Virtual Hosting Howto With Virtualmin On CentOS 5.1 - Page 4

Dovecot Setup


This will set up dovecot as our IMAP/POP3 server.


Basic Configuration

We will set up dovecot for IMAP and POP3 and disable SSL.

protocols = imap pop3
listen = *
ssl_listen = *
ssl_disable = yes



We will use the maildir format as opposed to the default mbox format.

mail_location = maildir:~/Maildir


Authentication & SASL

Configure dovecot to use LOGIN and PLAIN as the authentication mechanisms, as many MS clients are unable to use encrypted authentication mechanisms. We also set up the SASL socket to enable postfix to authenticate SMTP connections using dovecot.

auth default {
  mechanisms = plain login
  passdb pam {
  }
  userdb passwd {
  }
  socket listen {
    client {
        path = /var/spool/postfix/private/auth
        mode = 0660
        user = postfix
        group = postfix
    }
  }
}


Client Issues

Some MS IMAP clients in the Outlook family have issues with both their IMAP and POP3 implementations, so we need to accommodate them by setting up these workarounds:

protocol imap {
 imap_client_workarounds = outlook-idle delay-newmail
}
protocol pop3 {
 pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
}


Run IMAP Behind Proxy

The IMAP server is configured to listen on port 10143 so that port 143 can be handled by the IMAP proxy server, which improves performance for your webmail by caching connections to the IMAP server. The listen option inside the protocol imap section sets this up.

protocol imap {
 imap_client_workarounds = outlook-idle delay-newmail
 listen = *:10143
}
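The auth/SASL settings and the proxied listen port above are easy to get subtly wrong (socket outside the Postfix chroot, wrong mode, cleartext mechanisms with SSL off). The following is an added example, not code from the howto or from Dovecot: a small parser for Dovecot 1.x style config files (nested `name { ... }` blocks and `key = value` lines) plus an audit of the points this section makes. The sample config is constructed to mirror the page's snippets; the chroot path check assumes Postfix's default chroot of /var/spool/postfix.

```python
"""Parse a Dovecot 1.x style config and audit the settings discussed above.
Added example, not part of the original howto or of Dovecot."""

# Constructed sample mirroring the page's Dovecot snippets.
SAMPLE_CONF = """\
protocols = imap pop3
listen = *
ssl_listen = *
ssl_disable = yes
mail_location = maildir:~/Maildir
auth default {
  mechanisms = plain login
  passdb pam {
  }
  userdb passwd {
  }
  socket listen {
    client {
      path = /var/spool/postfix/private/auth
      mode = 0660
      user = postfix
      group = postfix
    }
  }
}
protocol imap {
  imap_client_workarounds = outlook-idle delay-newmail
  listen = *:10143
}
protocol pop3 {
  pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
}
"""


def parse_dovecot(text):
    """Return nested dicts: a block 'auth default { ... }' becomes
    conf['auth default'] = {...}; a 'key = value' line becomes a string."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments / blanks
        if not line:
            continue
        if line.endswith("{"):
            block = {}
            stack[-1][line[:-1].strip()] = block
            stack.append(block)
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        elif "=" in line:
            key, value = line.split("=", 1)
            stack[-1][key.strip()] = value.strip()
        else:
            raise ValueError("unparsable line: %r" % raw)
    if len(stack) != 1:
        raise ValueError("unclosed block")
    return root


def audit_dovecot(conf):
    """Return a list of findings for the risks and expectations on this page."""
    findings = []
    auth = conf.get("auth default", {})
    mechs = set(auth.get("mechanisms", "").split())
    cleartext = mechs & {"plain", "login"}
    if cleartext and conf.get("ssl_disable", "no").lower() == "yes":
        findings.append(
            "cleartext mechanisms %s offered with SSL disabled: credentials "
            "cross the network unprotected" % sorted(cleartext))
    client = auth.get("socket listen", {}).get("client", {})
    path = client.get("path", "")
    # Postfix runs chrooted in /var/spool/postfix (assumed default) and refers
    # to the socket as private/auth, so the socket must live under the chroot.
    if not path.startswith("/var/spool/postfix/"):
        findings.append("SASL client socket %r is outside the Postfix chroot" % path)
    if (client.get("mode"), client.get("user"), client.get("group")) != ("0660", "postfix", "postfix"):
        findings.append("SASL client socket should be mode 0660, owned postfix:postfix")
    # The proxy on :143 expects the real IMAP server on :10143.
    imap_listen = conf.get("protocol imap", {}).get("listen", conf.get("listen", ""))
    if not imap_listen.endswith(":10143"):
        findings.append("IMAP listens on %r, not the proxied port 10143" % imap_listen)
    return findings


if __name__ == "__main__":
    for finding in audit_dovecot(parse_dovecot(SAMPLE_CONF)):
        print("WARNING:", finding)
```

Run against the page's own settings the only finding is the cleartext one, which is exactly the trade-off the author discusses in the comments below: PLAIN/LOGIN without TLS means anyone on the path can read the credentials.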


Sample files


Setup Imap Proxy


imapproxy was written to compensate for webmail clients that are unable to maintain persistent connections to an IMAP server. Most webmail clients need to log in to an IMAP server for nearly every single transaction. This behaviour can cause tragic performance problems on the IMAP server. imapproxy tries to deal with this problem by leaving server connections open for a short time after a webmail client logs out. When the webmail client connects again, imapproxy will determine if there's a cached connection available and reuse it if possible. - according to the imapproxy website.



Make the following changes in the file /etc/imapproxy.conf:

cache_size 3072
listen_port 143
server_port 10143
cache_expiration_time 900
proc_username nobody
proc_groupname nobody
stat_filename /var/run/pimpstats
protocol_log_filename /var/log/imapproxy_protocol.log
syslog_facility LOG_MAIL
send_tcp_keepalives no
enable_select_cache yes
foreground_mode no
force_tls no
enable_admin_commands no


Sample Files


Bind Setup


Bind will be set up chrooted to improve security. We will also use views to prevent abuse of the DNS server.


Basic Configuration

The basic configuration disables recursive queries and zone transfers by default. We also obscure the version of BIND we are running so that script kiddies scanning for a version with a known zero-day vulnerability do not get an easy match.

options {
        directory "/var/named";
        pid-file "/var/run/named/";
        listen-on {
        version "just guess";
        allow-recursion { "localhost"; };
        allow-transfer { "none"; };
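The three restrictions above can be verified from outside the server with dig. The following is an added example, not part of the howto or of BIND: functions that parse dig's output for the three signs of a hardened server (no `ra` flag for recursion, "Transfer failed." for AXFR, and the configured string for version.bind). The sample outputs are constructed in the shape dig prints; run_dig() calls the real tool and is only used from main, where the nameserver address is a placeholder.

```python
"""Verify the BIND hardening on this page from dig output.
Added example, not part of the howto or of BIND."""

import re
import subprocess


def parse_header(output):
    """Return (status, flags) from dig's ';; ->>HEADER<<-' and ';; flags:' lines."""
    status = re.search(r"status: (\w+)", output)
    flags = re.search(r";; flags: ([^;]*);", output)
    return (status.group(1) if status else None,
            set(flags.group(1).split()) if flags else set())


def recursion_refused(output):
    """allow-recursion { localhost; } => an outside query gets no 'ra' flag
    (BIND answers REFUSED or a bare referral, depending on version)."""
    _status, flags = parse_header(output)
    return "ra" not in flags


def transfer_refused(output):
    """allow-transfer { none; } => 'dig @ns zone AXFR' reports 'Transfer failed.'"""
    return "Transfer failed." in output


def version_hidden(output, expected='"just guess"'):
    """version "just guess"; => 'dig @ns version.bind CH TXT' returns that text."""
    m = re.search(r'version\.bind\.\s+\d+\s+CH\s+TXT\s+(".*")', output)
    return m is not None and m.group(1) == expected


def run_dig(args):
    """Run the real dig; requires the tool and network access."""
    return subprocess.run(["dig"] + args, capture_output=True, text=True).stdout


# Constructed samples in the shape dig prints for a hardened server.
SAMPLE_RECURSION = """\
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4321
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
"""
SAMPLE_AXFR = """\
; <<>> DiG 9.3.4 <<>> @ns.example.test example.test AXFR
; Transfer failed.
"""
SAMPLE_VERSION = """\
;; ANSWER SECTION:
version.bind.\t\t0\tCH\tTXT\t"just guess"
"""

if __name__ == "__main__":
    ns = "NAMESERVER_ADDRESS_PLACEHOLDER"   # replace with your server's address
    print("recursion refused:", recursion_refused(run_dig(["@" + ns, "www.example.test", "A"])))
    print("transfer refused: ", transfer_refused(run_dig(["@" + ns, "example.test", "AXFR"])))
    print("version hidden:   ", version_hidden(run_dig(["@" + ns, "version.bind", "CH", "TXT"])))
```

Run the three checks from a host that is not the server itself; from localhost, recursion is allowed by design and the first check will report False.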



The logging is customized to remove the annoying "lame-server" and update errors that appear in the logs:

logging {
        category update { null; };
        category update-security { null; };
        category lame-servers { null; };
};



Ensure that this is set in the file /etc/sysconfig/named (it's usually set by the bind-chroot package):



Point Server

To let the machine use this server for DNS resolution, edit /etc/resolv.conf and prepend:



Sample files


Vsftpd Setup


We will use vsftpd as our FTP server. It has a better security track record than the proftpd and wu-ftpd servers.


Basic Setting

Our basic setup disables anonymous users and enables local system users to connect to the FTP server.

ftpd_banner=Welcome to server



All users will be chrooted to their home directories (except usernames listed in the /etc/vsftpd/chroot_list file), meaning they cannot break out and see other users' files.



Banned Users

Users added to the file /etc/vsftpd/user_list will not be allowed to login:
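The chroot_list and user_list files are a common source of confusion because their meaning depends on other settings. The following is an added example, not vsftpd's code: a function that models vsftpd's documented decision for a local login. With chroot_local_user=YES the chroot_list names the users who are NOT chrooted (the page's setup); with chroot_local_user=NO it names the users who ARE. With userlist_deny=YES (the default) user_list is a deny list; with userlist_deny=NO it becomes the only set of users allowed in. The config text and the name lists are constructed; the page's own snippet only shows ftpd_banner.

```python
"""Model vsftpd's chroot_list / user_list decisions for a local user.
Added example, not part of the howto or of vsftpd."""

# Constructed vsftpd.conf matching the text of this section.
SAMPLE_CONF = """\
anonymous_enable=NO
local_enable=YES
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
userlist_enable=YES
userlist_file=/etc/vsftpd/user_list
ftpd_banner=Welcome to server
"""
CHROOT_LIST = {"bob"}            # constructed: bob may leave his home dir
USER_LIST = {"root", "bin", "daemon"}   # constructed: never allowed to log in


def parse_vsftpd_conf(text):
    """vsftpd.conf is flat key=value; '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def flag(conf, key, default):
    """vsftpd booleans are YES/NO (case-insensitive); default is vsftpd's."""
    return conf.get(key, "YES" if default else "NO").upper() == "YES"


def ftp_access(conf, user, chroot_list=CHROOT_LIST, user_list=USER_LIST):
    """Return (allowed, chrooted) for a login attempt by `user`."""
    if user in ("anonymous", "ftp"):
        # anonymous users are always confined to the anon root; vsftpd's
        # compiled-in default for anonymous_enable is YES, hence the override.
        return flag(conf, "anonymous_enable", True), True
    if not flag(conf, "local_enable", False):
        return False, False
    if flag(conf, "userlist_enable", False):
        listed = user in user_list
        deny_mode = flag(conf, "userlist_deny", True)
        if (deny_mode and listed) or (not deny_mode and not listed):
            return False, False
    chroot_all = flag(conf, "chroot_local_user", False)
    if flag(conf, "chroot_list_enable", False):
        listed = user in chroot_list
        # The list is an exception list: its meaning flips with chroot_local_user.
        chrooted = (not listed) if chroot_all else listed
    else:
        chrooted = chroot_all
    return True, chrooted


if __name__ == "__main__":
    conf = parse_vsftpd_conf(SAMPLE_CONF)
    for name in ("alice", "bob", "root", "anonymous"):
        print(name, ftp_access(conf, name))
```

The inversion is the point worth remembering: a user added to chroot_list under the page's configuration gets more freedom, not less, so that file deserves the same scrutiny as user_list.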



Sample Files

17 Comment(s)


From: Anonymous at: 2008-10-21 17:17:16

Kudos to Andrew and his howto for virtualmin.  I have utilized this in the past to install virtualmin and it works well.  However, since the latest version of virtualmin, there really isn't any need anymore.  Download the script from their site and it will download every needed package and configure them for virtualmin.  Just a little heads up.

From: Anonymous at: 2009-02-20 07:35:08

I tried the installation script on a fresh CentOS 5.2; the installation went well and the script logs show success, but it doesn't allow you to log in to virtualmin. I think it's only for licensed users.

From: Anonymous at: 2009-02-21 10:02:13

The installation script works perfectly on a clean CentOS 5 or 5.2. Make sure you have a clean copy of CentOS; the script does the rest. I have tested it myself today and now it's working perfectly.

** It's awesome, replaced this whole tutorial with one command and a FREE official Virtualmin script available at Enjoy **

From: at: 2008-03-25 05:19:39

Great tutorial, a real real real time saver!

On the RPMForge setup, point people to

Especially if they are using x86_64 or a different distro.


From: at: 2009-03-26 19:12:15

I would take things one step further and follow the directions here:

By using the priorities plugin for yum, you will not need to disable the rpmforge repo (i.e. the 'enable=0' step above) and then constantly use '--enablerepo=rpmforge' when installing packages from rpmforge.  Furthermore, you can just do one 'yum update' to update everything from the base and the rpmforge repositories...just make sure to make the rpmforge lower priority than base!



From: at: 2008-03-25 05:23:07

/etc/yum.repos.d for me

From: Anonymous at: 2011-04-01 02:33:32

rpm -Uvh

is no longer working; any alternatives?


Thanks Kyle.

From: at: 2008-03-26 08:00:58

It's really a very good tutorial; it just might need some tuning. Anyway, I suggest these modifications for better performance. This is a modified copy of with modifications applied. The modifications are mainly to allow non-TLS SMTP authentication and to stop the buggy, slow recipient address verification and use "reject_unlisted_recipient" instead.

command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
#mydomain =
#myorigin = $mydomain
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550
unverified_sender_reject_code = 550
mynetworks =
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
virtual_alias_maps = hash:/etc/postfix/virtual
canonical_maps = hash:/etc/postfix/canonical
sender_canonical_maps = hash:/etc/postfix/canonical
recipient_canonical_maps = hash:/etc/postfix/canonical
#address_verify_map = btree:/var/spool/postfix/verify
smtpd_sender_restrictions = hash:/etc/postfix/sender_access
mail_spool_directory = /var/spool/mail
home_mailbox = Maildir/
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_use_tls = yes
smtpd_tls_key_file = /etc/pki/postfix/smtpd.key
smtpd_tls_cert_file = /etc/pki/postfix/smtpd.crt
smtpd_tls_CAfile = /etc/pki/postfix/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
smtp_use_tls = yes
smtp_tls_key_file = /etc/pki/postfix/smtpd.key
smtp_tls_cert_file = /etc/pki/postfix/smtpd.crt
smtp_tls_CAfile = /etc/pki/postfix/cacert.pem
smtp_tls_session_cache_database = btree:/var/spool/postfix/smtp_tls_cache
smtp_tls_note_starttls_offer = yes
smtpd_tls_auth_only = no
tls_random_source = dev:/dev/urandom
smtpd_sasl_auth_enable = yes
debug_peer_level = 2
debugger_command =
         xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.3.3/samples
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
smtpd_banner = tds mail cluster
smtpd_helo_required = yes
disable_vrfy_command = yes
show_user_unknown_table_name = no
policy_time_limit = 3600
smtpd_milters = unix:/var/clamav/clmilter.socket unix:/var/run/spamass.sock
non_smtpd_milters = unix:/var/clamav/clmilter.socket unix:/var/run/spamass.sock
smtpd_error_sleep_time = 5s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_recipient_restrictions =
        check_recipient_access hash:/etc/postfix/access
        check_policy_service unix:private/spfpolicy 

From: at: 2008-03-26 10:59:22

reject_unlisted_recipient seems like a good idea; I will update the sample config. Actually, I have SMTP auth over TLS only on purpose, due to the fact that the LOGIN and PLAIN authentication methods which are used by M$ clients are not secure and can lead to the user details being captured by anyone who is eavesdropping on the traffic, but I guess getting users to set up TLS on the client side is a pain at times.

From: at: 2008-07-28 12:12:52

You've done a great job here.  I ran across some errors, but worked through each so far.  

I need some clarification on one point, though:

You appear to be configuring postfix to use secure authentication.  As the hosting provider, my domain may be, but my clients will all have their own domains which will use mail under each.

So, as I follow your tutorial, should I be using my own host name (i/e in place of, when creating server certificates, and/or generating keys for DKIM?

Will I have to manually configure each client this way?

Please excuse my ignorance, but this is all very new to me.





From: at: 2008-07-30 08:19:28

1. Yes for outbound mail they will have to use your domain name as the smtp server hostname as the certificate will hold your name, for receiving however they can use their own domain name for the imap/pop3 server hostname.

2. As for DKIM you can have multiple keys so you can sign mail for all your customers domains.

From: at: 2009-04-10 20:29:17

It seems that in CentOS 5.3, the clamav-milter daemon periodically reloads and loses the group permission that the clamav-milter.patch sets up.  In other words, it reverts back to the clamav group, which causes a permission problem with Postfix.  The easiest fix is to make the postfix user a member of the clamav group.

From: Acorp Computers at: 2008-09-19 02:45:25

In case it helps anyone else, my "Spamassassin Basic Config" was located in:



From: Pawel at: 2009-02-08 14:43:36

/etc/httpd/conf.d/ssl.conf in CentOS 5.2

 Great tutorial!

From: at: 2008-11-01 15:35:33

The vsftpd section has a mistake: Virtualmin can't write the new user to the chroot_list_user? Just keep chroot_local=yes.

From: ??? at: 2008-11-05 09:02:03

What about the suexec home? Now I have a web site, and uploaded files such as pictures have the group apache, not the site user.

And when I run suexec -V, the home is /var/www/. Is that the problem?

From: Tanczos Andras at: 2009-02-15 21:34:52

rcpt to: instead of rcpt: at postfix tests