Setting Up a Secure Postfix Mail Server with Authentication on AlmaLinux 9

Setting Up a Secure Postfix Mail Server with Authentication on AlmaLinux 9

In this comprehensive guide, we’ll configure a full-featured Postfix email server on AlmaLinux 9 with SASL authentication. This setup allows authenticated users to send emails securely, making it ideal for personal servers or small business environments. We’ll cover installation, configuration, security hardening, and testing.

Why Use Postfix with Authentication?

Postfix is a powerful, open-source mail transfer agent (MTA) known for its security and reliability. Enabling SASL authentication lets users authenticate before sending emails, preventing unauthorized relaying and enhancing control over your mail server.

Prerequisites

  • A AlmaLinux 9 server with root access
  • A registered domain name (replace yourdomain.com with your actual domain)
  • Basic knowledge of Linux command-line operations

1. Install and Initialize Postfix

sudo dnf update -y
sudo dnf install postfix -y

# Enable and start the service
sudo systemctl enable --now postfix
sudo systemctl status postfix

2. Configure Core Postfix Settings

Edit /etc/postfix/main.cf to define server behavior and security parameters:

# Server Identity
myhostname = mail.yourdomain.com
mydomain = yourdomain.com
myorigin = $mydomain

# Network Configuration
inet_interfaces = all # Listen on all interfaces (adjust based on your security requirements)
inet_protocols = all # Enable IPv4/IPv6

# Mail Delivery Rules
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mynetworks =127.0.0.0/8 [::1]/128 # Restrict unauthenticated relaying to localhost

# Mail Storage
home_mailbox = Maildir/ # Use Maildir format for email storage

# SMTP Banner
smtpd_banner = $myhostname ESMTP Postfix

Verify syntax and apply changes:

sudo postfix check
sudo systemctl reload postfix

3. Enable SASL Authentication

Install SASL libraries and configure PAM authentication:

# Install SASL packages
sudo dnf install cyrus-sasl cyrus-sasl-plain -y

# Configure SASL daemon
echo 'MECH=pam' | sudo tee -a /etc/sysconfig/saslauthd
sudo systemctl enable --now saslauthd
sudo systemctl status saslauthd

4. Configure Postfix to Use SASL

Modify /etc/postfix/main.cf to enable authentication and restrict relay access:

# Enable SASL authentication
smtpd_sasl_auth_enable = yes

# Security policies
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes # Enable compatibility with older clients

# Relay control: Allow authenticated users
smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination

Create the SASL configuration file:

sudo mkdir -p /etc/sasl2
echo -e "pwcheck_method: saslauthd\nmech_list: plain login" | sudo tee /etc/sasl2/smtpd.conf
sudo systemctl reload postfix

5. Create User Accounts for Authentication

Add a user account to test authentication:

sudo adduser newuser
sudo passwd newuser

6. Test the Configuration

Install Swaks, a command-line SMTP testing tool:

sudo dnf install epel-release -y
sudo dnf install swaks

# Test authentication and email delivery
swaks \
--server localhost \
--port25 \
--helo smtp.server.com \
--to [email protected] \
--from [email protected] \
--auth LOGIN \
--auth-user newuser \
--auth-password 'your_secure_password' \
--tls \
--body "Subject: Test Email via Swaks\n\nThis is a test message."

Critical Security Considerations

  • Restrict mynetworks: Only allow trusted networks to bypass authentication.

Tags: `Postfix, AlmaLinux9, SASL Authentication, Email Server, Linux Configuration, Cyrus SASL, SMTP Authentication, Systemd Services, Mail Server Setup, Email Security, Swaks Testing Tool, Linux Command Line, Maildir, EPEL Repository, PAM Authentication, Postfix Configuration, User Management, Network Security, SMTP Relay, Installation Guide, Configuration Guide, Linux System Administration, Open Source Tools, Security Best Practices`

How to Reset root password in Proxmox VE 7

First, boot the system in the rescue kernel. I am assuming your boot partition is separated then the home partition, like in my case. Here are the list of commands I have used:

# mount /dev/md126 /mnt
# mount /dev/md127 /mnt/boot
# mount --bind /dev /mnt/dev
# mount --bind /dev/pts /mnt/dev/pts
# mount --bind /proc /mnt/proc
# mount --bind /sys /mnt/sys
# chroot /mnt
# passwd

Now, make sure to reset the password properly. Once done. Umount all the partition and boot in regular mode:

# umount /mnt/boot
# umount /mnt/sys
# umount /mnt/proc
# umount /mnt/dev/pts
# umount /mnt/dev
# umount /mnt
# reboot

It should be it.

How to mount raw (.img) images in Linux

You may have raw images in your system coming from some bare metal VM, like KVM/Vmware. You may mount them directly to the host machine without attaching them to a VM. To do so, you need two things:

  1. Partition to mount
  2. Sector size of the partition and the first position of the partition.

Both of these, can be derived using a command called fdisk with attribute l as the following:

[root@vps5 vpsextra]# fdisk -l mhdevelopment.img

Disk mhdevelopment.img: 268.4 GB, 268435456000 bytes, 524288000 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0x000f1752

            Device Boot      Start         End      Blocks   Id  System
mhdevelopment.img1            2048   523241471   261619712   83  Linux
mhdevelopment.img2       523241472   524287999      523264   82  Linux swap / Solaris
You have new mail in /var/spool/mail/root
[root@vps5 vpsextra]#

Here, we are trying to mount an old image of mine, called ‘mhdevelopment.img. I would like to mount the partition that is not swap, which is namely ‘mhdevelopment.img2’ here. This partition starts from 2048 and the sector size is 512 bytes.

So to mount the partition, you can now use the following command:

sudo mount -o loop,offset=$((2048 * 512)) mhdevelopment.img /mnt

This will mount the the partition mhdevelopment.img1 to /mnt. If you want to change the mount destination, you may do this at the end in replace of /mnt to wherever you want this to be.

Happy shooting.

The GPG keys listed for the “MySQL 5.7 Community Server” repository are already installed but they are not correct for this package.

When you try to run yum update, you see an error like the following:

The GPG keys listed for the "MySQL 5.7 Community Server" repository are already installed but they are not correct for this package.

This is coming because the GPG key for Mysql 5.7 community repo has changed. To update the GPG key, you may run the following:

rpm --import https://repo.mysql.com/RPM-GPG-KEY-mysql-2022

This shall resolves the issue for you. Good luck.

How to Set Default Route Interface when there are multiple Interfaces in CentOS

Consider the following situation, you have two interfaces in your system, eth0, and eth1 (or more). Both the interfaces have a default gateway. But how can you choose which interface to follow as the default outbound requests by the server? This could be a situation like adding secondary alias IP addresses to an interface (Like eth0, eth0:0, eth0:1, eth0:2, etc).

In these cases, Linux can decide based on its own algorithm. The problem with this is in the case of Licensing. In most licensing systems these days, you need to provide an outbound IP address to your server. If this IP changes over time, you would have trouble managing the license. For these cases, you need to define your default interface to Linux.

You may set this configuration under /etc/sysconfig/network file. The ‘key’ for the settings is ‘GATEWAYDEV’.

So for example if your gatewaydev would be eth0:1, the file would look like something following:

NETWORKING=yes
HOSTNAME=hemonto.ethii.com
DOMAINNAME=ethii.com
GATEWAYDEV=eth0:1

or if it is eth1, the following:

NETWORKING=yes
HOSTNAME=hemonto.ethii.com
DOMAINNAME=ethii.com
GATEWAYDEV=eth1

I Hope, this helps somebody. Good luck

How to create Software RAID 1 on Fresh NVMe Drives in CentOS/RHEL

Let’s say, you just installed two NVMe drives. That means, you currently have the following devices on your system:

/dev/nvme0n1
/dev/nvme0n2

Now, to use Raid 1 on these devices, you need to first partition them. If your devices are less than 2TB, you can use label msdos with fdisk. But I prefer gpt with parted. I will partition the disks using parted.

Open the disk nvme0n1 using parted

parted /dev/nvme0n1

Now, set the label to gpt

mklabel gpt

Now, create the primary partition

mkpart primary 0TB 1.9TB

Assuming 1.9TB is the size of your drive.

Run the above process for nvme1n1 as well. This will create one partition on each device which would be like the following:

/dev/nvme0n1p1
/dev/nvme1n1p1

Now, you may create the raid, using mdadm command as follows:

mdadm --create /dev/md201 --level=mirror --raid-devices=2 /dev/nvme0n1p1 /dev/nvme1n1p1

If you see, mdadm command not found, then you can install mdadm using the following:

yum install mdadm -y

Once done, you may now see your raid using the following command:

[root@bd3 ~]# cat /proc/mdstat
Personalities : [raid1]
md301 : active raid1 sdd1[1] sdc1[0]
      976628736 blocks super 1.2 [2/2] [UU]
      bitmap: 0/8 pages [0KB], 65536KB chunk

md201 : active raid1 nvme1n1p1[1] nvme0n1p1[0]
      1875240960 blocks super 1.2 [2/2] [UU]
      bitmap: 2/14 pages [8KB], 65536KB chunk

md124 : active raid1 sda5[0] sdb5[1]
      1843209216 blocks super 1.2 [2/2] [UU]
      bitmap: 4/14 pages [16KB], 65536KB chunk

md125 : active raid1 sda2[0] sdb2[1]
      4193280 blocks super 1.2 [2/2] [UU]

md126 : active raid1 sdb3[1] sda3[0]
      1047552 blocks super 1.2 [2/2] [UU]
      bitmap: 0/1 pages [0KB], 65536KB chunk

md127 : active raid1 sda1[0] sdb1[1]
      104856576 blocks super 1.2 [2/2] [UU]
      bitmap: 1/1 pages [4KB], 65536KB chunk

unused devices: <none>

Here are a few key pieces of information about software raid:

  1. It is better not to use Raid 10 with software raid. In case the raid configuration is lost, it is hard to know which drives were set as stripe and which like a mirror by the mdadm. It is a better practice to use raid 1 as a rule of thumb with software raid.
  2. Raid 1 in mdadm doubles the read request in parallel. In raid 1, one request reads from one device, while the other request in parallel would read from the next device. This gives double read throughput when there is a parallel thread running. It still suffers from the write cost for writing data in two devices.

Unable to connect to any wifi with NetworkManager due to error: Secrets were required, but not provided

I was trying to connect to wifi from a CentOS 7 minimal installation using the following article:

But I started seeing the following error:

Unable to connect to any wifi with NetworkManager due to error: Secrets were required, but not provided

The reason the above error is showing is that NetworkManager is trying to reuse an existing connection, which shouldn’t happen. You need to delete the connection first.

nmcli con delete <SSID>

Now, you can connect with the following:

nmcli dev wifi connect <SSID> password <password>

Apache detected an error in the Rewrite config. httpd_ls_bak: Syntax error in -C/-c directive: Include/IncludeOptional: Could not open directory /usr/local/apache/conf.modules.d: No such file or directory Please try again. – Cpanel Error

You might see the following set of errors with Cpanel

When trying to remove the redirect from Cpanel

Apache detected an error in the Rewrite config. <pre>httpd_ls_bak: Syntax error in -C/-c directive: Include/IncludeOptional: Could not open directory /usr/local/apache/conf.modules.d: No such file or directory </pre> Please try again.

/scripts/rebuildhttpdconf generates an error like the following:

httpd: Syntax error in -C/-c directive: Include/IncludeOptional: Could not open directory /usr/local/apache/conf.modules.d: No such file or directory

Resolution

Previously, we reinstalled apache24 to solve the issue like the following:

yum reinstall ea-apache24

Although you may also reinstall the apache config runtime extension, that shall fix the issue as well.

rpm -e --nodeps --justdb ea-apache24-config-runtime.noarch
yum install ea-apache24-config-runtime.noarch

Now you may rebuild the httpd conf or remove the redirect from cpanel without any problem.

Unable to register authentication agent: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: Cannot determine user of subject – Cyberpanel – CentOS 7

Error details:

After installing cyberpanel, you see the below error from shell when running any command:

** (pkttyagent:8559): WARNING **: 02:28:34.621: Unable to register authentication agent: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: Cannot determine user of subject
Error registering authentication agent: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: Cannot determine user of subject (polkit-error-quark, 0)

Resolution:

The error is appearing because cybepranel adds the following line in your fstab:

proc    /proc        proc        defaults,hidepid=2    0 0

This is hiding the /proc from your shell that uses polkit. To fix this, keeping the above mount rule, you need to add a group for polkitd user and assign that group to to access /proc. You may do this using the following:

groupadd nohideproc
usermod -a -G nohideproc polkitd
mount -o remount,rw,hidepid=2,gid=nohideproc /proc
systemctl restart polkit
systemctl restart polkit (do this twice)

Once done, you may edit your fstab, and comment the old line, add the following line:

# Edit your fstab:
nano /etc/fstab

# comment the following line :
from : proc    /proc        proc        defaults,hidepid=2    0 0
to : # proc    /proc        proc        defaults,hidepid=2    0 0

# add the following line
proc /proc proc defaults,hidepid=2,gid=nohidproc 0 0

Good luck.

How to measure the sequential write/read speed of a Hard Disk or SSD?

Question: How to measure the sequential write speed of a hard disk or SSD?

Answer

We may use two ways. The most popular one is to use dd tools. For hard disks, we may not avoid using cache to measure the disk performance. As sequential writes can write the data to the cache, which is basically a DRAM and can perform excessively fast masking the original speed of the HDD. Let’s check how can we measure the HDD speed using dd bypassing HDD write cache:

dd if=/dev/zero of=/hddvz/testfile.img bs=1G count=1 oflag=direct

/hddvz is my HDD mount, oflag=direct instruct the dd to confirm writes to the disk, not just the cache before saying the write is completed.

If it’s a good quality hard disk alone or soft raid 1, you can get speed up to 157-161MBps:

[root@bd3 ~]# dd if=/dev/zero of=/hddvz/testfile.img bs=1G count=1 oflag=direct
1+0 records in
1+0 records out
1073741824 bytes (1.1 GB) copied, 6.82675 s, 157 MB/s
[root@bd3 ~]#

With a good hardware raid controller and raid 10, you may be able to reach rates like 320MBps.

There is something to remember, software raid mdadm is able to read simultaneously from two disks. You may have the evidence, with two dd one by one, both in background as following:

[root@bd3 ~]# dd if=/dev/zero of=/hddvz/testfile.img bs=1G count=1 oflag=direct &
[1] 12039
[root@bd3 ~]# dd if=/dev/zero of=/hddvz/testfile1.img bs=1G count=1 oflag=direct &
[2] 12040
[root@bd3 ~]# 1+0 records in
1+0 records out
1073741824 bytes (1.1 GB) copied, 11.1064 s, 96.7 MB/s
1+0 records in
1+0 records out
1073741824 bytes (1.1 GB) copied, 10.7155 s, 100 MB/s

[1]-  Done                    dd if=/dev/zero of=/hddvz/testfile.img bs=1G count=1 oflag=direct
[2]+  Done                    dd if=/dev/zero of=/hddvz/testfile1.img bs=1G count=1 oflag=direct

As you can see, both the request was able to reach 100MBps roughly while running in parallel.

Testing Read Speed Using hdparm

To check the read speed, you may use hdparm like the following:

[root@bd3 ~]# hdparm -Tt /dev/sda

/dev/sda:
 Timing cached reads:   40444 MB in  1.99 seconds = 20365.12 MB/sec
 Timing buffered disk reads: 396 MB in  3.06 seconds = 129.43 MB/sec
[root@bd3 ~]# hdparm -Tt /dev/sdb

/dev/sdb:
 Timing cached reads:   41006 MB in  1.99 seconds = 20649.43 MB/sec
 Timing buffered disk reads: 562 MB in  3.01 seconds = 186.81 MB/sec
[root@bd3 ~]#