The Perfect Server - CentOS 5.2 [ISPConfig 3]
Version 1.0
Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited 03/05/2009

This tutorial shows how to prepare a CentOS 5.2 server for the installation of ISPConfig 3, and how to install ISPConfig 3. ISPConfig 3 is a webhosting control panel that allows you to configure the following services through a web browser: Apache web server, Postfix mail server, MySQL, MyDNS nameserver, PureFTPd, SpamAssassin, ClamAV, and many more.
Please note that this setup does not work for ISPConfig 2! It is valid for ISPConfig 3 only!
I do not issue any guarantee that this will work for you!
1 Requirements
To install such a system you will need the following:
- the CentOS 5.2 DVD or the six CentOS 5.2 CDs, downloaded from a mirror next to you (the list of mirrors can be found here: http://isoredirect.centos.org/centos/5/isos/i386/)
- a fast Internet connection
2 Preliminary Note
In this tutorial I use the hostname server1.example.com with the IP address 192.168.0.100 and the gateway 192.168.0.1. These settings might differ for you, so you have to replace them where appropriate.
It can take a long time to test the installation media so we skip this test here:
I'm installing CentOS 5.2 on a fresh system, so I answer Yes to the question Would you like to initialize this drive, erasing ALL DATA?
Now we must select a partitioning scheme for our installation. For simplicity's sake I select Remove linux partitions on selected drives and create default layout. This will result in a small /boot and a large / partition as well as a swap partition. Of course, you're free to partition your hard drive however you like it. Then I hit Next:
Answer the following question (Are you sure you want to do this?) with Yes:
On to the network settings. The default setting here is to configure the network interfaces with DHCP, but we are installing a server, so static IP addresses are not a bad idea... Click on the Edit button at the top right.
In the window that pops up uncheck Use dynamic IP configuration (DHCP) and Enable IPv6 support and give your network card a static IP address (in this tutorial I'm using the IP address 192.168.0.100 for demonstration purposes) and a suitable netmask (e.g. 255.255.255.0; if you are not sure about the right values, http://www.subnetmask.info might help you):
Set the hostname manually, e.g. server1.example.com, and enter a gateway (e.g. 192.168.0.1) and up to two DNS servers (e.g. 213.191.92.86 and 145.253.2.75):
Now we must select the package groups we want to install. Select Editors, Text-based Internet, Development Libraries, Development Tools, DNS Name Server, FTP Server, Mail Server, MySQL Database, Server Configuration Tools, Web Server, Administration Tools, Base, and System Tools (unselect all other package groups) and click on Next:
Finally, the installation is complete, and you can remove your CD or DVD from the computer and reboot it:
After the reboot, you will see this screen. Select Firewall configuration and hit Run Tool:
I want to install ISPConfig at the end of this tutorial which comes with its own firewall. That's why I disable the default CentOS firewall now. Of course, you are free to leave it on and configure it to your needs (but then you shouldn't use any other firewall later on as it will most probably interfere with the CentOS firewall). SELinux is a security extension of CentOS that should provide extended security. In my opinion you don't need it to configure a secure system, and it usually causes more problems than advantages (think of it after you have done a week of trouble-shooting because some service wasn't working as expected, and then you find out that everything was ok, only SELinux was causing the problem). Therefore I disable it, too (this is a must if you want to install ISPConfig later on). Hit OK afterwards:
Then log in as root and reboot the system so that your changes can be applied:
reboot
Now, on to the configuration...
Copyright 2009 Falko Timme All Rights Reserved.
Next we edit /etc/hosts so that it looks like this:
vi /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1       localhost.localdomain localhost
192.168.0.100   server1.example.com server1
::1             localhost6.localdomain6 localhost6
Now we want to use the IP address 192.168.0.101 on the virtual interface eth0:0. Therefore we open the file /etc/sysconfig/network-scripts/ifcfg-eth0:0 and modify it as follows (we can leave out the HWADDR line as it is the same physical network card):
vi /etc/sysconfig/network-scripts/ifcfg-eth0:0
# Advanced Micro Devices [AMD] 79c970 [PCnet32 LANCE]
DEVICE=eth0:0
BOOTPROTO=static
BROADCAST=192.168.0.255
IPADDR=192.168.0.101
NETMASK=255.255.255.0
NETWORK=192.168.0.0
ONBOOT=yes
You might also want to adjust /etc/hosts after you have added new IP addresses, although this is not necessary. Now run
ifconfig
The output should now list eth0:0 with the address 192.168.0.101 next to eth0 and lo.
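Before bringing the alias up it is worth checking that the NETWORK and BROADCAST values in the file agree with IPADDR and NETMASK; the network scripts accept a contradictory value without complaint and the interface then misbehaves in ways that are slow to debug. The following script is an added example and not part of the tutorial: it recomputes both values from IPADDR/NETMASK, flags an ONBOOT other than yes, and runs against constructed sample files in a temporary directory rather than touching /etc/sysconfig.

```bash
#!/bin/bash
# Added example, not part of the tutorial: sanity-check an ifcfg-* file before
# running "ifup". The network scripts accept a NETWORK or BROADCAST value that
# contradicts IPADDR/NETMASK without complaint, and the alias then misbehaves.

# ip_to_int 192.168.0.101 -> 3232235621
ip_to_int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip 3232235621 -> 192.168.0.101
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# ifcfg_get FILE KEY: value of KEY; the last assignment wins, as it does when
# ifup sources the file. Surrounding double quotes are stripped.
ifcfg_get() {
    grep "^$2=" "$1" | tail -n 1 | cut -d= -f2- | tr -d '"'
}

# check_ifcfg FILE: print "ok" and return 0 when NETWORK, BROADCAST and ONBOOT
# are consistent with IPADDR/NETMASK; otherwise print each problem and return 1.
check_ifcfg() {
    local f=$1 ip mask net bcast ipn maskn want_net want_bcast rc=0
    ip=$(ifcfg_get "$f" IPADDR)
    mask=$(ifcfg_get "$f" NETMASK)
    net=$(ifcfg_get "$f" NETWORK)
    bcast=$(ifcfg_get "$f" BROADCAST)
    if [ -z "$ip" ] || [ -z "$mask" ]; then
        echo "IPADDR or NETMASK missing"
        return 1
    fi
    ipn=$(ip_to_int "$ip")
    maskn=$(ip_to_int "$mask")
    want_net=$(int_to_ip $(( ipn & maskn )))
    want_bcast=$(int_to_ip $(( ipn | (4294967295 - maskn) )))   # ip | ~mask
    if [ -n "$net" ] && [ "$net" != "$want_net" ]; then
        echo "NETWORK=$net contradicts IPADDR/NETMASK (expected $want_net)"
        rc=1
    fi
    if [ -n "$bcast" ] && [ "$bcast" != "$want_bcast" ]; then
        echo "BROADCAST=$bcast contradicts IPADDR/NETMASK (expected $want_bcast)"
        rc=1
    fi
    if [ "$(ifcfg_get "$f" ONBOOT)" != "yes" ]; then
        echo "ONBOOT is not yes: the interface will not come up at boot"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo ok
    return "$rc"
}

# write_sample_ifcfg FILE IPADDR BROADCAST: a constructed file in the layout of
# the tutorial's ifcfg-eth0:0 (HWADDR omitted, as in the text)
write_sample_ifcfg() {
    cat > "$1" <<EOF
DEVICE=eth0:0
BOOTPROTO=static
BROADCAST=$3
IPADDR=$2
NETMASK=255.255.255.0
NETWORK=192.168.0.0
ONBOOT=yes
EOF
}

# Demo on constructed files in a temporary directory; /etc is never touched.
demo_dir=$(mktemp -d)
write_sample_ifcfg "$demo_dir/ifcfg-good" 192.168.0.101 192.168.0.255
write_sample_ifcfg "$demo_dir/ifcfg-bad"  192.168.0.101 192.168.1.255   # typo in BROADCAST
check_ifcfg "$demo_dir/ifcfg-good"
check_ifcfg "$demo_dir/ifcfg-bad" || echo "(mismatch reported, as intended)"
rm -rf "$demo_dir"
```

To check the real file, call check_ifcfg /etc/sysconfig/network-scripts/ifcfg-eth0:0 before running ifup eth0:0; the function only reads the file.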
I want to install ISPConfig at the end of this tutorial which comes with its own firewall. That's why I disable the default CentOS firewall now. Of course, you are free to leave it on and configure it to your needs (but then you shouldn't use any other firewall later on as it will most probably interfere with the CentOS firewall). SELinux is a security extension of CentOS that should provide extended security. In my opinion you don't need it to configure a secure system, and it usually causes more problems than advantages (think of it after you have done a week of trouble-shooting because some service wasn't working as expected, and then you find out that everything was ok, only SELinux was causing the problem). Therefore I disable it, too (this is a must if you want to install ISPConfig later on). Run
system-config-securitylevel
Now we install some software packages that are needed later on:
yum groupinstall 'Development Tools'
8 Quota
(If you have chosen a different partitioning scheme than I did, you must adjust this chapter so that quota applies to the partitions where you need it.)
Add the quota mount options to the line of the / partition in /etc/fstab; the other entries stay as they are:
vi /etc/fstab
/dev/VolGroup00/LogVol00 /        [...] 1 1
LABEL=/boot              /boot    [...]
tmpfs                    /dev/shm [...]
devpts                   /dev/pts [...]
sysfs                    /sys     [...]
proc                     /proc    [...]
/dev/VolGroup00/LogVol01 swap     [...]
Then run
touch /aquota.user /aquota.group
chmod 600 /aquota.*
mount -o remount /
quotacheck -avugm
quotaon -avug
to enable quota.
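As an added example (not the tutorial's own commands), the script below makes the /etc/fstab edit from this chapter repeatable: it appends the journaled-quota options to the options column of one mount point, skips the edit if a quota option is already present, and fails loudly if the mount point does not exist. The option string usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0 is this example's assumption about what belongs on the / line; it is the standard vfsv0 set that pairs with the aquota.user and aquota.group files created above. The sample fstab is constructed, and the demo only ever edits a temporary copy.

```bash
#!/bin/bash
# Added example, not the tutorial's own commands: add journaled quota options to
# one mount point in an fstab file, idempotently. The option string is this
# example's assumption (the standard vfsv0 set that pairs with the aquota.user
# and aquota.group files the tutorial creates in /).
QUOTA_OPTS='usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0'

# add_quota_opts FSTAB MOUNTPOINT: append QUOTA_OPTS to the options column of
# the entry for MOUNTPOINT unless a quota option is already present. Comments
# and other entries are copied unchanged. Returns 1 if MOUNTPOINT is not found,
# so a typo does not silently turn into a no-op.
add_quota_opts() {
    local fstab=$1 mp=$2 tmp rc
    tmp=$(mktemp)
    awk -v mp="$mp" -v opts="$QUOTA_OPTS" '
        $1 !~ /^#/ && NF >= 4 && $2 == mp {
            found = 1
            if ($4 !~ /(usr|grp)j?quota/) {
                $4 = $4 "," opts    # rebuilding $4 reflows the line with single spaces
            }
        }
        { print }
        END { exit(found ? 0 : 1) }
    ' "$fstab" > "$tmp"
    rc=$?
    [ "$rc" -eq 0 ] && cat "$tmp" > "$fstab"
    rm -f "$tmp"
    return "$rc"
}

# options_for FSTAB MOUNTPOINT: the options column of MOUNTPOINT's entry
options_for() {
    awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { print $4 }' "$1"
}

# write_sample_fstab FILE: constructed sample laid out like the tutorial's
# default CentOS 5.2 partitioning (ext3 and the option columns are assumptions)
write_sample_fstab() {
    cat > "$1" <<'EOF'
# constructed sample fstab
/dev/VolGroup00/LogVol00 /        ext3   defaults       1 1
LABEL=/boot              /boot    ext3   defaults       1 2
tmpfs                    /dev/shm tmpfs  defaults       0 0
devpts                   /dev/pts devpts gid=5,mode=620 0 0
sysfs                    /sys     sysfs  defaults       0 0
proc                     /proc    proc   defaults       0 0
/dev/VolGroup00/LogVol01 swap     swap   defaults       0 0
EOF
}

# Demo on a temporary copy; run add_quota_opts /etc/fstab / (as root, after a
# backup) to apply it for real, then remount and run quotacheck as in the text.
demo=$(mktemp)
write_sample_fstab "$demo"
add_quota_opts "$demo" /
add_quota_opts "$demo" /          # second run changes nothing
echo "options for / are now: $(options_for "$demo" /)"
rm -f "$demo"
```

The mount point is matched on the second column, so an entry for /boot is never touched when you ask for /, and a wrong name returns a non-zero status instead of leaving you with an unchanged file and a quotaon that quietly does nothing.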
(If the above link doesn't work anymore, you can find the current version of rpmforge-release here: http://dag.wieers.com/rpm/packages/rpmforge-release/) Afterwards we can install the needed packages with one single command (including the packages we need to build Courier-IMAP):
yum install ntp httpd mysql-server php php-mysql php-mbstring php-mcrypt phpmyadmin rpm-build gcc mysql-devel openssl-devel cyrus-sasl-devel pkgconfig zlib-devel pcre-devel openldap-devel postgresql-devel expect libtool-ltdl-devel openldap-servers libtool gdbm-devel pam-devel gamin-devel
We will need the sudo command later on so that the user compileuser can compile and install the rpm packages. But first, we must allow compileuser to run all commands using sudo. Run
visudo
In the file that opens there's a line root ALL=(ALL) ALL. Add a similar line for compileuser just below that line:
[...]
root        ALL=(ALL) ALL
compileuser ALL=(ALL) ALL
[...]
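The rule above makes compileuser a second root: whatever runs under that account (a build script, a spec file pulled from a tarball, a session with a guessed password) gets the same. The steps that follow only ever call sudo for rpm and rpmbuild, so a narrower rule does the same job. The script below is an added example, not part of the tutorial: it lists every account in a sudoers file that holds an unrestricted ALL=(ALL) ALL grant, builds a rule limited to named commands, and syntax-checks a candidate file with visudo -c where visudo is installed. The command paths /bin/rpm and /usr/bin/rpmbuild are assumptions (confirm with which rpm rpmbuild), and the sample sudoers fragment is constructed.

```bash
#!/bin/bash
# Added example, not part of the tutorial: audit a sudoers file for accounts
# holding unrestricted root, and build a rule limited to the commands the build
# steps use. Command paths are assumptions: confirm with "which rpm rpmbuild".

# unrestricted_sudoers FILE: print each user or %group allowed to run ALL as
# ALL. Tabs, extra spaces, "(ALL:ALL)" and "NOPASSWD:" variants are handled.
unrestricted_sudoers() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        {
            line = $0
            gsub(/[[:space:]]+/, " ", line)
            if (line ~ /^[^ ]+ ALL ?= ?\(ALL(:ALL)?\) (NOPASSWD: ?)?ALL *$/) {
                split(line, f, " ")
                print f[1]
            }
        }
    ' "$1"
}

# restricted_rule USER CMD...: sudoers line letting USER run only CMD... as root
restricted_rule() {
    local user=$1 cmds
    shift
    cmds=$(printf '%s, ' "$@")
    printf '%s ALL=(root) %s\n' "$user" "${cmds%, }"
}

# validate_sudoers FILE: syntax-check a candidate file with visudo when it is
# installed; returns 0 (check skipped) where visudo is absent so that the demo
# can run on any machine.
validate_sudoers() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$1" >/dev/null
    fi
}

# write_sample_sudoers FILE: constructed fragment in the tutorial's form
write_sample_sudoers() {
    printf '# constructed sample\n' > "$1"
    printf 'root\tALL=(ALL) \tALL\n' >> "$1"
    printf 'compileuser ALL=(ALL) ALL\n' >> "$1"
    printf '#%%wheel ALL=(ALL) ALL\n' >> "$1"
    printf 'alice ALL=(root) /usr/bin/rpm\n' >> "$1"
}

demo=$(mktemp)
write_sample_sudoers "$demo"
echo "accounts with unrestricted root:"
unrestricted_sudoers "$demo"
echo "narrower rule for the build steps:"
restricted_rule compileuser /bin/rpm /usr/bin/rpmbuild
rm -f "$demo"
```

Run unrestricted_sudoers /etc/sudoers as root to see who holds full root on the finished server; visudo -c expects the candidate file to be root-owned with mode 0440, so copy a draft into place with those permissions before calling validate_sudoers on it.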
Now we are ready to build our rpm package. First become the user compileuser:
su compileuser
After the build process, the rpm packages can be found in $HOME/rpm/RPMS/i386 ( $HOME/rpm/RPMS/x86_64 if you are on an x86_64 system):
cd $HOME/rpm/RPMS/i386
The command
ls -l
shows you the available rpm packages:
-rw-r--r-- 1 root root 140978 Feb 26 03:00 courier-authlib-0.62.1-1.i386.rpm
-rw-r--r-- 1 root root 309196 Feb 26 03:00 courier-authlib-debuginfo-0.62.1-1.i386.rpm
-rw-r--r-- 1 root root  34672 Feb 26 03:00 courier-authlib-devel-0.62.1-1.i386.rpm
-rw-r--r-- 1 root root  17855 Feb 26 03:00 courier-authlib-ldap-0.62.1-1.i386.rpm
-rw-r--r-- 1 root root  14048 Feb 26 03:00 courier-authlib-mysql-0.62.1-1.i386.rpm
-rw-r--r-- 1 root root  13214 Feb 26 03:00 courier-authlib-pgsql-0.62.1-1.i386.rpm
-rw-r--r-- 1 root root   8175 Feb 26 03:00 courier-authlib-pipe-0.62.1-1.i386.rpm
-rw-r--r-- 1 root root  35927 Feb 26 03:00 courier-authlib-userdb-0.62.1-1.i386.rpm
Select the ones you want to install, and install them like this:
sudo rpm -ivh courier-authlib-0.62.1-1.i386.rpm courier-authlib-mysql-0.62.1-1.i386.rpm courier-authlib-devel-0.62.1-1.i386.rpm
Now we go back to the /tmp directory and run rpmbuild again, this time without sudo , otherwise the compilation will fail because it was run as root:
cd /tmp
rpmbuild -ta courier-imap-4.4.1.tar.bz2
After the build process, the rpm packages can be found in $HOME/rpm/RPMS/i386 ( $HOME/rpm/RPMS/x86_64 if you are on an x86_64 system):
cd $HOME/rpm/RPMS/i386
The command
ls -l
shows you the available rpm packages:
-rw-r--r-- 1 root        root        140978 Feb 26 03:00 courier-authlib-0.62.1-1.i386.rpm
-rw-r--r-- 1 root        root        309196 Feb 26 03:00 courier-authlib-debuginfo-0.62.1-1.i386.rpm
-rw-r--r-- 1 root        root         34672 Feb 26 03:00 courier-authlib-devel-0.62.1-1.i386.rpm
-rw-r--r-- 1 root        root         17855 Feb 26 03:00 courier-authlib-ldap-0.62.1-1.i386.rpm
-rw-r--r-- 1 root        root         14048 Feb 26 03:00 courier-authlib-mysql-0.62.1-1.i386.rpm
-rw-r--r-- 1 root        root         13214 Feb 26 03:00 courier-authlib-pgsql-0.62.1-1.i386.rpm
-rw-r--r-- 1 root        root          8175 Feb 26 03:00 courier-authlib-pipe-0.62.1-1.i386.rpm
-rw-r--r-- 1 root        root         35927 Feb 26 03:00 courier-authlib-userdb-0.62.1-1.i386.rpm
-rw-rw-r-- 1 compileuser compileuser 395137 Feb 26 03:13 courier-imap-4.4.1-1.i386.rpm
-rw-rw-r-- 1 compileuser compileuser 906775 Feb 26 03:13 courier-imap-debuginfo-4.4.1-1.i386.rpm
Now we go back to the /tmp directory and run rpmbuild again, this time to build a maildrop package:
cd /tmp
sudo rpmbuild -ta maildrop-2.0.4.tar.bz2
After the build process, the rpm packages can be found in $HOME/rpm/RPMS/i386 ( $HOME/rpm/RPMS/x86_64 if you are on an x86_64 system):
cd $HOME/rpm/RPMS/i386
The command
ls -l
shows you the available rpm packages:
-rw-r--r-- 1 root        root        140978 Feb 26 03:00 courier-authlib-0.62.1-1.i386.rpm
-rw-r--r-- 1 root        root        309196 Feb 26 03:00 courier-authlib-debuginfo-0.62.1-1.i386.rpm
-rw-r--r-- 1 root        root         34672 Feb 26 03:00 courier-authlib-devel-0.62.1-1.i386.rpm
-rw-r--r-- 1 root        root         17855 Feb 26 03:00 courier-authlib-ldap-0.62.1-1.i386.rpm
-rw-r--r-- 1 root        root         14048 Feb 26 03:00 courier-authlib-mysql-0.62.1-1.i386.rpm
-rw-r--r-- 1 root        root         13214 Feb 26 03:00 courier-authlib-pgsql-0.62.1-1.i386.rpm
-rw-r--r-- 1 root        root          8175 Feb 26 03:00 courier-authlib-pipe-0.62.1-1.i386.rpm
-rw-r--r-- 1 root        root         35927 Feb 26 03:00 courier-authlib-userdb-0.62.1-1.i386.rpm
-rw-rw-r-- 1 compileuser compileuser 395137 Feb 26 03:13 courier-imap-4.4.1-1.i386.rpm
-rw-rw-r-- 1 compileuser compileuser 906775 Feb 26 03:13 courier-imap-debuginfo-4.4.1-1.i386.rpm
-rw-r--r-- 1 root        root        303104 Feb 26 03:25 maildrop-2.0.4-1.i386.rpm
-rw-r--r-- 1 root        root        739326 Feb 26 03:25 maildrop-debuginfo-2.0.4-1.i386.rpm
-rw-r--r-- 1 root        root        134387 Feb 26 03:25 maildrop-devel-2.0.4-1.i386.rpm
-rw-r--r-- 1 root        root         58837 Feb 26 03:25 maildrop-man-2.0.4-1.i386.rpm
[compileuser@server1 i386]$
After you have compiled and installed all needed packages, you can become root again by typing
exit
The last command will show some warnings that you can ignore:
warning: user mockbuild does not exist - using root
warning: group mockbuild does not exist - using root
cd /usr/src/redhat/SOURCES
wget http://vda.sourceforge.net/VDA/postfix-2.3.3-vda.patch.gz
gunzip postfix-2.3.3-vda.patch.gz
cd /usr/src/redhat/SPECS/
Open postfix.spec:
vi postfix.spec
Change %define MYSQL 0 to %define MYSQL 1, add Patch0: postfix-2.3.3-vda.patch to the # Patches stanza, and finally add %patch0 -p1 -b .vda to the %setup -q stanza:
[...]
%define MYSQL 1
[...]
# Patches
Patch0: postfix-2.3.3-vda.patch
Patch1: postfix-2.1.1-config.patch
Patch3: postfix-alternatives.patch
Patch6: postfix-2.1.1-obsolete.patch
Patch7: postfix-2.1.5-aliases.patch
Patch8: postfix-large-fs.patch
Patch9: postfix-2.2.5-cyrus.patch
[...]
%setup -q
# Apply obligatory patches
%patch0 -p1 -b .vda
%patch1 -p1 -b .config
%patch3 -p1 -b .alternatives
%patch6 -p1 -b .obsolete
%patch7 -p1 -b .aliases
%patch8 -p1 -b .large-fs
%patch9 -p1 -b .cyrus
[...]
Then we build our new Postfix rpm package with quota and MySQL support:
rpmbuild -ba postfix.spec
Our Postfix rpm package is created in /usr/src/redhat/RPMS/i386 ( /usr/src/redhat/RPMS/x86_64 if you are on an x86_64 system), so we go there:
cd /usr/src/redhat/RPMS/i386
The command
ls -l
Then turn off Sendmail and start Postfix, saslauthd, and courier-authlib:
chkconfig --levels 235 courier-authlib on
/etc/init.d/courier-authlib start
chkconfig --levels 235 postfix on
chkconfig --levels 235 saslauthd on
/etc/init.d/sendmail stop
/etc/init.d/postfix start
/etc/init.d/saslauthd start
12 Configure Courier
Now we create the system startup links for courier-imap :
chkconfig --levels 235 courier-imap on
/etc/init.d/courier-authlib restart
/etc/init.d/courier-imap restart
When courier-imap is started for the first time, it automatically creates the certificate files /usr/lib/courier-imap/share/imapd.pem and /usr/lib/courier-imap/share/pop3d.pem from the /usr/lib/courier-imap/etc/imapd.cnf and /usr/lib/courier-imap/etc/pop3d.cnf files. Because the .cnf files contain the line CN=localhost, but our server is named server1.example.com, the certificates might cause problems when you use TLS connections. To solve this, we delete both certificates...
cd /usr/lib/courier-imap/share/
rm -f imapd.pem
rm -f pop3d.pem
... and replace the CN=localhost lines in /usr/lib/courier-imap/etc/imapd.cnf and /usr/lib/courier-imap/etc/pop3d.cnf with CN=server1.example.com:
vi /usr/lib/courier-imap/etc/imapd.cnf
vi /usr/lib/courier-imap/etc/pop3d.cnf
Restart courier-imap afterwards so that new certificates with the correct CN are generated from the edited .cnf files.
13 Install Getmail
Now we configure phpMyAdmin. We change the Apache configuration so that phpMyAdmin allows connections not just from localhost (by commenting out the <Directory "/usr/share/phpmyadmin"> stanza):
vi /etc/httpd/conf.d/phpmyadmin.conf
#
#
#
#<Directory "/usr/share/phpmyadmin">
#  Order Deny,Allow
#  Deny from all
#  Allow from 127.0.0.1
#</Directory>
Alias /phpmyadmin /usr/share/phpmyadmin
Alias /phpMyAdmin /usr/share/phpmyadmin
Alias /mysqladmin /usr/share/phpmyadmin
Then we create the system startup links for Apache and start it:
chkconfig --levels 235 httpd on
Now you can direct your browser to http://server1.example.com/phpmyadmin/ or http://192.168.0.100/phpmyadmin/ and log in with the user name root and your new root MySQL password.
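Commenting the whole <Directory> stanza out means that every client able to reach port 80 may try phpMyAdmin logins with the MySQL root account; the usual alternative is to keep the stanza and widen the allow list to the networks you administer from. The script below is an added example and not the tutorial's configuration: it generates a <Directory> block that keeps Deny from all and allows only listed hosts or networks (Apache 2.2 Order/Deny/Allow syntax, as in the phpmyadmin.conf above), and it reports whether an existing phpmyadmin.conf still restricts access. The 192.168.0.0/24 management network is an assumption; the sample configuration is a constructed copy of the commented-out stanza.

```bash
#!/bin/bash
# Added example, not the tutorial's configuration: keep the <Directory> block
# for phpMyAdmin and allow only listed networks, and report whether a
# phpmyadmin.conf still restricts access. 192.168.0.0/24 is an assumed
# management network; replace it with your own.

# phpmyadmin_allow_block NET...: print a <Directory> block in the Apache 2.2
# Order/Deny/Allow syntax used by phpmyadmin.conf that denies everything
# except localhost and the given hosts or networks
phpmyadmin_allow_block() {
    printf '<Directory "/usr/share/phpmyadmin">\n'
    printf '    Order Deny,Allow\n'
    printf '    Deny from all\n'
    printf '    Allow from 127.0.0.1'
    for net in "$@"; do
        printf ' %s' "$net"
    done
    printf '\n</Directory>\n'
}

# phpmyadmin_policy FILE: "restricted" when an active (uncommented) Directory
# block for /usr/share/phpmyadmin contains "Deny from all", otherwise "open".
# Apache directives are case-insensitive, hence the tolower().
phpmyadmin_policy() {
    awk '
        /^[[:space:]]*#/ { next }
        /<Directory[[:space:]]+"\/usr\/share\/phpmyadmin">/ { inblock = 1 }
        inblock && tolower($0) ~ /deny[[:space:]]+from[[:space:]]+all/ { denies = 1 }
        /<\/Directory>/ { inblock = 0 }
        END { print (denies ? "restricted" : "open") }
    ' "$1"
}

# write_open_conf FILE: the commented-out stanza from the text (constructed copy)
write_open_conf() {
    cat > "$1" <<'EOF'
#<Directory "/usr/share/phpmyadmin">
#  Order Deny,Allow
#  Deny from all
#  Allow from 127.0.0.1
#</Directory>

Alias /phpmyadmin /usr/share/phpmyadmin
EOF
}

demo=$(mktemp)
write_open_conf "$demo"
echo "stanza commented out: $(phpmyadmin_policy "$demo")"
{ phpmyadmin_allow_block 192.168.0.0/24; echo; echo 'Alias /phpmyadmin /usr/share/phpmyadmin'; } > "$demo"
echo "with allow list:      $(phpmyadmin_policy "$demo")"
cat "$demo"
rm -f "$demo"
```

With Order Deny,Allow, a host that matches an Allow from entry is admitted even though Deny from all is present, so the generated block admits exactly localhost plus the listed networks. The policy check looks only for an active Deny from all inside the block; it does not evaluate a later Allow from all, so read the block yourself after any hand edit.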
yum install php php-devel php-gd php-imap php-ldap php-mysql php-odbc php-pear php-xml php-xmlrpc php-eaccelerator php-mbstring php-mcrypt php-mhash php-mssql php-snmp php-soap php-tidy curl curl-devel perl-libwww-perl ImageMagick libxml2 libxml2-devel mod_fcgid php-cli httpd-devel
... and change the error reporting (so that notices aren't shown any longer) and add cgi.fix_pathinfo = 1 at the end of the file:
[...]
;error_reporting = E_ALL
error_reporting = E_ALL & ~E_NOTICE
[...]
cgi.fix_pathinfo = 1

[global]
;Path to logfile
logfile=/var/log/httpd/suphp.log
;Loglevel
loglevel=info
;User Apache is running as
webserver_user=apache
;Path all scripts have to be in
docroot=/
;Path to chroot() to before executing script
;chroot=/mychroot
; Security options
allow_file_group_writeable=true
allow_file_others_writeable=false
allow_directory_group_writeable=true
allow_directory_others_writeable=false
;Check wheter script is within DOCUMENT_ROOT
check_vhost_docroot=true
;Send minor error messages to browser
errors_to_browser=false
;PATH environment variable
env_path=/bin:/usr/bin
;Umask to set, specify in octal notation
umask=0077
; Minimum UID
min_uid=100
; Minimum GID
min_gid=100
[handlers]
;Handler for php-scripts
x-httpd-suphp="php:/usr/bin/php-cgi"
;Handler for CGI-scripts
x-suphp-cgi="execute:!self"
17 Install PureFTPd
PureFTPd can be installed with the following command:
yum install pure-ftpd
18 Install MyDNS
We can install MyDNS as follows:
wget http://mydns.bboy.net/download/mydns-mysql-1.1.0-1.i386.rpm
rpm -ivh mydns-mysql-1.1.0-1.i386.rpm
When the system boots, MyDNS must be started after MySQL. The MySQL startup link has the priority 64 on CentOS, so the MyDNS startup link must have a priority between 65 and 99. Therefore we open the MyDNS init script...
vi /etc/init.d/mydns
... and change the chkconfig line so that it reads as follows:
[...]
# chkconfig: 345 65 50
[...]
We don't start MyDNS now because it must be configured first - this will be done automatically by the ISPConfig 3 installer later on.
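The ordering rule above can be checked rather than eyeballed. The script below is an added example, not from the tutorial: it reads the runlevels and the start and stop priorities from the # chkconfig: header of an init script, tests whether one service starts after another's priority (MySQL's 64 from the text), and rewrites the start priority in place. The init-script header used for the demo is constructed.

```bash
#!/bin/bash
# Added example, not from the tutorial: read and adjust the "# chkconfig:"
# header of a SysV init script so that a service starts after its dependency.
# MySQL's start priority 64 is from the text; the init-script header used in
# the demo is constructed.

# chkconfig_field FILE N: field N of "# chkconfig: LEVELS START STOP"
# (1 = runlevels, 2 = start priority, 3 = stop priority); empty if no header
chkconfig_field() {
    awk -v n="$2" '
        /^#[[:space:]]*chkconfig:/ {
            sub(/^#[[:space:]]*chkconfig:[[:space:]]*/, "")
            print $n
            exit
        }
    ' "$1"
}

# starts_after FILE PRIO: true when FILE's start priority is greater than
# PRIO, i.e. its S-link sorts after a service with priority PRIO
starts_after() {
    local start
    start=$(chkconfig_field "$1" 2)
    [ -n "$start" ] && [ "$start" -gt "$2" ]
}

# set_start_priority FILE PRIO: rewrite the start priority in the header.
# chkconfig reads the header only when the service is (re-)added, so after
# editing a registered service run "chkconfig --del NAME; chkconfig --add NAME".
set_start_priority() {
    local tmp
    tmp=$(mktemp)
    awk -v prio="$2" '
        /^#[[:space:]]*chkconfig:/ && !done {
            match($0, /^#[[:space:]]*chkconfig:[[:space:]]*[-0-9]+[[:space:]]+/)
            head = substr($0, 1, RLENGTH)
            rest = substr($0, RLENGTH + 1)
            sub(/^[0-9]+/, prio, rest)
            $0 = head rest
            done = 1
        }
        { print }
    ' "$1" > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# write_sample_init FILE: constructed header in the style of /etc/init.d/mydns
write_sample_init() {
    cat > "$1" <<'EOF'
#!/bin/sh
#
# mydns   Start/stop the MyDNS name server (constructed sample header)
#
# chkconfig: 345 30 50
# description: MyDNS name server with MySQL backend
EOF
}

demo=$(mktemp)
write_sample_init "$demo"
if starts_after "$demo" 64; then
    echo "already starts after MySQL (64)"
else
    echo "start priority $(chkconfig_field "$demo" 2) is not after MySQL (64); raising to 65"
    set_start_priority "$demo" 65
fi
grep '^# chkconfig:' "$demo"
rm -f "$demo"
```

The same check applies to any service that needs the database at start-up: compare its start priority against the value chkconfig_field /etc/init.d/mysqld 2 reports on your system rather than trusting a number remembered from another release.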
vlogger is installed as follows:
cd /tmp
wget http://n0rp.chemlab.org/vlogger/vlogger-1.3.tar.gz
tar xvfz vlogger-1.3.tar.gz
mv vlogger-1.3/vlogger /usr/sbin/
rm -rf vlogger*
20 Install Jailkit
Jailkit is needed only if you want to chroot SSH users. It can be installed as follows ( important: Jailkit must be installed before ISPConfig - it cannot be installed afterwards!):
cd /tmp
wget http://olivier.sessink.nl/jailkit/jailkit-2.5.tar.gz
tar xvfz jailkit-2.5.tar.gz
cd jailkit-2.5
./configure
make
make install
rm -rf jailkit-2.5*
21 Install fail2ban
This is optional but recommended, because the ISPConfig monitor tries to show the log:
yum install fail2ban
22 Install rkhunter
rkhunter can be installed as follows:
yum install rkhunter
SquirrelMail Configuration : Read: config.php
--------------------------------------------------------
While we have been building SquirrelMail, we have discovered some
preferences that work better with some servers that don't work so
well with others.  If you select your IMAP server, this option will
set some pre-defined settings for that server.

Please note that you will still need to go through and make sure
everything is correct.  This does not change everything.  There are
only a few settings that this will change.

Please select your IMAP server:
    bincimap    = Binc IMAP server
    courier     = Courier IMAP server
    cyrus       = Cyrus IMAP server
    dovecot     = Dovecot Secure IMAP server
    exchange    = Microsoft Exchange IMAP server
    hmailserver = hMailServer
    macosx      = Mac OS X Mailserver
    mercury32   = Mercury/32
    uw          = University of Washington's IMAP server

    quit        = Do not change anything
Command >> <-- courier

               imap_server_type = courier
          default_folder_prefix = INBOX.
                   trash_folder = Trash
                    sent_folder = Sent
                   draft_folder = Drafts
             show_prefix_option = false
           default_sub_of_inbox = false
 show_contain_subfolders_option = false
             optional_delimiter = .
                  delete_folder = true

SquirrelMail Configuration : Read: config.php (1.4.0)
--------------------------------------------------------
Main Menu --
1.  Organization Preferences
2.  Server Settings
3.  Folder Defaults
4.  General Options
5.  Themes
6.  Address Books
7.  Message of the Day (MOTD)
8.  Plugins
9.  Database
10. Languages

D.  Set pre-defined settings for specific IMAP servers

C   Turn color off
S   Save data
Q   Quit
One last thing we need to do is modify the file /etc/squirrelmail/config_local.php and comment out the $default_folder_prefix variable - if you don't do this, you will see the following error message in SquirrelMail after you've logged in:
Query: CREATE "Sent"
Reason Given: Invalid mailbox name.
vi /etc/squirrelmail/config_local.php
<?php
/**
 * Local config overrides.
 *
 * You can override the config.php settings here.
 * Don't do it unless you know what you're doing.
 * Use standard PHP syntax, see config.php for examples.
 *
 * @copyright © 2002-2006 The SquirrelMail Project Team
 * @license http://opensource.org/licenses/gpl-license.php GNU Public License
 * @version $Id: config_local.php,v 1.2 2006/07/11 03:33:47 wtogami Exp $
 * @package squirrelmail
 * @subpackage config
 */

//$default_folder_prefix = '';

?>
Now you can type in http://server1.example.com/webmail or http://192.168.0.100/webmail in your browser to access SquirrelMail.
24 Install ISPConfig 3
ISPConfig 3 can either be installed from the latest released version (.tar.gz) or directly from SVN. To install it from the latest released version, do this:
cd /tmp
wget http://downloads.sourceforge.net/ispconfig/ISPConfig-3.0.1.tar.gz?use_mirror=
tar xvfz ISPConfig-3.0.1.tar.gz
cd ispconfig3_install/install/
(Replace ISPConfig-3.0.0.9-rc2.tar.gz with the latest version.) To install it from SVN, do this:
yum install subversion
Regardless of the installation method you've chosen, the next step is to run
php -q install.php
------------------------------------------------------------------------------

>> Initial configuration

Operating System: CentOS 5.2 or compatible

Following will be a few questions for primary configuration so be careful.
Default values are in [brackets] and can be accepted with <ENTER>.
Tap in "quit" (without the quotes) to stop the installer.

Select language (en,de) [en]:
Installation mode (standard,expert) [standard]: <-- ENTER
Full qualified hostname (FQDN) of the server, eg server1.domain.tld [server1.example.com]: <-- ENTER
MySQL server hostname [localhost]: <-- ENTER
MySQL root username [root]: <-- ENTER
MySQL root password []: <-- yourrootsqlpassword
MySQL database to create [dbispconfig]: <-- ENTER
MySQL charset [utf8]: <-- ENTER
Generating a 2048 bit RSA private key
................................................+++
.................................................................................+++
writing new private key to 'smtpd.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]: <-- ENTER
State or Province Name (full name) [Berkshire]: <-- ENTER
Locality Name (eg, city) [Newbury]: <-- ENTER
Organization Name (eg, company) [My Company Ltd]: <-- ENTER
Organizational Unit Name (eg, section) []: <-- ENTER
Common Name (eg, your name or your server's hostname) []: <-- ENTER
Email Address []: <-- ENTER
Configuring Jailkit
Configuring SASL
Configuring PAM
Configuring Courier
Configuring Spamassassin
Configuring Amavisd
Configuring Getmail
Configuring Pureftpd
Configuring MyDNS
Configuring Apache
Configuring Firewall
Installing ISPConfig
ISPConfig Port [8080]: <-- ENTER
Configuring DBServer
Installing Crontab
no crontab for root
no crontab for getmail
Restarting services ...
Stopping MySQL:                                            [  OK  ]
Starting MySQL:                                            [  OK  ]
Shutting down postfix:                                     [  OK  ]
Starting postfix:                                          [  OK  ]
Stopping saslauthd:                                        [  OK  ]
Starting saslauthd:                                        [  OK  ]
Shutting down Mail Virus Scanner (amavisd):                [  OK  ]
Starting Mail Virus Scanner (amavisd):                     [  OK  ]
Stopping Clam AntiVirus Daemon:                            [  OK  ]
Starting Clam AntiVirus Daemon:                            [  OK  ]
Stopping Courier authentication services: authdaemond
Starting Courier authentication services: authdaemond
Stopping Courier-IMAP server: imap imap-ssl pop3 pop3-ssl
Starting Courier-IMAP server: imap imap-ssl pop3 pop3-ssl
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
Stopping pure-ftpd:                                        [  OK  ]
Starting pure-ftpd:                                        [  OK  ]
Installation completed.
[root@server1 install]#
The installer automatically configures all underlying services, so no manual configuration is needed. Afterwards you can access ISPConfig 3 under http://server1.example.com:8080/ or http://192.168.0.100:8080/ . Log in with the username admin and the password admin (you should change the default password after your first login):
25 Links
CentOS: http://www.centos.org/
ISPConfig: http://www.ispconfig.org/