switch to the right keyboard (in my case "de" for a german keyboard layout, with the localectl command:

localectl set-keymap de

To get a list of all available keymaps, run:

localectl list-keymaps

I want to install ISPConfig at the end of this tutorial, ISPConfig ships with the Bastille firewall script that I will use as firewall, therefor I disable the default CentOS firewall now. Of course, you are free to leave the CentOS firewall on and configure it to your needs (but then you shouldn't use any other firewall later on as it will most probably interfere with the CentOS firewall).

Run...

yum -y install net-tools
systemctl stop firewalld.service
systemctl disable firewalld.service

to stop and disable the CentOS firewall. It is ok when you get errors here, this just indicates that the firewall was not installed.

Then you should check that the firewall has really been disabled. To do so, run the command:

iptables -L

The output should look like this:

[[email protected] ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Or use the firewall-cmd command:

firewall-cmd --state
[[email protected] ~]# firewall-cmd --state
not running
[[email protected] ~]#

Now I will install the network configuration editor and the shell based editor "nano" that I will use in the next steps to edit the config files:

yum -y install nano wget NetworkManager-tui

If you did not configure your network card during the installation, you can do that now. Run...

nmtui

... and go to Edit a connection:

Select your network interface:

Then fill in your network details - disable DHCP and fill in a static IP address, a netmask, your gateway, and one or two nameservers, then hit Ok:

Next select OK to confirm the changes that you made in the network settings

and Quit to close the nmtui network configuration tool.

You should run

ifconfig

now to check if the installer got your IP address right:

[[email protected] ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.100  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::20c:29ff:fecd:cc52  prefixlen 64  scopeid 0x20

        ether 00:0c:29:cd:cc:52  txqueuelen 1000  (Ethernet)
        RX packets 55621  bytes 79601094 (75.9 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 28115  bytes 2608239 (2.4 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10
        loop  txqueuelen 0  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

If your network card does not show up there, then it not be enabled on boot, In this case, open the file /etc/sysconfig/network-scripts/ifcfg-eth0

nano /etc/sysconfig/network-scripts/ifcfg-ens33

and set ONBOOT to yes:

[...]
ONBOOT=yes
[...]

and reboot the server.

Check your /etc/resolv.conf if it lists all nameservers that you've previously configured:

cat /etc/resolv.conf

If nameservers are missing, run

nmtui

and add the missing nameservers again.

Now, on to the configuration...

 

Adjusting /etc/hosts and /etc/hostname

Next, we will edit /etc/hosts. Make it look like this:

nano /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
192.168.1.100   server1.example.com     server1

::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

Set the hostname in the /etc/hostname file. The file shall contain the fully qualified domain name (e.g. server1.example.com in my case) and not just the short name like "server1". Open the file with the nano editor:

nano /etc/hostname

And set the hostname in the file.

server1.example.com

Save the file and exit nano.

Disable SELinux

SELinux is a security extension of CentOS that should provide extended security. In my opinion you don't need it to configure a secure system, and it usually causes more problems than advantages (think of it after you have done a week of trouble-shooting because some service wasn't working as expected, and then you find out that everything was ok, only SELinux was causing the problem). Therefore I disable it (this is a must if you want to install ISPConfig later on).

Edit /etc/selinux/config and set SELINUX=disabled:

nano /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

Afterwards we must reboot the system:

reboot

 

4 Enable Additional Repositories and Install Some Software

First, we import the GPG keys for software packages:

rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY*

Then we enable the EPEL repository on our CentOS system as lots of the packages that we are going to install in the course of this tutorial are not available in the official CentOS 7 repository:

yum -y install epel-release
yum -y install yum-priorities

Edit /etc/yum.repos.d/epel.repo...

nano /etc/yum.repos.d/epel.repo

... and add the line priority=10 to the [epel] section:

[epel]
name=Extra Packages for Enterprise Linux 7 - $basearch
#baseurl=http://download.fedoraproject.org/pub/epel/7/$basearch
mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=$basearch
failovermethod=priority
enabled=1
priority=10
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
[...]

Then we update our existing packages on the system:

yum -y update

Now we install some software packages that are needed later on:

yum -y groupinstall 'Development Tools'

 

5 Quota

(If you have chosen a different partitioning scheme than I did, you must adjust this chapter so that quota applies to the partitions where you need it.)

To install quota, we run this command:

yum -y install quota

Now we check if quota is already enabled for the filesystem where the website (/var/www) and maildir data (var/vmail) is stored. In this example setup, I have one big root partition, so I search for ' / ':

mount | grep ' / '
[[email protected] ~]# mount | grep ' / '
/dev/mapper/centos-root on / type xfs (rw,relatime,attr2,inode64,noquota)
[[email protected] ~]#

If you have a separate /var partition, then use:

mount | grep ' /var '

instead. If the line contains the word "noquota", then proceed with the following steps to enable quota.

Enabling quota on the / (root) partition

Normally you would enable quota in the /etc/fstab file, but if the filesystem is the root filesystem "/", then quota has to be enabled by a boot parameter of the Linux Kernel.

Edit the grub configuration file:

nano /etc/default/grub

search fole the line that starts with GRUB_CMDLINE_LINUX and add rootflags=uquota,gquota to the commandline parameters so that the resulting line looks like this:

GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet rootflags=uquota,gquota"

and apply the changes by running the following command.

cp /boot/grub2/grub.cfg /boot/grub2/grub.cfg_bak
grub2-mkconfig -o /boot/grub2/grub.cfg

and reboot the server.

reboot

Now check if quota is enabled:

mount | grep ' / '
[[email protected] ~]# mount | grep ' / '
/dev/mapper/centos-root on / type xfs (rw,relatime,attr2,inode64,usrquota,grpquota)
[[email protected] ~]#

When quota is active, we can see "usrquota,grpquota" in the mount option list.

 

Enabling quota on a separate /var partition

If you have a separate /var partition, then edit /etc/fstab and add ,uquota,gquota to the / partition (/dev/mapper/centos-var):

nano /etc/fstab

#
# /etc/fstab
# Created by anaconda on Sun Sep 21 16:33:45 2014
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/centos-root /                       xfs     defaults        1 1
/dev/mapper/centos-var /var                     xfs     defaults,uquota,gquota        1 2
UUID=9ac06939-7e43-4efd-957a-486775edd7b4 /boot                   xfs     defaults        1 3
/dev/mapper/centos-swap swap                    swap    defaults        0 0

Then run

mount -o remount /var
quotacheck -avugm
quotaon -avug

to enable quota. When you get an error that there is no partition with quota enabled, then reboot the server before you proceed.

 

6 Install Apache, MySQL, phpMyAdmin

We can install the needed packages with one single command:

yum -y install ntp httpd mod_ssl mariadb-server php php-mysql php-mbstring phpmyadmin

To ensure that the server can not be attacked trough the HTTPOXY vulnerability, we will disable the HTTP_PROXY header in apache globally. 

Add the apache header rule at the end of the httpd.conf file:

echo "RequestHeader unset Proxy early" >> /etc/httpd/conf/httpd.conf

And restart httpd to apply the configuration change.

service httpd restart 

Share this page:

28 Comment(s)

Add comment

Please register in our forum first to comment.

Comments

By: MaxMan
Reply  

How to change php PHP 5.4.16 on PHP 5.6 without crashing system?

By: DarioL
Reply  

I use this procedure:

  # rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm  # yum install yum-plugin-replace  # yum replace php-common --replace-with=php56w-common  # service httpd restart

Take from here: https://webtatic.com/packages/php56/

Hope this help

Dario

By: MaxMan
Reply  

Or how to install PHP 5.6 as additional PHP-FPM & FastCGI?

And how to install PHP 7 as additional PHP-FPM & FastCGI?

Please halp who know the answer.

By: Purexer
Reply  

Thanks for the tuto. But it will be great if you add some notes (definition or what it do) on each tool

and a tuto of how to set your own dns on this server

By: carsten
Reply  

The port 587 is not opened in postfix - /etc/postfix/master.cf :

https://kupschke.net/2011/01/23/smtp-submission-mit-postfix/

 

That was trouble to search, why the hack thunderbird is not working.

By: akoelah
Reply  

systemctl start named.serviceJob for named.service failed because the control process exited with error code. See "systemctl status named.service" and "journalctl -xe" for details.

help me please...

 

By: Gabriel Lobo-Blanco
Reply  

All this information about the setup was great.  However, how do you install wordpress in such an environment?  Can you please shed some light?

 

All your time is appreciated.

 

Thanks.

By: till
Reply  

That's really easy, login to ispconfig and create a website, then use the APS installer in ISPConfig to install WordPress. Or upload WordPress to the web directory that ISPConfig created by FTP.

By: LT
Reply  

Love these guides, always 100% success on the first install attempt :)

By: BEF
Reply  

Great tuto 

By: Luvelnet
Reply  

Hi,

I had trouble enabling quota because the "grub.cfg" file on EFI servers is located elsewhere.

Solution:

1. For servers with EFI, the "grub.cfg" file is listed here: "/boot/efi/EFI/centos/grub.cfg".

2. Then, first run command "cp /boot/efi/EFI/centos/grub.cfg /boot/efi/EFI/centos/grub.cfg.orig".

2. Later, run command "grub2-mkconfig -o /boot/efi/EFI/centos/grub.cfg".

Enjoy!

By: Nicholas
Reply  

Warning

If install quota

Don't use in rootflags=uquota,gquota or defaults,uquota,gquota

but -> quota,usrquota,grpquota

Quota don't start, end if change the grub lost your server :(

By: till
Reply  

Might depend on the base server setup. The server here works fine with the settings from the tutorial.

By: maportillo
Reply  

In filesystem xfs use command xfs_quota -x and then enable 

By: El informatico
Reply  

How to fix Illegal list name: [email protected]

nano /etc/mailman/mm_cfg.py

DEFAULT_EMAIL_HOST = 'localhost'

DEFAULT_URL_HOST = 'localhost'

to

DEFAULT_EMAIL_HOST = 'myhost.net'

DEFAULT_URL_HOST = 'myhost.net'

 

Then create newlist again

/usr/lib/mailman/bin/newlist mailman

By: Cedric
Reply  

hi,

Amavis don't want to restart after my domain and email are configured in ispconfig.

i am very novice, i don't understand why...

this is my log:

Jun 18 18:02:45 vps systemd: amavisd.service holdoff time over, scheduling restart. Jun 18 18:02:45 vps systemd: Starting Amavisd-new is an interface between MTA and content checkers.... Jun 18 18:02:45 vps amavisd: Error in config file "/etc/amavisd/amavisd.conf": Can't open PEM file /var/lib/amavis/dkim/mydomain.com.private: Permission non accordée at /usr/sbin/amavisd line 636. Jun 18 18:02:45 vps systemd: amavisd.service: control process exited, code=exited status=13 Jun 18 18:02:45 vps systemd: Failed to start Amavisd-new is an interface between MTA and content checkers.. Jun 18 18:02:45 vps systemd: Unit amavisd.service entered failed state. Jun 18 18:02:45 vps systemd: amavisd.service failed.

 

i would greatly appreciate any help.

By: till
Reply  

The generation of the Dkim key must have failed. Please ask in the forum for help to debug why it failed.

By: Nicholas
Reply  

I configured server on mymain domain example: domain.com in the panel no problem :D if i create a site with domain.com i have ssl error... how i solve this problem?

By: John
Reply  

My web interface has ssl but the certificate is self signed, how can I get a ssl cert from lets encrypt for the web interface?

By: BlueCollar
Reply  

 I had issues with the mod_python install. The sed onliner didn't work for me. Initializing git didn't work for me. This did and it competed without the fatal error.It was posted on another site on www.aboutmonitoring.com/2014/12/08/

tar zxfv mod_python-3.5.0.tg cd mod_python-3.5.0 ./configure -with-apxs=/usr/bin/apxs

Before “make” we will modify two files. There is more information at the end of the post in “References”.src/Makefile. Add the marked lines.

version.c: @MP_GIT_SHA=$$(git describe --always); \ echo > version.c ; \ echo "/* THIS FILE IS AUTO-GENERATED BY Makefile */" >> version.c ; \ echo "#include \"mp_version.h\"" >> version.c ; \ include/mod_python.h include/psp_flex.h include/psp_parser.h \ include/requestobject.h include/tableobject.h include/connobject.h \ include/finfoobject.h include/hlistobject.h include/mp_version.h \ include/_pspmodule.h include/psp_string.h include/serverobject.h \ include/util.h \ echo "const char * const mp_git_sha = \"$${MP_GIT_SHA}\";" >> version.c ; \

dist/version.sh. Coment / add the marked lines

#!/bin/sh MPV_PATH="`dirname $0`/../src/include/mp_version.h" MAJ=`awk '/MP_VERSION_MAJOR/ {print $3}' $MPV_PATH` MIN=`awk '/MP_VERSION_MINOR/ {print $3}' $MPV_PATH` PCH=`awk '/MP_VERSION_PATCH/ {print $3}' $MPV_PATH` #GIT=`git describe --always` #echo $MAJ.$MIN.$PCH-$GIT echo $MAJ.$MIN.$PCH-

By: Mark
Reply  

Thanks this was very insightful and helpful...

By: Stiff Roy
Reply  

PostFix problem:

I had sendmail. It was working well. I disabled it in order to use PostFix. But unfortunately, now I cannot send emails anymore from the server (the php forms, normal php as well as wordpress, of my server sends the email without any error but is never received in the mail box). How can I debug the issue? Please help.Thanks in advance,Stiff Roy

By: till
Reply  

Please post in the forum if you need help, email errors are in the /var/log/maillog. Btw, ISPConfig does not even support sendmail. I really wonder how you were using ISPConfig with sendmail.

By: SCALEXO
Reply  

You forgot to write to uncomment #CertFile at pure-ftpd.conf

By: Marvin
Reply  

Thanks Till for this Tutorial! I recently tried to reconstruct the setup on CentOS 7.4 . Went so far so good... Until the moment where it comes to the first Login in ISPConfig 3.1 .

The login with "admin/admin" redirects directly back to the loginpage, no error message provided. However, there is one if the username / password is actual wrong.Not sure what can cause that, most likely a change in the OS or any of the programs messed something up. However, without error message i am kinda stuck and first research was not successful.

By: Pat
Reply  

Did you ever find a resolution. I am experiencing same issue after fresh install?

By: Bladez
Reply  

If mailman does not start run command

 /usr/lib/mailman/bin/newlist mailman  https://www.howtoforge.com/community/threads/error-when-installing-mailman-perfect-server-setup-centos-7.67730/

 

By: little correction
Reply  

the line

 

Now we will install RoundCube in the browser at http://192.168.1.100/roundcubemail/installer

 

must be

Now we will install RoundCube in the browser at http://192.168.1.100/webmail/installer

 

is a little obvious but took a couple of minutes to find it