There is a new version of this tutorial available for CentOS 7.6.

The Perfect Server CentOS 7.4 with Apache, Postfix, Dovecot, Pure-FTPD, BIND and ISPConfig 3.1

This tutorial shows the installation of ISPConfig 3.1 on a CentOS 7.4 (64Bit) server. ISPConfig is a web hosting control panel that allows you to configure the following services through a web browser: Apache web server, Postfix mail server, MySQL, BIND nameserver, PureFTPd, SpamAssassin, ClamAV, Mailman, and many more.

1 Requirements

To install such a system you will need the following:

  • A Centos 7.4 minimal server system. This can be a server installed from scratch as described in our Centos 7 minimal server tutorial or a virtual-server or root-server from a hosting company that has a minimal Centos 7.4 setup installed.
  • A fast Internet connection.

 

2 Preliminary Note

In this tutorial, I use the hostname server1.example.com with the IP address 192.168.0.100 and the gateway 192.168.0.1. These settings might differ for you, so you have to replace them where appropriate.

Please note that HHVM and XMPP are not supported in ISPConfig for the CentOS platform yet. If you like to manage an XMPP chat server from within ISPConfig or use HHVM (Hip Hop Virtual Machine) in an ISPConfig website, then please use Debian or Ubuntu 16.04 as server OS instead of CentOS 7.4.

3 Prepare the server

Set the keyboard layout

In case that the keyboard layout of the server does not match your keyboard, you can switch to the right keyboard (in my case "de" for a German keyboard layout, with the localectl command:

localectl set-keymap de

To get a list of all available keymaps, run:

localectl list-keymaps

I want to install ISPConfig at the end of this tutorial, ISPConfig ships with the Bastille firewall script that I will use as firewall, therefor I disable the default CentOS firewall now. Of course, you are free to leave the CentOS firewall on and configure it to your needs (but then you shouldn't use any other firewall later on as it will most probably interfere with the CentOS firewall).

Run...

yum -y install net-tools
systemctl stop firewalld.service
systemctl disable firewalld.service

to stop and disable the CentOS firewall. It is ok when you get errors here, this just indicates that the firewall was not installed.

Then you should check that the firewall has really been disabled. To do so, run the command:

iptables -L

The output should look like this:

[[email protected] ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Or use the firewall-cmd command:

firewall-cmd --state
[[email protected] ~]# firewall-cmd --state
not running
[[email protected] ~]#

Now I will install the network configuration editor and the shell based editor "nano" that I will use in the next steps to edit the config files:

yum -y install nano wget NetworkManager-tui

If you did not configure your network card during the installation, you can do that now. Run...

nmtui

... and go to Edit a connection:

Select your network interface:

Then fill in your network details - disable DHCP and fill in a static IP address, a netmask, your gateway, and one or two nameservers, then hit Ok:

Next select OK to confirm the changes that you made in the network settings

and Quit to close the nmtui network configuration tool.

You should run

ifconfig

now to check if the installer got your IP address right:

[[email protected] ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.100 netmask 255.255.255.0 broadcast 192.168.0.255
inet6 fe80::20c:29ff:fe1a:3d8e prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:1a:3d:8e txqueuelen 1000 (Ethernet)
RX packets 184972 bytes 256696909 (244.8 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 62983 bytes 7236189 (6.9 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

[[email protected] ~]#

If your network card does not show up there, then it not be enabled on boot, In this case, open the file /etc/sysconfig/network-scripts/ifcfg-eth0

nano /etc/sysconfig/network-scripts/ifcfg-ens33

and set ONBOOT to yes:

[...]
ONBOOT=yes
[...]

and reboot the server.

Check your /etc/resolv.conf if it lists all nameservers that you've previously configured:

cat /etc/resolv.conf

If nameservers are missing, run

nmtui

and add the missing nameservers again.

Now, on to the configuration...

 

Adjusting /etc/hosts and /etc/hostname

Next, we will edit /etc/hosts. Make it look like this:

nano /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
192.168.1.100 server1.example.com server1

::1 localhost localhost.localdomain localhost6 localhost6.localdomain6

Set the hostname in the /etc/hostname file. The file shall contain the fully qualified domain name (e.g. server1.example.com in my case) and not just the short name like "server1". Open the file with the nano editor:

nano /etc/hostname

And set the hostname in the file.

server1.example.com

Save the file and exit nano.

Disable SELinux

SELinux is a security extension of CentOS that should provide extended security. In my opinion you don't need it to configure a secure system, and it usually causes more problems than advantages (think of it after you have done a week of trouble-shooting because some service wasn't working as expected, and then you find out that everything was ok, only SELinux was causing the problem). Therefore I disable it (this is a must if you want to install ISPConfig later on).

Edit /etc/selinux/config and set SELINUX=disabled:

nano /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

Afterwards we must reboot the system:

reboot

 

4 Enable Additional Repositories and Install Some Software

First, we import the GPG keys for software packages:

rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY*

Then we enable the EPEL repository on our CentOS system as lots of the packages that we are going to install in the course of this tutorial are not available in the official CentOS 7 repository:

yum -y install epel-release
yum -y install yum-priorities

Edit /etc/yum.repos.d/epel.repo...

nano /etc/yum.repos.d/epel.repo

... and add the line priority=10 to the [epel] section:

[epel]
name=Extra Packages for Enterprise Linux 7 - $basearch
#baseurl=http://download.fedoraproject.org/pub/epel/7/$basearch
mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=$basearch
failovermethod=priority
enabled=1
priority=10
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
[...]

Then we update our existing packages on the system:

yum -y update

Now we install some software packages that are needed later on:

yum -y groupinstall 'Development Tools'

 

5 Quota

(If you have chosen a different partitioning scheme than I did, you must adjust this chapter so that quota applies to the partitions where you need it.)

To install quota, we run this command:

yum -y install quota

Now we check if quota is already enabled for the filesystem where the website (/var/www) and maildir data (var/vmail) is stored. In this example setup, I have one big root partition, so I search for ' / ':

mount | grep ' / '
[[email protected] ~]# mount | grep ' / '
/dev/mapper/centos-root on / type xfs (rw,relatime,attr2,inode64,noquota)
[[email protected] ~]#

If you have a separate /var partition, then use:

mount | grep ' /var '

instead. If the line contains the word "noquota", then proceed with the following steps to enable quota.

Enabling quota on the / (root) partition

Normally you would enable quota in the /etc/fstab file, but if the filesystem is the root filesystem "/", then quota has to be enabled by a boot parameter of the Linux Kernel.

Edit the grub configuration file:

nano /etc/default/grub

search fole the line that starts with GRUB_CMDLINE_LINUX and add rootflags=uquota,gquota to the commandline parameters so that the resulting line looks like this:

GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet rootflags=uquota,gquota"

and apply the changes by running the following command.

cp /boot/grub2/grub.cfg /boot/grub2/grub.cfg_bak
grub2-mkconfig -o /boot/grub2/grub.cfg

and reboot the server.

reboot

Now check if quota is enabled:

mount | grep ' / '
[[email protected] ~]# mount | grep ' / '
/dev/mapper/centos-root on / type xfs (rw,relatime,attr2,inode64,usrquota,grpquota)
[[email protected] ~]#

When quota is active, we can see "usrquota,grpquota" in the mount option list.

 

Enabling quota on a separate /var partition

If you have a separate /var partition, then edit /etc/fstab and add ,uquota,gquota to the / partition (/dev/mapper/centos-var):

nano /etc/fstab

#
# /etc/fstab
# Created by anaconda on Sun Sep 21 16:33:45 2014
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/centos-root / xfs defaults 1 1
/dev/mapper/centos-var /var xfs defaults,uquota,gquota 1 2
UUID=9ac06939-7e43-4efd-957a-486775edd7b4 /boot xfs defaults 1 3
/dev/mapper/centos-swap swap swap defaults 0 0

Then run

mount -o remount /var
quotacheck -avugm
quotaon -avug

to enable quota. When you get an error that there is no partition with quota enabled, then reboot the server before you proceed.

 

6 Install Apache, MySQL, phpMyAdmin

We can install the needed packages with one single command:

yum -y install ntp httpd mod_ssl mariadb-server php php-mysql php-mbstring phpmyadmin

To ensure that the server can not be attacked trough the HTTPOXY vulnerability, we will disable the HTTP_PROXY header in apache globally. 

Add the apache header rule at the end of the httpd.conf file:

echo "RequestHeader unset Proxy early" >> /etc/httpd/conf/httpd.conf

And restart httpd to apply the configuration change.

service httpd restart 

Share this page:

Suggested articles

28 Comment(s)

Add comment

Comments

By: Ayoub BEN

Thank you

By: Diogo

No XMPP?

By: Docky

when I tried to open this page: http://192.168.0.100/roundcubemail/installer

I got an error saying:

Roundcube Webmail Installer    Check environment    Create config    Test configChecking PHP versionVersion:  NOT OK(PHP5 is required, 7.1.13 detected)

I thought we installed php 7 in this installation, so why it's not ok for roundcube?

By: till

This tutorial installs PHP 5 and not PHP 7. Roundcube and also ISPConfig require it that you do not install a dfferent PHP version than the one that shps with the OS. Downgrade your PHP to the original PHP version 5.6 and then continue with the installation of Roundcube and ISPConfig. You can use newer PHP versions like PHP 7 in ISPConfig as additional PHP version, but don't change the main PHP version.

By: Docky

Hi again, I doubled checked and I see that php 5 was installed during this installation but I have installed php7 and I want to work with that. is there a fix for roundcube to work with php7?

thank you

By: Alex

Thanks for this.I would like to share something for those like me using EFI :cp /boot/efi/EFI/centos/grub.cfg /boot/efi/EFI/centos/grub.cfg_bakgrub2-mkconfig -o /boot/efi/EFI/centos/grub.cfg

Enjoy.

By: siomosp

Hello,

there is a tutorial for installing nginx instead of apache?

By: Herman Baumgarten

epel-release package is not available

By: till

The epel-release package exists on every standard CentOS system, there must be something wrong with your base installation if you don't have that package.

By: Steve

I followed this all the way to the end but couldn't login. Found the password was not admin but was my mysql root password

By: emir bu?ra köksalan

If you getting apache test page after ispconfig installed you must install "yum install mod_fcgid" and restart httpd service. After this time you can login ispconfig. I think this document must be updated for this issue. Thanks.

By: till

The tutorial instructs you already to install mod_fcgid, so there is nothing missing in the guide. See chapter "

12 Installing Apache with mod_php, mod_fcgi/PHP, PHP-FPM" on page 2. Follow the tutorial closely and do not leave any commands out to ensure to get a working system.

By: Dr. Martinus

Hi,

I followed this tutorial diligently and I am impressed, almost everything works. However: roundcubemail doesn't. I get the error:

DATABASE ERROR: CONNECTION FAILED! Unable to connect to the database!Please contact your server-administrator.   I always get stuck at the installation step 3. I found some tips, but I have trouble finding the appropriate files. Besides, I saw that in mysql the user is set, but the password is not encrypted as seems to be the case with the other users who are in the database. Is this intended? I need to get finished with the server setup. I can't run the installer any more, because it has been disabled (not by me, as I couldn't finish the installation). There it says I shall reset it "RCUBE_CONFIG_DIR/config.inc.php", but what is the "RCUBE_CONFIG_DIR"?   Thanks for any help.  

By: Medomx

you should verify in the config file your database name - in the config installer is roundcubedb and in the tutorial is roundcubeemail. if you change is working. Have a nice day!

By: fatbear

TLS related questions:

1. I prefer to use TLS certificates from traditional providers that can provide Extended Validation for my larger customers. Will NOT installing Let's Encrypt cause problems? Can Let's Encrypt be selectively enabled or disabled for individual clients if it is installed so that smaller clients can take advantage of free TLS certificates, but larger clients can avoid the pitfalls associated with domain-validated certificates?

2. I use front-end TLS via the Pound load balancer and reverse proxy or the F5 Big-IP platform. How do you recommend configuring ISPConfig in this case during installation?

By: scott hassler

has anyone been able to get the

ispconfig3_roundcube

 

plugins to work after this setup?

By: Tsi

Nice tutorial!  Perhaps for future centos may you include PHP 7.x instead of the older version running ISPConfig.  thanks!

By: munkh

Hello,

First of all thanks for these helpful installation guides mate. I really appreciate it. There is 1 problem i am facing just following your guide, i cannot login. when i enter admin/admin nothing happens, but when i try different password it says wrong password. But if i do the correct password admin/admin it doesn't move to next page, just stay still like wrong credentials entered.

Could you please help me with this ?

By: till

The password is not 'admin' by default anymore, it is a random string that the installer showed you on the shell. If you did not noted the password down, then you can reset the admin password like this: https://www.faqforge.com/linux/controlpanels/ispconfig3/how-to-reset-the-administrator-password-in-ispconfig-3/

By: Anthony

I set the admin password when doing install.php. At the login screen i entered that password along with the username admin and it never logs me in. How can I reset this?

By: till

See here on how to set a new admin password: https://www.faqforge.com/linux/controlpanels/ispconfig3/how-to-reset-the-administrator-password-in-ispconfig-3/

By: anthony

I am getting a successful login in cron log but it returns no control panel. Additionally I am seeing this

 

PHP Warning:  mysqli_real_connect() expects parameter 1 to be mysqli, null given in /usr/local/ispconfig/server/lib/classes/db_mysql.inc.php on line 275

How can this be resolved?

By: Lighthouse

How to know the nameservers are missing

+ My server id address is 68.183.235.72

i'm using nameservers of digitalocean.com

ns1.digitalocean.com 173.245.58.51

ns2.digitalocean.com 173.245.59.41

ns3.digitalocean.com 198.41.222.173

But when i check

cat /etc/resolv.conf

; Created by cloud-init on instance boot automatically, do not edit.;nameserver 67.207.67.3nameserver 67.207.67.2search localdomain

 

So i see nameservers of this file not the same nameservers ip of digitalocean. So this is problem? how can i solve this problem?

By: Klaus

If you will use this server setup to reay mails through you need this extra package

 

yum install cyrus-sasl-plain

By: Karsten Schlimme

No SSL for RoundCube? :/

By: till

That's not quite correct. Roundcube is a global Alias in Apache, so when you enable SSL for a website in ISPConfig, then RoundCube has SSL as well automatically when you access it through that site. At server install time, you don't have SSL enabled sites yet, that's why you access it by HTTP then until the server is fully installed.

By: ian

Hi Tim,  Thanks for this perfect server tutorial.  Now have one up and running.  can you help point me how to go around some ISP's blocking port 25?  sending from home doesn't work as well as on mobile devices.

By: Philip

The URL for the Roundcube installer should be 'webmail' and not 'roundcubemail' as the alias was changed in the previous step...

--> "Now we will install RoundCube in the browser at http://192.168.0.100/roundcubemail/installer"