Setting Up a Secure Postfix Mail Server with Authentication on AlmaLinux 9


In this comprehensive guide, we’ll configure a full-featured Postfix email server on AlmaLinux 9 with SASL authentication. This setup allows authenticated users to send emails securely, making it ideal for personal servers or small business environments. We’ll cover installation, configuration, security hardening, and testing.

Why Use Postfix with Authentication?

Postfix is a powerful, open-source mail transfer agent (MTA) known for its security and reliability. Enabling SASL authentication lets users authenticate before sending emails, preventing unauthorized relaying and enhancing control over your mail server.

Prerequisites

  • An AlmaLinux 9 server with root access
  • A registered domain name (replace yourdomain.com with your actual domain)
  • Basic knowledge of Linux command-line operations

1. Install and Initialize Postfix

sudo dnf update -y
sudo dnf install postfix -y

# Enable and start the service
sudo systemctl enable --now postfix
sudo systemctl status postfix

2. Configure Core Postfix Settings

Edit /etc/postfix/main.cf to define server behavior and security parameters:

# Server Identity
myhostname = mail.yourdomain.com
mydomain = yourdomain.com
myorigin = $mydomain

# Network Configuration
# (main.cf comments must be on their own line, not after a value)
# Listen on all interfaces (adjust based on your security requirements)
inet_interfaces = all
# Enable IPv4/IPv6
inet_protocols = all

# Mail Delivery Rules
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
# Restrict unauthenticated relaying to localhost
mynetworks = 127.0.0.0/8 [::1]/128

# Mail Storage
# Use Maildir format for email storage
home_mailbox = Maildir/

# SMTP Banner
smtpd_banner = $myhostname ESMTP Postfix

Verify syntax and apply changes:

sudo postfix check
sudo systemctl reload postfix

3. Enable SASL Authentication

Install SASL libraries and configure PAM authentication:

# Install SASL packages
sudo dnf install cyrus-sasl cyrus-sasl-plain -y

# Configure SASL daemon
echo 'MECH=pam' | sudo tee -a /etc/sysconfig/saslauthd
sudo systemctl enable --now saslauthd
sudo systemctl status saslauthd

4. Configure Postfix to Use SASL

Modify /etc/postfix/main.cf to enable authentication and restrict relay access:

# Enable SASL authentication
smtpd_sasl_auth_enable = yes

# Security policies
smtpd_sasl_security_options = noanonymous
# Enable compatibility with older clients
broken_sasl_auth_clients = yes

# Relay control: Allow authenticated users
# (continuation lines must start with whitespace)
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

Create the SASL configuration file:

sudo mkdir -p /etc/sasl2
echo -e "pwcheck_method: saslauthd\nmech_list: plain login" | sudo tee /etc/sasl2/smtpd.conf
sudo systemctl reload postfix

5. Create User Accounts for Authentication

Add a user account to test authentication:

sudo adduser newuser
sudo passwd newuser

6. Test the Configuration

Install Swaks, a command-line SMTP testing tool:

sudo dnf install epel-release -y
sudo dnf install swaks

# Test authentication and email delivery
swaks \
--server localhost \
--port 25 \
--helo smtp.server.com \
--to [email protected] \
--from [email protected] \
--auth LOGIN \
--auth-user newuser \
--auth-password 'your_secure_password' \
--tls \
--body "Subject: Test Email via Swaks\n\nThis is a test message."

Critical Security Considerations

  • Restrict mynetworks: Only allow trusted networks to bypass authentication.
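
An added example (not part of the original guide): a shell check that reads `postconf -n` style output and flags the settings that matter most for this setup: AUTH offered without TLS (the plain and login mechanisms send the password merely base64-encoded), any non-loopback entry in mynetworks, and an override that drops noanonymous. The sample settings and the finding names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the guide: audit `postconf -n` style settings.

# Constructed sample: the settings from this guide as postconf -n would list them.
SAMPLE_GUIDE='mynetworks = 127.0.0.0/8 [::1]/128
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous'

# Constructed sample: TLS required before AUTH, but a whole LAN in mynetworks.
SAMPLE_WIDE='mynetworks = 127.0.0.0/8, 10.0.0.0/8
smtpd_sasl_auth_enable = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes'

# get_param NAME: read "name = value" lines on stdin, print NAME's value.
get_param() {
    sed -n "s/^$1[[:space:]]*=[[:space:]]*//p" | tail -n 1
}

# audit_postfix SETTINGS: print one finding per line; no output means clean.
audit_postfix() (
    set -f    # mynetworks entries like [::1]/128 must not be glob-expanded
    conf=$1
    sasl=$(printf '%s\n' "$conf" | get_param smtpd_sasl_auth_enable)
    tls_only=$(printf '%s\n' "$conf" | get_param smtpd_tls_auth_only)
    tls_level=$(printf '%s\n' "$conf" | get_param smtpd_tls_security_level)
    nets=$(printf '%s\n' "$conf" | get_param mynetworks)
    secopts=$(printf '%s\n' "$conf" | get_param smtpd_sasl_security_options)

    # AUTH is safe to offer only when the session is already encrypted.
    if [ "$sasl" = "yes" ] && [ "$tls_only" != "yes" ] && [ "$tls_level" != "encrypt" ]; then
        echo "AUTH_WITHOUT_TLS"
    fi
    # Every network listed here relays mail without authenticating.
    for net in $(printf '%s' "$nets" | tr ',' ' '); do
        case $net in
            127.*|'[::1]'*) ;;
            *) echo "NON_LOOPBACK_MYNETWORKS:$net" ;;
        esac
    done
    # An explicit override that drops noanonymous permits anonymous logins.
    if [ -n "$secopts" ]; then
        case $secopts in
            *noanonymous*) ;;
            *) echo "ANONYMOUS_AUTH_ALLOWED" ;;
        esac
    fi
)

# Demo on the constructed sample; on a server: audit_postfix "$(postconf -n)"
audit_postfix "$SAMPLE_GUIDE"
```
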


How to Install Grafana on AlmaLinux 9


Grafana is a popular open-source platform for monitoring and observability. It allows you to visualize and explore your metrics, logs, and traces. In this guide, we will walk you through the steps to install Grafana on AlmaLinux 9.

Step 1: Update the System

First, ensure your system is up to date:

sudo dnf update -y

Step 2: Add the Grafana Repository

To install Grafana, you need to add the official Grafana repository. Run the following command:

sudo dnf install https://dl.grafana.com/oss/release/rpm/grafana-8.5.5-1.x86_64.rpm

Note: Replace `8.5.5-1` with the latest version available from the Grafana download page.

Step 3: Install Grafana

Once the repository is added, install Grafana using the following command:

sudo dnf install grafana -y

Step 4: Start and Enable Grafana

After installation, start the Grafana service and enable it to start on boot:

sudo systemctl start grafana-server
sudo systemctl enable grafana-server

Step 5: Configure Firewall (Optional)

If you have a firewall enabled, you need to allow traffic on port 3000 (default Grafana port):

sudo firewall-cmd --zone=public --add-port=3000/tcp --permanent
sudo firewall-cmd --reload

Step 6: Access Grafana

Once Grafana is installed and running, you can access it via a web browser. Open your browser and navigate to:

http://your_server_ip:3000

Replace `your_server_ip` with the actual IP address of your server.

Step 7: Initial Configuration

The first time you access Grafana, you will be prompted to set up an admin user and configure data sources. Follow the on-screen instructions to complete the setup.

Step 8: Verify Installation

To ensure that Grafana is running correctly, you can check the status of the service:

sudo systemctl status grafana-server

You should see that the service is active and running.

Conclusion

By following these steps, you should now have Grafana installed and running on your AlmaLinux 9 server. You can start adding data sources, creating dashboards, and monitoring your systems effectively.

If you encounter any issues or need further assistance, refer to the official Grafana documentation.

Happy monitoring!


Restricting Metabase User Access to Specific Dashboards


Metabase v0.47.0 offers powerful permission controls that allow you to restrict user access to specific dashboards while preventing them from accessing other features. Follow these steps to configure this setup:

1. Create a Dedicated User Group

Start by creating a new user group specifically for dashboard viewers:

  1. Navigate to Admin > People > Groups.
  2. Create a new group (e.g., “Dashboard Viewers”).

2. Set Restrictive Permissions

Next, set up restrictive permissions for the newly created group:

  1. Navigate to Admin > Permissions.
  2. For the “Dashboard Viewers” group:
    • Set all data access permissions to No access for all databases.
    • Set all collection permissions to No access for all collections.

3. Create a Specific Collection for Shared Dashboards

Organize your dashboards by creating a specific collection:

  1. Navigate to Collections from the top navigation.
  2. Create a new collection (e.g., “Shared Dashboards”).
  3. Move your intended dashboards to this collection.

4. Set Permissions for the Dashboard Collection

Ensure the “Dashboard Viewers” group has access only to the specified collection:

  1. Navigate to Admin > Permissions > Collections.
  2. Find your “Shared Dashboards” collection.
  3. For the “Dashboard Viewers” group, set the permission to View.

5. Add Users to the Restricted Group

Add the users who should only view the specified dashboards:

  1. Navigate to Admin > People.
  2. Add your users and assign them to the “Dashboard Viewers” group only.

6. Create Direct Dashboard Links

Provide your users with direct links to the dashboards:

  1. Open each dashboard.
  2. Copy the direct URL.
  3. Share these specific URLs with your users.

7. Optional: Set Up SSO or Embedding

For a more streamlined experience, consider the following options:

  • Single Sign-On (SSO): Configure SSO for a seamless login experience.
  • Embedding (Paid Plan): Use Metabase’s embedding functionality to integrate dashboards into your own applications (requires a paid plan).

By following these steps, you can ensure that users are restricted to viewing only the specific dashboards you have granted them access to, without being able to access query builders, raw data, or other Metabase features.


How to Update All cPanel Users’ SPF Records in One Go

Introduction
SPF (Sender Policy Framework) records are crucial for email authentication, helping prevent email spoofing and improving deliverability. Manually updating SPF records for each cPanel user can be time-consuming. This guide shows you how to automate this process using a single command.


What You’ll Need

  • Root SSH access to your cPanel server.
  • Basic understanding of terminal commands.

The Command Explained

Use the following command to update SPF records for all non-system cPanel users at once:

for user in $(cut -d: -f1 /etc/passwd | grep -v "nobody\|mysql\|system" | sort); do /usr/local/cpanel/bin/spf_installer $user "include:relay.mailchannels.net,include:smtp.mellow.solutions" 0 1 1; done

Breaking Down the Command

  1. User Selection: cut -d: -f1 /etc/passwd | grep -v "nobody\|mysql\|system" | sort
    • cut -d: -f1 /etc/passwd: Extracts all usernames from the system’s user list.
    • grep -v "nobody\|mysql\|system": Excludes system users (like nobody, mysql, or system) to target only cPanel accounts.
    • sort: Orders the list alphabetically for consistency.
  2. SPF Update Command: /usr/local/cpanel/bin/spf_installer $user "include:relay.mailchannels.net,include:smtp.mellow.solutions" 0 1 1
    • $user: Iterates through each valid cPanel username.
    • "include:relay.mailchannels.net,include:smtp.mellow.solutions": The SPF record to set. Replace these values with your own if needed (e.g., your email service providers).
    • 0 1 1: Flags for the spf_installer script. Refer to the cPanel documentation for their exact meaning, but typically:
      • 0: Do not force overwrite.
      • 1 1: Save and enable the SPF record.

How to Run the Command

  1. SSH into your server as the root user.
  2. Copy and paste the command into the terminal.
  3. Press Enter to execute.

Important Notes & Precautions

  1. Back Up First: Always back up your server’s configuration before making bulk changes.
  2. Verify the SPF Syntax: Ensure the SPF record values (include:relay.mailchannels.net, etc.) are correct and compatible with your email service providers.
  3. Check Record Length: SPF records must not exceed 255 characters. Test the final record using tools like MXToolbox.
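
An added example (not part of the original guide) for notes 2 and 3 above: shell functions that check a published SPF TXT value before or after the bulk run. It goes beyond the length check in this guide by also counting DNS-lookup terms against the RFC 7208 limit of 10 and flagging a pass-all record; the sample records and finding names are constructed.

```shell
#!/bin/sh
# Added example, not from the guide: pre-flight checks on an SPF TXT value.

# Constructed samples (the s1..s9.example.net hosts are placeholders).
SPF_GOOD='v=spf1 +a +mx include:relay.mailchannels.net include:smtp.mellow.solutions ~all'
SPF_OPEN='v=spf1 include:relay.mailchannels.net +all'
SPF_MANY='v=spf1 a mx include:s1.example.net include:s2.example.net include:s3.example.net include:s4.example.net include:s5.example.net include:s6.example.net include:s7.example.net include:s8.example.net include:s9.example.net -all'

# count_spf_lookups RECORD: terms that cost a DNS query when evaluated
# (include, a, mx, ptr, exists, redirect). RFC 7208 allows at most 10.
count_spf_lookups() (
    set -f
    n=0
    for term in $1; do
        term=${term#[-+?~]}    # strip the qualifier, if present
        case $term in
            include:*|exists:*|redirect=*|a|a:*|a/*|mx|mx:*|mx/*|ptr|ptr:*)
                n=$((n + 1)) ;;
        esac
    done
    echo "$n"
)

# check_spf RECORD: print one finding per line; no output means all checks pass.
check_spf() (
    rec=$1
    case $rec in
        'v=spf1 '*) ;;
        *) echo "BAD_VERSION" ;;
    esac
    # 255 characters is the limit this guide states for the record.
    if [ "${#rec}" -gt 255 ]; then echo "TOO_LONG:${#rec}"; fi
    lookups=$(count_spf_lookups "$rec")
    if [ "$lookups" -gt 10 ]; then echo "TOO_MANY_LOOKUPS:$lookups"; fi
    # The record should end in an "all" term unless it hands off via redirect=.
    last=${rec##* }
    case $rec in
        *redirect=*) ;;
        *) [ "${last#[-+?~]}" = "all" ] || echo "NO_FINAL_ALL" ;;
    esac
    # "+all" (or a bare "all") authorises every host on the internet to send.
    case " $rec " in
        *' +all '*|*' all '*) echo "PASS_ALL" ;;
    esac
)

# Demo on the constructed samples.
for r in "$SPF_GOOD" "$SPF_OPEN" "$SPF_MANY"; do
    printf '%s\n' "--- $r"; check_spf "$r"
done
```

To check a live domain, pass the TXT value returned by your DNS lookup tool to check_spf as a single quoted string.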

Post-Execution Steps

  1. Check SPF Records:
    • Log in to WHM > Email Authentication > Manage SPF Records.
    • Verify that the SPF records for all users now include the new entries.
  2. Test Deliverability: Send test emails to confirm no delivery issues arise.

Troubleshooting

  • Command Errors: If the script fails, ensure:
    • The spf_installer tool is installed (common in cPanel versions 11.50+).
    • You’re running the command as root.
  • Existing SPF Entries: The command may overwrite or append to existing records. Review each user’s SPF settings if needed.

Why Automate This?

This method saves hours of manual work, ensuring all accounts comply with your email provider’s requirements in seconds.


Final Note
Automating SPF updates is efficient, but always prioritize accuracy. Mistakes in SPF records can lead to email delivery failures.

Ready to implement? Copy the command, test it on a staging server if possible, and ensure your SPF syntax is validated.



How to Reset root password in Proxmox VE 7

First, boot the system in the rescue kernel. I am assuming your boot partition is separate from the home partition, like in my case. Here is the list of commands I have used:

# mount /dev/md126 /mnt
# mount /dev/md127 /mnt/boot
# mount --bind /dev /mnt/dev
# mount --bind /dev/pts /mnt/dev/pts
# mount --bind /proc /mnt/proc
# mount --bind /sys /mnt/sys
# chroot /mnt
# passwd

Now, make sure to reset the password properly. Once done, exit the chroot, unmount all the partitions and boot in regular mode:

# exit
# umount /mnt/boot
# umount /mnt/sys
# umount /mnt/proc
# umount /mnt/dev/pts
# umount /mnt/dev
# umount /mnt
# reboot

That should be it.

How to Mount qcow2 KVM/Xen/VMware VM Image

Mounting a qcow2 Image as a Network Block Device (NBD)

Virtualization and cloud computing often require the manipulation of disk images. One common format used for these operations is the QCOW2 (QEMU Copy-On-Write version 2) format. This blog post will guide you through the process of mounting a QCOW2 image as a Network Block Device (NBD) to access its contents directly from the host system.

Prerequisites

Before you start, ensure you have the necessary tools installed on your system. The primary tools needed are:

  • modprobe (part of the module-init-tools or kmod package)
  • qemu-nbd (part of the qemu-utils package)
  • fdisk (part of the util-linux package)

Steps to Mount a QCOW2 Image

1. Enable the NBD Module

First, you need to enable the NBD module with support for up to 8 partitions. Execute the following command:

modprobe nbd max_part=8

2. Connect the QCOW2 Image to an NBD Device

Next, use the qemu-nbd tool to connect the QCOW2 image to an NBD device. Replace /vz/vmprivate/v1002/harddisk.hdd with the path to your QCOW2 image:

qemu-nbd --connect=/dev/nbd0 /vz/vmprivate/v1002/harddisk.hdd

3. Detect and Identify the Partitions

After connecting the image, you need to identify the partitions on the NBD device. Use the fdisk tool to list the partitions:

fdisk /dev/nbd0 -l

Note down the partition identifiers (e.g., /dev/nbd0p1).

4. Mount the Partition

With the partition identifier noted, you can now mount the partition to a mount point. Create a mount point if it does not exist:

mkdir -p /mnt
mount /dev/nbd0p1 /mnt

You can now access the contents of the QCOW2 image through the /mnt directory.

Cleanup

After you’re done with your operations, it’s important to clean up the environment to avoid any conflicts or resource leaks.

1. Unmount the Partition

umount /mnt

2. Disconnect the NBD Device

qemu-nbd --disconnect /dev/nbd0

3. Remove the NBD Module

rmmod nbd

Conclusion

Mounting a QCOW2 image as a Network Block Device (NBD) allows you to access its contents directly from the host system, making it a powerful tool for debugging, data recovery, or any situation where direct access to the image is necessary.

By following the steps outlined in this post, you can easily mount, work with, and then safely disconnect and remove the QCOW2 image from your system.


KVM VM Not starting – could not get access to acl tech driver ‘ebiptables’

Issue

KVM VM not starting with the following error when you try to start:

could not get access to acl tech driver 'ebiptables'

libvirt has an nwfilter module. If that module runs into a problem for some reason, the above error appears. To fix this, update the following package using Yum if an update is available, or reinstall it if no update is available:

libvirt-daemon-config-nwfilter

The command would be like the following:

yum update libvirt-daemon-config-nwfilter

That should fix the issue.

Server Error! (Ok) Roundcube Cpanel – Fix

When I tried to load my Roundcube today, I found that it failed to load the inbox and instead threw the following error:

Server Error! (Ok)

Then, I tried searching the cPanel logs and the Roundcube error log but found nothing. Then, I checked the Dovecot log located here:

/var/log/maillog

I found the following:

May  7 13:57:49 network2 dovecot: imap([email protected])<26343><cQG+qxX7MvdneMrv>: Error: Mailbox INBOX: mmap(size=351817308) failed with file /home/mellow/mail/mellowhost.com/shawon/dovecot.index.cache: Cannot allocate memory

This happens because Dovecot caches the mail index in a file; once it tries to cache a lot of emails, it fails with a memory error. In those cases, you may remove the cache file and let Dovecot generate a new cache based on the latest mails. Simply rm the file and Roundcube should load again:

rm -f /home/mellow/mail/mellowhost.com/shawon/dovecot.index.cache

How to see all the constraints in a Postgresql Database

To see/list the constraints, first, connect to the database using the following:

\c my_prod;

Here we are assuming the database name is my_prod. Please note, we are putting these commands in the psql client utility.

Now, use the following query to list all the constraints in the database:

select pgc.conname as constraint_name,
       ccu.table_schema as table_schema,
       ccu.table_name,
       ccu.column_name,
       contype,
        pg_get_constraintdef(pgc.oid)
from pg_constraint pgc
         join pg_namespace nsp on nsp.oid = pgc.connamespace
         join pg_class  cls on pgc.conrelid = cls.oid
         left join information_schema.constraint_column_usage ccu
                   on pgc.conname = ccu.constraint_name
                       and nsp.nspname = ccu.constraint_schema
order by pgc.conname;

Good luck

How to install SSL in Zimbra with Certificate and CA-bundle

There are 3 things you need:

  1. Private key
  2. Certificate
  3. Ca-bundle

First, switch to the user zimbra:

su - zimbra

Let’s assume your files are located here:

Private Key: /tmp/private.key
Certificate: /tmp/your.domain.com.crt
Ca-Bundle: /tmp/your.domain.com.ca-bundle

Now, copy your private key file to the following location:

cp /tmp/private.key /opt/zimbra/ssl/zimbra/commercial/commercial.key

Now, first verify that all 3 things are correct:

/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/your.domain.com.crt /tmp/your.domain.com.ca-bundle

If it says OK, you may deploy the certificate like the following:

/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/your.domain.com.crt /tmp/your.domain.com.ca-bundle

Once done, exit from the zimbra user and restart Zimbra:

exit
service zimbra restart

Your SSL should work now.