IT training: The Perfect Server CentOS 5


ACE I.T. LEARNING SOLUTIONS, INC.
Rm. 208-210 V.I.R.Bldg., E. Rodriquez, Sr., Ave., Cubao, Q. C
The Perfect Server - CentOS 5.2
This tutorial shows how to set up a CentOS 5.2 server that offers all services needed
by ISPs and web hosters: Apache web server (SSL-capable), Postfix mail server with
SMTP-AUTH and TLS, BIND DNS server, Proftpd FTP server, MySQL server, Dovecot
POP3/IMAP, Quota, Firewall, etc. This tutorial is written for the 32-bit version of
CentOS 5.2, but should apply to the 64-bit version with very little modifications as well.
I will use the following software:
- Web Server: Apache 2.2 with PHP 5.1.6
- Database Server: MySQL 5.0
- Mail Server: Postfix
- DNS Server: BIND9 (chrooted)
- FTP Server: Proftpd
- POP3/IMAP server: Dovecot
- Webalizer for web site statistics

In the end you should have a system that works reliably, and if you like you can install
the free webhosting control panel ISPConfig (i.e., ISPConfig runs on it out of the box).
I want to say first that this is not the only way of setting up such a system. There are
many ways of achieving this goal but this is the way I take. I do not issue any guarantee
that this will work for you!
1 Requirements
To install such a system you will need the following:
- the CentOS 5.2 DVD or the six CentOS 5.2 CDs, downloaded from a mirror near you
  (the list of mirrors is published on the CentOS website)
- a fast internet connection.

2 Preliminary Note
In this tutorial I use the hostname server1.example.com with the IP address
192.168.0.100 and the gateway 192.168.0.1. These settings might differ for you, so you
have to replace them where appropriate.
3 Install The Base System
Boot from your first CentOS 5.2 CD (CD 1) or the CentOS 5.2 DVD. Press <ENTER> at
the boot prompt:

Prepared By: Jim "King" Reforma

Testing the installation media can take a long time, so we skip it here. (The media test only compares the burned disc with its own checksum; if you want that assurance without the wait, compare the sha1sum of the downloaded ISO with the checksum file published next to it on the mirror before you burn it.)

The welcome screen of the CentOS installer appears. Click on Next:
Choose your language next:

Select your keyboard layout:

I'm installing CentOS 5.2 on a fresh system, so I answer Yes to the question Would you
like to initialize this drive, erasing ALL DATA?

Now we must select a partitioning scheme for our installation. For simplicity's sake I
select Remove linux partitions on selected drives and create default layout. This will
result in a small /boot and a large / partition as well as a swap partition. Of course, you're
free to partition your hard drive however you like it. Then I hit Next:


Answer the following question (Are you sure you want to do this?) with Yes:

On to the network settings. The default setting here is to configure the network interfaces
with DHCP, but we are installing a server, so static IP addresses are not a bad idea...
Click on the Edit button at the top right.

In the window that pops up uncheck Use dynamic IP configuration (DHCP) and Enable
IPv6 support and give your network card a static IP address (in this tutorial I'm using the
IP address 192.168.0.100 for demonstration purposes) and a suitable netmask (e.g.
255.255.255.0; if you are not sure about the right values, an online subnet calculator
might help you):

Set the hostname manually, e.g. server1.example.com, and enter a gateway (e.g.
192.168.0.1) and up to two DNS servers (e.g. 213.191.92.86 and 145.253.2.75):

Choose your time zone:

Give root a password:

Now we select the software we want to install. Select nothing but Server (uncheck
everything else). Also don't check Packages from CentOS Extras. Then check Customize
now, and click on Next:

Now we must select the package groups we want to install. Select Editors, Text-based
Internet, Development Libraries, Development Tools, DNS Name Server, FTP Server,
Mail Server, MySQL Database, Server Configuration Tools, Web Server, Administration
Tools, Base, and System Tools (unselect all other package groups) and click on Next:

The installer checks the dependencies of the selected packages:

Click on Next to start the installation:

The hard drive is being formatted:


The installation begins. This will take a few minutes:

Finally, the installation is complete, and you can remove your CD or DVD from the
computer and reboot it:

After the reboot, you will see this screen. Select Firewall configuration and hit Run Tool:

I want to install ISPConfig at the end of this tutorial, which comes with its own firewall.
That's why I disable the default CentOS firewall now. Of course, you are free to leave it
on and configure it to your needs (but then you shouldn't use any other firewall later on,
as it will most probably interfere with the CentOS firewall).
SELinux is a security extension of CentOS that should provide extended security. In my
opinion you don't need it to configure a secure system, and it usually causes more
problems than advantages (think of it after you have done a week of troubleshooting
because some service wasn't working as expected, and then you find out that everything
was ok, only SELinux was causing the problem). Therefore I disable it, too (this is a must
if you want to install ISPConfig later on). Hit OK afterwards:

Then leave the Setup Agent by selecting Exit:

Then log in as root and reboot the system so that your changes can be applied:
reboot
Now, on to the configuration...
4 Adjust /etc/hosts
Next we edit /etc/hosts. Make it look like this:
vi /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1       localhost.localdomain localhost
192.168.0.100   server1.example.com server1
::1             localhost6.localdomain6 localhost6

5 Configure Additional IP Addresses
(This section is totally optional. It just shows how to add additional IP addresses to your
network interface eth0 if you need more than one IP address. If you're fine with one IP
address, you can skip this section.)
Let's assume our network interface is eth0. Then there is a file
/etc/sysconfig/network-scripts/ifcfg-eth0 which contains the settings for eth0. We can use
this as a sample for our new virtual network interface eth0:0:
cp /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0:0
Now we want to use the IP address 192.168.0.101 on the virtual interface eth0:0.
Therefore we open the file /etc/sysconfig/network-scripts/ifcfg-eth0:0 and modify it as
follows (we can leave out the HWADDR line as it is the same physical network card):
vi /etc/sysconfig/network-scripts/ifcfg-eth0:0
# Advanced Micro Devices [AMD] 79c970 [PCnet32 LANCE]
DEVICE=eth0:0
BOOTPROTO=static
BROADCAST=192.168.0.255
IPADDR=192.168.0.101
NETMASK=255.255.255.0
NETWORK=192.168.0.0
ONBOOT=yes
Afterwards we have to restart the network:

/etc/init.d/network restart
You might also want to adjust /etc/hosts after you have added new IP addresses, although
this is not necessary.
Now run
ifconfig
You should now see your new IP address in the output:
[root@server1 ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0C:29:B1:97:E1
          inet addr:192.168.0.100  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:feb1:97e1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:310 errors:0 dropped:0 overruns:0 frame:0
          TX packets:337 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:28475 (27.8 KiB)  TX bytes:72116 (70.4 KiB)
          Interrupt:177 Base address:0x1400

eth0:0    Link encap:Ethernet  HWaddr 00:0C:29:B1:97:E1
          inet addr:192.168.0.101  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:177 Base address:0x1400

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:560 (560.0 b)  TX bytes:560 (560.0 b)

[root@server1 ~]#
6 Disable The Firewall And SELinux
(You can skip this chapter if you have already disabled the firewall and SELinux at the
end of the basic system installation (in the Setup Agent).)
I want to install ISPConfig at the end of this tutorial, which comes with its own firewall.
That's why I disable the default CentOS firewall now. Of course, you are free to leave it
on and configure it to your needs (but then you shouldn't use any other firewall later on,
as it will most probably interfere with the CentOS firewall).
SELinux is a security extension of CentOS that should provide extended security. In my
opinion you don't need it to configure a secure system, and it usually causes more
problems than advantages (think of it after you have done a week of troubleshooting
because some service wasn't working as expected, and then you find out that everything
was ok, only SELinux was causing the problem). Therefore I disable it, too (this is a must
if you want to install ISPConfig later on).
Be aware of what you give up. With the firewall off, every service installed from here on
(MySQL, BIND, Postfix, Dovecot, FTP) is reachable from any network the machine is on
until ISPConfig's firewall is installed and configured, so do the rest of this tutorial on a
network you trust. With SELinux off, a compromised daemon is confined only by ordinary
Unix permissions. If a service misbehaves under SELinux, permissive mode (setenforce 0
now, or SELINUX=permissive in /etc/selinux/config for the next boot) logs every denial to
/var/log/audit/audit.log without blocking anything, which tells you in minutes rather than
a week whether SELinux is the cause; audit2allow from the policycoreutils package can
turn those log entries into a small local policy module instead of switching the whole
system off.
Run
system-config-securitylevel
Set both Security Level and SELinux to Disabled and hit OK:

Afterwards we must reboot the system:
reboot
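As an added example (not part of this tutorial, and not a CentOS or ISPConfig tool): before settling for Disabled, it is cheaper to put SELinux into permissive mode and read what it would have blocked. The two shell functions below do that reading offline: selinux_mode reports the boot-time setting from a file in /etc/selinux/config format, and avc_summary condenses the AVC denial lines of an audit log into one line per process, permission and object class, most frequent first. The audit lines and the config file they run on are constructed here to look like CentOS 5 output (the PIDs, inodes and contexts are invented); on a real box you would pass /var/log/audit/audit.log and /etc/selinux/config.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials and read the configured mode.
# Input files are arguments so the functions can run against copies of
# /var/log/audit/audit.log and /etc/selinux/config. Needs only sh and awk.

# selinux_mode FILE -> enforcing|permissive|disabled (last SELINUX= line wins,
# comments and SELINUXTYPE= ignored), or "unknown" if no such line exists.
selinux_mode() {
    awk -F= '/^[[:space:]]*SELINUX=/ { m = $2; gsub(/[[:space:]]/, "", m) }
             END { print (m == "" ? "unknown" : tolower(m)) }' "$1"
}

# avc_summary FILE -> "<count> <comm> <permissions> <tclass>" per distinct
# denial, e.g. "2 named write dir". Multiple permissions are joined by ",".
avc_summary() {
    awk '
    /type=AVC/ && /denied/ {
        comm = "?"; perms = "?"; tclass = "?"
        if (match($0, /comm="[^"]*"/))   comm = substr($0, RSTART + 6, RLENGTH - 7)
        if (match($0, /[{] [^}]* [}]/)) { perms = substr($0, RSTART + 2, RLENGTH - 4); gsub(/ /, ",", perms) }
        if (match($0, /tclass=[^ ]*/))   tclass = substr($0, RSTART + 7, RLENGTH - 7)
        count[comm " " perms " " tclass]++
    }
    END { for (k in count) print count[k], k }' "$1" | sort -rn
}

# write_sample_audit FILE: constructed audit.log lines in the CentOS 5 format
# (not captured from a real system): named denied write on a directory twice,
# httpd denied an outbound TCP connect once, plus a SYSCALL line to be skipped.
write_sample_audit() {
    cat > "$1" <<'EOF'
type=AVC msg=audit(1220000001.101:201): avc:  denied  { write } for  pid=2584 comm="named" name="slaves" dev=dm-0 ino=262150 scontext=root:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
type=AVC msg=audit(1220000002.102:202): avc:  denied  { write } for  pid=2584 comm="named" name="slaves" dev=dm-0 ino=262150 scontext=root:system_r:named_t:s0 tcontext=system_u:object_r:named_zone_t:s0 tclass=dir
type=AVC msg=audit(1220000003.103:203): avc:  denied  { name_connect } for  pid=3100 comm="httpd" dest=3306 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1220000003.103:203): arch=40000003 syscall=102 success=no exit=-13 comm="httpd"
EOF
}

# write_sample_config FILE: constructed /etc/selinux/config set to permissive.
write_sample_config() {
    cat > "$1" <<'EOF'
# This file controls the state of SELinux on the system.
SELINUX=permissive
SELINUXTYPE=targeted
EOF
}

# Stand-alone demo: sh thisfile demo
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    write_sample_audit "$tmp/audit.log"; write_sample_config "$tmp/config"
    echo "configured mode: $(selinux_mode "$tmp/config")"
    avc_summary "$tmp/audit.log"
    rm -rf "$tmp"
fi
```

Run it with the argument demo to see the output. The summary is the input you want before deciding anything: a handful of denials for one daemon on one object class is a job for audit2allow, not a reason to turn off mandatory access control for every service on the box.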
7 Install Some Software
First we import the GPG keys for software packages, so that yum can verify the signature
of every package it installs (the CentOS repositories ship with gpgcheck=1):
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY*
Then we update our existing packages on the system:
yum update
Now we install some software packages that are needed later on:
yum install fetchmail wget bzip2 unzip zip nmap openssl lynx fileutils ncftp gcc gcc-c++
8 Quota
(If you have chosen a different partitioning scheme than I did, you must adjust this
chapter so that quota applies to the partitions where you need it.)
To install quota, we run this command:
yum install quota
Edit /etc/fstab and add ,usrquota,grpquota to the / partition
(/dev/VolGroup00/LogVol00):
vi /etc/fstab
/dev/VolGroup00/LogVol00 /                       ext3    defaults,usrquota,grpquota 1 1
LABEL=/boot              /boot                   ext3    defaults        1 2
tmpfs                    /dev/shm                tmpfs   defaults        0 0
devpts                   /dev/pts                devpts  gid=5,mode=620  0 0
sysfs                    /sys                    sysfs   defaults        0 0
proc                     /proc                   proc    defaults        0 0
/dev/VolGroup00/LogVol01 swap                    swap    defaults        0 0

Then run
touch /aquota.user /aquota.group
chmod 600 /aquota.*
mount -o remount /
quotacheck -avugm

quotaon -avug
to enable quota.
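As an added example (not from the tutorial): the same fstab change done as an idempotent script instead of by hand in vi, plus a check that the options really took effect after the remount. Both functions take their files as arguments so they can be rehearsed on copies; on the server you would pass /etc/fstab and /etc/mtab (which mount rewrites on every remount, in the same six-field format as /proc/mounts). The fstab and mtab contents below are constructed to match the default layout used in this tutorial. quotaon -p / is the authoritative check of quota state afterwards.

```shell
#!/bin/sh
# Added example: script the fstab edit for quota and verify the live options.
# File paths are parameters; nothing here touches /etc unless you pass it.

# add_quota_opts FSTAB MOUNTPOINT: append usrquota,grpquota to the options
# field (4) of the entry for MOUNTPOINT. Idempotent: options already present
# are not duplicated, and comment lines and other entries are printed unchanged.
add_quota_opts() {
    fstab="$1"; mp="$2"; tmp="$fstab.tmp.$$"
    awk -v mp="$mp" '
    $1 !~ /^#/ && NF >= 4 && $2 == mp {
        n = split($4, o, ","); u = 0; g = 0
        for (i = 1; i <= n; i++) { if (o[i] == "usrquota") u = 1; if (o[i] == "grpquota") g = 1 }
        if (!u) $4 = $4 ",usrquota"
        if (!g) $4 = $4 ",grpquota"
    }
    { print }' "$fstab" > "$tmp" && mv "$tmp" "$fstab"
}

# quota_opts_active MTAB MOUNTPOINT: exit 0 if the live mount entry for
# MOUNTPOINT carries both quota options, 1 otherwise.
quota_opts_active() {
    awk -v mp="$2" '
    $2 == mp { n = split($4, o, ","); for (i = 1; i <= n; i++) seen[o[i]] = 1 }
    END { exit !(("usrquota" in seen) && ("grpquota" in seen)) }' "$1"
}

# write_sample_fstab FILE: constructed copy of the installer's default layout
# (LVM root, separate /boot) before the quota edit.
write_sample_fstab() {
    cat > "$1" <<'EOF'
# constructed sample, mirrors the layout produced by the CentOS installer
/dev/VolGroup00/LogVol00 /                       ext3    defaults        1 1
LABEL=/boot              /boot                   ext3    defaults        1 2
tmpfs                    /dev/shm                tmpfs   defaults        0 0
devpts                   /dev/pts                devpts  gid=5,mode=620  0 0
sysfs                    /sys                    sysfs   defaults        0 0
proc                     /proc                   proc    defaults        0 0
/dev/VolGroup00/LogVol01 swap                    swap    defaults        0 0
EOF
}

# write_sample_mtab FILE OPTIONS: constructed /etc/mtab whose root entry
# carries OPTIONS ("rw" before the remount, "rw,usrquota,grpquota" after).
write_sample_mtab() {
    printf '/dev/mapper/VolGroup00-LogVol00 / ext3 %s 0 0\n/dev/sda1 /boot ext3 rw 0 0\n' "$2" > "$1"
}

# Stand-alone demo: sh thisfile demo
if [ "${1:-}" = "demo" ]; then
    t=$(mktemp -d)
    write_sample_fstab "$t/fstab"
    add_quota_opts "$t/fstab" /; add_quota_opts "$t/fstab" /   # second run is a no-op
    grep ' / ' "$t/fstab"
    write_sample_mtab "$t/mtab" rw,usrquota,grpquota
    quota_opts_active "$t/mtab" / && echo "quota options active on /"
    rm -rf "$t"
fi
```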
9 Install A Chrooted DNS Server (BIND9)
To install a chrooted BIND9, we do this:
yum install bind-chroot
Then do this:
chmod 755 /var/named/
chmod 775 /var/named/chroot/
chmod 775 /var/named/chroot/var/
chmod 775 /var/named/chroot/var/named/
chmod 775 /var/named/chroot/var/run/
chmod 777 /var/named/chroot/var/run/named/
(The last line makes the directory holding named's PID file writable by every local
account, which lets any local user replace or remove that file. named itself only needs to
write there as the named user, so chown named:named /var/named/chroot/var/run/named/
together with chmod 770 is sufficient; if another program must write there too, add it to
the named group rather than opening the directory to the world.)
cd /var/named/chroot/var/named/
ln -s ../../ chroot
cp /usr/share/doc/bind-9.3.4/sample/var/named/named.local /var/named/chroot/var/named/named.local
cp /usr/share/doc/bind-9.3.4/sample/var/named/named.root /var/named/chroot/var/named/named.root
touch /var/named/chroot/etc/named.conf
chkconfig --levels 235 named on
/etc/init.d/named start
BIND will run in a chroot jail under /var/named/chroot/ (its zone files live in
/var/named/chroot/var/named/). I will use ISPConfig to configure BIND (zones, etc.), which
is why named.conf is created empty here. BIND's built-in defaults allow recursion, so
until a named.conf that restricts it (allow-recursion) is in place, keep port 53 of this
machine unreachable from the internet; otherwise it answers recursive queries for anyone.
10 MySQL (5.0)
To install MySQL, we do this:
yum install mysql mysql-devel mysql-server
Then we create the system startup links for MySQL (so that MySQL starts automatically
whenever the system boots) and start the MySQL server:
chkconfig --levels 235 mysqld on
/etc/init.d/mysqld start
Now check that networking is enabled. Run
netstat -tap | grep mysql
It should show a line like this:
[root@server1 ~]# netstat -tap | grep mysql
tcp        0      0 *:mysql                     *:*                         LISTEN      2584/mysqld
[root@server1 ~]#

If it does not, edit /etc/my.cnf and comment out the option skip-networking:
vi /etc/my.cnf
[...]
#skip-networking
[...]

and restart your MySQL server:
/etc/init.d/mysqld restart

Run
mysqladmin -u root password yourrootsqlpassword
mysqladmin -h server1.example.com -u root password yourrootsqlpassword
to set a password for the user root (otherwise anybody can access your MySQL
database!). Three things to keep in mind: a password given on the command line ends up
in root's shell history (~/.bash_history), so remove it from there afterwards; MySQL still
has its anonymous accounts and the test database after this step, both of which
mysql_secure_installation removes interactively; and with skip-networking off, mysqld
listens on every interface (the *:mysql line above), so if nothing outside this machine
needs it, add bind-address = 127.0.0.1 under [mysqld] in /etc/my.cnf or filter port 3306
in the firewall.
11 Postfix With SMTP-AUTH And TLS
Now we install Postfix and Dovecot (Dovecot will be our POP3/IMAP server):
yum install cyrus-sasl cyrus-sasl-devel cyrus-sasl-gssapi cyrus-sasl-md5 cyrus-sasl-plain postfix dovecot
Next we configure SMTP-AUTH and TLS:
postconf -e 'smtpd_sasl_local_domain ='
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_sasl_authenticated_header = yes'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
postconf -e 'inet_interfaces = all'
postconf -e 'mynetworks = 127.0.0.0/8'
We must edit /usr/lib/sasl2/smtpd.conf so that Postfix allows PLAIN and LOGIN logins.
On a 64Bit Centos 5.2 you must edit the file /usr/lib64/sasl2/smtpd.conf instead. It should
look like this:

vi /usr/lib/sasl2/smtpd.conf
pwcheck_method: saslauthd
mech_list: plain login
Afterwards we create the certificates for TLS:
mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv -f smtpd.key.unencrypted smtpd.key
chmod 600 smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
The second chmod matters: openssl rsa writes the decrypted copy with the default umask,
so without it the mv leaves the unencrypted private key world-readable. Two further
caveats: 1024-bit RSA was common when this was written but is too short today (use 2048
bits or more), and smtpd.crt is self-signed with its own key, so mail clients will warn
about it and cacert.pem is not actually its issuer; for a public server use a certificate
from a CA your clients trust.
Next we configure Postfix for TLS:
postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'
With smtpd_tls_auth_only = no, Postfix still accepts AUTH on a session that never issued
STARTTLS, and the PLAIN and LOGIN mechanisms enabled above then carry the password in
cleartext (base64 is an encoding, not encryption). If all your clients support STARTTLS,
set it to yes so that AUTH is only offered once the session is encrypted.

Then we set the hostname in our Postfix installation (make sure you replace
server1.example.com with your own hostname):
postconf -e 'myhostname = server1.example.com'
After these configuration steps you should now have a /etc/postfix/main.cf that looks like
this (I have removed all comments from it):
cat /etc/postfix/main.cf
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
mail_owner = postfix
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
debug_peer_level = 2
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.3.3/samples
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
mynetworks = 127.0.0.0/8
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
myhostname = server1.example.com
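As an added example (not part of the tutorial and not Postfix's own tooling), covering the SMTP-AUTH and TLS steps above: the script shows what an AUTH PLAIN login actually puts on the wire for a hypothetical user jim with password secret, and audits a main.cf for the four settings that decide whether this server relays for strangers and whether it takes passwords in the clear. The two main.cf excerpts it checks are constructed here: one with the values from this section (smtpd_tls_auth_only = no), one with that setting changed to yes.

```shell
#!/bin/sh
# Added example: what SMTP AUTH PLAIN carries, and a small audit of the
# relay/authentication settings in a Postfix main.cf. Needs sh, awk, base64.

b64enc() { base64 | tr -d '\n'; }        # base64 without line wrapping

# auth_plain_token USER PASS -> the string a client sends after "AUTH PLAIN".
# RFC 4616 layout: [authzid] NUL authcid NUL password (authzid left empty).
auth_plain_token() {
    printf '\000%s\000%s' "$1" "$2" | b64enc
}

# auth_plain_decode TOKEN -> the fields with NUL shown as '|'. Anyone on the
# path sees exactly this unless the session is already inside STARTTLS.
auth_plain_decode() {
    printf '%s' "$1" | base64 -d | tr '\000' '|'
}

# cf_get MAIN_CF PARAM -> value of PARAM ("param = value" lines; last wins).
cf_get() {
    awk -v p="$2" '$1 == p && $2 == "=" { $1 = ""; $2 = ""; sub(/^ +/, ""); v = $0 }
                   END { print v }' "$1"
}

# check_main_cf MAIN_CF -> one line per weak setting, then "findings=N".
check_main_cf() {
    f="$1"; n=0
    [ "$(cf_get "$f" smtpd_use_tls)" = "yes" ] || {
        echo "smtpd_use_tls != yes: STARTTLS is never offered"; n=$((n + 1)); }
    [ "$(cf_get "$f" smtpd_tls_auth_only)" = "yes" ] || {
        echo "smtpd_tls_auth_only != yes: AUTH PLAIN/LOGIN accepted on the cleartext session"; n=$((n + 1)); }
    case "$(cf_get "$f" smtpd_sasl_security_options)" in
        *noanonymous*) ;;
        *) echo "smtpd_sasl_security_options lacks noanonymous: anonymous SASL would count as authenticated"; n=$((n + 1)) ;;
    esac
    case "$(cf_get "$f" smtpd_recipient_restrictions)" in
        *reject_unauth_destination*|*defer_unauth_destination*) ;;
        *) echo "smtpd_recipient_restrictions lacks reject_unauth_destination: open relay"; n=$((n + 1)) ;;
    esac
    echo "findings=$n"
}

# write_page_cf FILE: constructed excerpt with the values set in this section.
write_page_cf() {
    cat > "$1" <<'EOF'
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_tls_auth_only = no
smtpd_use_tls = yes
EOF
}

# write_hardened_cf FILE: the same excerpt with AUTH confined to TLS sessions.
write_hardened_cf() {
    write_page_cf "$1"
    sed 's/^smtpd_tls_auth_only = no$/smtpd_tls_auth_only = yes/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Stand-alone demo: sh thisfile demo
if [ "${1:-}" = "demo" ]; then
    tok=$(auth_plain_token jim secret)
    echo "C: AUTH PLAIN $tok"
    echo "   (decodes to: $(auth_plain_decode "$tok"))"
    t=$(mktemp -d); write_page_cf "$t/page.cf"; write_hardened_cf "$t/hard.cf"
    echo "--- main.cf as configured above"; check_main_cf "$t/page.cf"
    echo "--- with smtpd_tls_auth_only = yes"; check_main_cf "$t/hard.cf"
    rm -rf "$t"
fi
```

The token line is the whole point of the smtpd_tls_auth_only caveat: a client that skips STARTTLS sends AUTH PLAIN AGppbQBzZWNyZXQ= and anyone who can read the TCP stream recovers jim and secret with one base64 decode. The audit is deliberately narrow; it checks the settings this section touches and nothing else.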
By default, CentOS' Dovecot daemon provides only IMAP and IMAPs services. Because
we also want POP3 and POP3s we must configure Dovecot to do so. We edit
/etc/dovecot.conf and enable the line protocols = imap imaps pop3 pop3s:
vi /etc/dovecot.conf
[...]
# Base directory where to store runtime data.
#base_dir = /var/run/dovecot/

# Protocols we want to be serving: imap imaps pop3 pop3s
#   If you only want to use dovecot-auth, you can set this to "none".
protocols = imap imaps pop3 pop3s

# IP or host address where to listen in for connections. It's not currently
# possible to specify multiple addresses. "*" listens in all IPv4 interfaces.