A no so perfect interpretation of: ![[WWW]](/wiki/rightsidebarsmaller/img/moin-www.png){kind=small}
http://www.howtoforge.com/perfect_setup_centos_4.3
The Not So Perfect Setup of Centos 4.4 x86_64 for ISPConfig
Get all the RPMS you need installed and out of the way
Avoid Cross Architectural problems by excluding x86 packages. This is the solution to the erasing openssl in the article.
echo "exclude=*.i386 *.i586 *.i686" >> /etc/yum.conf
yum install fetchmail wget bzip2 unzip zip nmap openssl lynx fileutils ncftp quota bind-chroot mysql mysql-devel mysql-server cyrus-sasl cyrus-sasl-devel cyrus-sasl-gssapi cyrus-sasl-md5 cyrus-sasl-plain postfix dovecot php php-devel php-gd php-imap php-ldap php-mysql php-odbc php-pear php-xml php-xmlrpc curl curl-devel perl-libwww-perl ImageMagick libxml2 libxml2-devel webalizer ntp perl-HTML-Parser perl-DBI perl-Net-DNS perl-Digest-SHA1 flex
Edit fstab to include quote support
vi /etc/fstab
/dev/VolGroup00/LogVol00 / ext3 defaults,usrquota,grpquota 1 1
Then run:
touch /aquota.user /aquota.group chmod 600 /aquota.* mount -o remount / quotacheck -avugm quotaon -avug
Make some modifications to bind-chroot
chmod 755 /var/named/ chmod 775 /var/named/chroot/ chmod 775 /var/named/chroot/var/ chmod 775 /var/named/chroot/var/named/ chmod 775 /var/named/chroot/var/run/ chmod 777 /var/named/chroot/var/run/named/ cd /var/named/chroot/var/named/ ln -s ../../ chroot chkconfig named on service named start
Mysql setup
chkconfig mysqld on service mysqld start mysqladmin -u root password yourrootsqlpassword mysqladmin -h server1.example.com -u root password yourrootsqlpassword
Postfix Configuration
Edit /usr/lib64/sasl2/smtpd.conf
vi /usr/lib64/sasl2/smtpd.conf
pwcheck_method: saslauthd mech_list: plain login
Make a SSL certificate for Postfix
mkdir /etc/postfix/ssl cd /etc/postfix/ssl/ openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024 chmod 600 smtpd.key openssl req -new -key smtpd.key -out smtpd.csr openssl rsa -in smtpd.key -out smtpd.key.unencrypted mv -f smtpd.key.unencrypted smtpd.key openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
postconf -e 'smtpd_sasl_local_domain =' postconf -e 'smtpd_sasl_auth_enable = yes' postconf -e 'smtpd_sasl_security_options = noanonymous' postconf -e 'broken_sasl_auth_clients = yes' postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination' postconf -e 'inet_interfaces = all' postconf -e 'smtpd_tls_auth_only = no' postconf -e 'smtp_use_tls = yes' postconf -e 'smtpd_use_tls = yes' postconf -e 'smtp_tls_note_starttls_offer = yes' postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key' postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt' postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem' postconf -e 'smtpd_tls_loglevel = 1' postconf -e 'smtpd_tls_received_header = yes' postconf -e 'smtpd_tls_session_cache_timeout = 3600s' postconf -e 'tls_random_source = dev:/dev/urandom'
Resulting /etc/postfix/main.cf:
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
mail_owner = postfix
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
debug_peer_level = 2
debugger_command =
PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.1.5/samples
readme_directory = /usr/share/doc/postfix-2.1.5/README_FILES
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
Edit /etc/dovecot.conf
vi /etc/dovecot.conf
[...] # Base directory where to store runtime data. #base_dir = /var/run/dovecot/ # Protocols we want to be serving: # imap imaps pop3 pop3s protocols = imap imaps pop3 pop3s # IP or host address where to listen in for connections. It's not currently # possible to specify multiple addresses. "*" listens in all IPv4 interfaces. [...]
chkconfig sendmail off service sendmail stop for service in postfix saslauthd dovecot do chkconfig $service on service $service start
Edit /etc/httpd/conf/httpd.conf
vi /etc/httpd/conf/httpd.conf
DirectoryIndex index.html index.htm index.shtml index.cgi index.php index.php3 index.pl
Edit /etc/httpd/conf.d/php.conf
vi /etc/httpd/conf.d/php.conf
# # PHP is an HTML-embedded scripting language which attempts to make it # easy for developers to write dynamically generated webpages. # LoadModule php4_module modules/libphp4.so # # Cause the PHP interpreter to handle files with a .php extension. # #AddType application/x-httpd-php .php # AddType application/x-httpd-php-source .phps # # Add index.php to the list of files that will be served as directory # indexes. # DirectoryIndex index.php
Setup NTP
chkconfig ntpd on ntpdate pool.ntp.org service ntpd start
ISPConfig and SuExec
I found that ISPConfig installed the sites in /var/www when I installed it, so the SuExec precautions were not required.
When installing ISPConfig
DON'T UPDATE ZLIB, it is security patched on Centos, and ClamAV's setup script is simply in error.
Edit the compile file and add --disable-zlib-vcheck
vi install_ispconfig/compile_aps/compile
cd ${CLAMAV}
./configure --prefix=/home/adm${APPLICATION_NAME}/${APPLICATION_NAME}/tools/clamav --sysconfdir=/home/adm${APPLICATION_NAME}/${APPLICATION_NAME}/tools/clamav/etc --with-user=adm${APPLICATION_NAME} --with-group=adm${APPLICATION_NAME} --disable-clamav --disable-zlib-vcheck --disable-bzip2 || error "Could not configure ClamAV"