Re: [CentOS] Microsoft deprecation of basic authentication centos 7

2022-10-14 Thread Alexander Dalloz

On 14.10.2022 at 18:31, Jerry Geis wrote:

Hi All

I have a server out there running centos 7.
I installed fetchmail to monitor an email inbox - has worked for years.
Microsoft deprecated basic authentication so fetchmail is not working any
more.


[ ... ]


Thanks!

Jerry


Use getmail instead.

A quick search brought up

https://www3.isi.edu/~johnh/OTHER/LINUX/OAUTH2/index.html

Alexander

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] New Server and noticing these maillog postfix entries: What to do about them?

2021-11-21 Thread Alexander Dalloz

On 21.11.2021 at 22:36, Jay Hart wrote:

[ ... ]


[root@dream spamassassin]# postconf -n |grep milter
milter_default_action = accept
milter_protocol = 6
non_smtpd_milters = $smtpd_milters
smtpd_milters = unix:/run/spamass-milter/spamass-milter.sock


Ok. I expect you have specified the spamass-milter by purpose.


[root@dream spamassassin]# ls -al /var/run/spamass-milter/spamass-milter.sock
srwxr-xr-x. 1 sa-milt sa-milt 0 Nov 20 23:28 /var/run/spamass-milter/spamass-milter.sock

Two things:
1. should the 'smtpd_milters' path be /var/run... vice unix:/run...


You know that there are unix sockets and tcp sockets? "unix:/path" just 
declares a unix type socket within the main.cf.



2. I just noticed I have two spamass-milter sockets running:

[root@dream spamass-milter]# ls -al /var/run/spamass-milter/spamass-milter.sock
srwxr-xr-x. 1 sa-milt sa-milt 0 Nov 20 23:28 /var/run/spamass-milter/spamass-milter.sock

[root@dream spamass-milter]# ls -al /run/spamass-milter/spamass-milter.sock
srwxr-xr-x. 1 sa-milt sa-milt 0 Nov 20 23:28 /run/spamass-milter/spamass-milter.sock


It shouldn't be new to you that /var/run is a symlink to /run. So you 
don't have to distinguish sockets.


You haven't checked the whole path permissions up to the socket.

namei -lv /run/spamass-milter/spamass-milter.sock

Postfix must be able to reach the unix socket file. One way to achieve 
that is putting the postfix user in the sa-milt group.
Or configure the spamass milter to provide a tcp socket and attach to 
that one within Postfix. Thus you would not have to care for path and 
file permissions.



[root@dream share]# ss -l |grep spam
u_str LISTEN 0  128  /run/spamass-milter/spamass-milter.sock 185043

[root@dream share]# ss -pl |grep spam
u_str LISTEN 0  128  /run/spamass-milter/spamass-milter.sock 185043 * 0 users:(("spamass-milter",pid=16657,fd=4))
u_dgr UNCONN 0  0  * 198745 * 14567 users:(("spamd child",pid=17925,fd=4),("spamd child",pid=17924,fd=4),("spamd",pid=17891,fd=4))
u_dgr UNCONN 0  0  * 185042 * 14567 users:(("spamass-milter",pid=16657,fd=3))
tcp   LISTEN 0  128  127.0.0.1:783  0.0.0.0:* users:(("spamd child",pid=17925,fd=6),("spamd child",pid=17924,fd=6),("spamd",pid=17891,fd=6))
tcp   LISTEN 0  128  [::1]:783 [::]:* users:(("spamd child",pid=17925,fd=5),("spamd child",pid=17924,fd=5),("spamd",pid=17891,fd=5))

Been hunting around in the configs trying to determine why I got two processes 
running...Still looking into this.

Thanks,

Jay


Alexander




Re: [CentOS] New Server and noticing these maillog postfix entries: What to do about them?

2021-11-21 Thread Alexander Dalloz

On 21.11.2021 at 19:54, Jay Hart wrote:

I just stood up a new server running C8 stream, postfix, SA, etc.

I keep seeing these log entries in maillog and wonder what to do about them.
I have not been able to find any research documents detailing if this is a
problem nor how to prevent. Any documentation I have seen via web searches
talks about configuration issues with spamass-milter. This to me looks like
hackers. I get the same four lines over and over again from different IP
addresses and the pid/socket/id number (26579 in this instance) are always
linked. The number is different for each query/probe.


The issue has nothing to do with what you call "hackers". The cause is a
misconfiguration on your side: take the error message literally. You have
Postfix configured to make use of the spamass milter, every time another
system connects to the smtp daemon.



Nov 21 11:56:57 dream postfix/smtpd[26579]: connect from unknown[141.98.10.140]
Nov 21 11:56:57 dream postfix/smtpd[26579]: warning: connect to Milter service unix:/run/spamass-milter/spamass-milter.sock: Permission denied
Nov 21 11:56:57 dream postfix/smtpd[26579]: discarding EHLO keywords: CHUNKING
Nov 21 11:56:57 dream postfix/smtpd[26579]: disconnect from unknown[141.98.10.140] ehlo=1 auth=0/1 quit=1 commands=2/3

What can I try to do to eliminate this?  Other than taking up resources I'm not 
seeing anything else in the logs to show a problem.
Should I be concerned?

Research has now shown that Redhat/Centos may have changed the default postfix 
setting.  I do see the following parameter set:
smtpd_discard_ehlo_keywords = chunking


You are totally on the wrong track.


Sounds like I need to add/set this as 'silent-discard' pseudo keyword to 
prevent this action from being logged.


Wrong.


Thanks in advance on your help and advice!


Run "postconf -n" and see where you have defined the spamass milter.
Check whether the spamass milter is really running and that the socket 
is available under /run/spamass-milter/spamass-milter.sock. Given it is 
because the milter runs and has created its socket under that path,
check the permissions (unix permissions and SELinux context) of the 
socket and the full path.

Once the root cause is fixed your Postfix will work again as configured.


Jay


Alexander
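
The path and socket permission check recommended in this reply and in the `namei -lv` follow-up in this thread, as an added Python example that is not part of the thread. It evaluates plain mode bits only (no ACLs, no SELinux) for a non-root user, relies on the Linux rule that connect() to a pathname socket needs write permission on the socket and search permission on every directory above it, and uses a constructed socket under a temporary directory; the function names and the `base` parameter are this example's own.

```python
import os
import socket
import stat
import tempfile
from pathlib import Path


def perm_bits(st, uid, gids):
    """Return the rwx triplet (0-7) that applies to uid/gids on this inode."""
    mode = stat.S_IMODE(st.st_mode)
    if uid == st.st_uid:
        return (mode >> 6) & 0o7
    if st.st_gid in gids:
        return (mode >> 3) & 0o7
    return mode & 0o7


def socket_access_problems(sock_path, uid, gids, base="/"):
    """List what stops a non-root uid/gids from connect()ing to sock_path.

    Directories strictly below `base` are checked for search (x) permission,
    the socket itself for write (w) permission. An empty list means the
    mode bits allow the connection.
    """
    sock = Path(sock_path)
    base = Path(base)
    problems = []
    for directory in list(sock.parents)[::-1]:      # top-down, like namei -l
        if base not in directory.parents:
            continue                                # at or above `base`
        if not perm_bits(os.stat(directory), uid, gids) & 0o1:
            problems.append(f"{directory}: no search (x) permission")
    st = os.stat(sock)
    if not stat.S_ISSOCK(st.st_mode):
        problems.append(f"{sock}: not a socket")
    elif not perm_bits(st, uid, gids) & 0o2:
        problems.append(f"{sock}: no write (w) permission")
    return problems


def make_demo_socket(base, dir_mode, sock_mode):
    """Constructed sample: base/spamass-milter/spamass-milter.sock."""
    directory = Path(base) / "spamass-milter"
    directory.mkdir(exist_ok=True)
    path = directory / "spamass-milter.sock"
    if not path.exists():
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
            s.bind(str(path))                       # creates the socket inode
    os.chmod(directory, dir_mode)
    os.chmod(path, sock_mode)
    return path


if __name__ == "__main__":
    base = tempfile.mkdtemp()
    # 0o755 on the socket is the srwxr-xr-x mode shown in the thread;
    # the directory modes are assumptions, the thread does not show them.
    path = make_demo_socket(base, 0o755, 0o755)
    st = os.stat(path)
    client_uid = st.st_uid + 1000   # hypothetical uid standing in for postfix
    cases = [
        ("not in socket group, socket 0755", 0o755, 0o755, set()),
        ("in socket group, socket 0755", 0o755, 0o755, {st.st_gid}),
        ("in socket group, dir 0750, socket 0770", 0o750, 0o770, {st.st_gid}),
    ]
    for label, dir_mode, sock_mode, gids in cases:
        make_demo_socket(base, dir_mode, sock_mode)
        found = socket_access_problems(path, client_uid, gids, base)
        print(label, "->", found or "reachable")
```

On a real host, call `socket_access_problems` with the socket path from `postconf -n` and the uid and group ids of the postfix user; SELinux denials still have to be checked separately in the audit log.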




Re: [CentOS] Postfix and virtual mail boxes.

2021-10-07 Thread Alexander Dalloz

On 07.10.2021 at 15:06, Gionatan Danti wrote:

On 2021-10-07 12:40, Rob Kampen wrote:

mydestination = localhost localhost.localdomain
mydomain = example.org
myhostname = mx.example.org
mynetworks = 127.0.0.0/8, [::1]/128


Not that I expect it to be the cause, but you need a comma between
"localhost" and "localhost.localdomain" in mydestination.


That's simply wrong!

http://www.postfix.org/postconf.5.html#mydestination

"Specify a list of host or domain names, "/file/name" or "type:table" 
patterns, separated by commas and/or whitespace."



I had originally only used "postconf -n" as it is MUCH smaller than
postconf , however it still shows no material differences.


Yeah, it seems the configs are very similar (with the exception of
virtual_alias_maps, which you explained).

Regards.


Alexander




Re: [CentOS] pam_mysql

2021-05-16 Thread Alexander Dalloz

On 16.05.2021 at 16:42, Emmett Culley via CentOS wrote:

I am attempting to create a multiple domain email server using postfix
and cyrus-imap on CentOS Stream 8.  It will include a web back end
similar to cyradm.


Now I am stuck on mysql or mariadb support for pam.  I am not able to 
find a pam_mysql rpm that will install on CentOS 8.


[ ... ]

cyrus-sasl provides the sql auxprop mechanism, which I would prefer over 
pam_mysql.


https://blog.sys4.de/cyrus-sasl-sql-man-page-en.html

Regards,
Alexander



Re: [CentOS] Apache shows PHP code instead of executing it

2021-01-06 Thread Alexander Dalloz

On 06.01.2021 at 19:10, Kaushal Shriyan wrote:

On Wed, Jan 6, 2021 at 9:48 PM Christopher Wensink <
cwens...@five-star-plastics.com> wrote:


Does the file have execute permissions, what is the file's permissions
and is it owned by the user running apache?

Chris


Hi Chris,

I have added the below in /etc/httpd/conf/httpd.conf. The issue still
persists.


SetHandler application/x-httpd-php


#apachectl -M | grep -i PHP does not return anything


Configure php-fpm.

https://www.stephenrlang.com/2018/02/centos-7-apache-2-4-with-php-fpm/

might help to find the right path to do so.

Alexander



Re: [CentOS] Iptables rules not working

2020-07-16 Thread Alexander Dalloz

On 16.07.2020 at 17:48, Kaushal Shriyan wrote:

Hi,

I am running CentOS Linux release 8.2.2004 (Core) on a remote server. I am
running the below iptables command to allow SSH port 22 from a specific
source IP 219.91.200.59

iptables -A INPUT -m tcp -p tcp -s 219.91.200.59 --dport 22 -j ACCEPT

service iptables save



The above iptables ruleset is not working and I am still able to connect
from the internet to SSH port 22. I look forward to hearing from you and
thanks in advance.

Best Regards,

Kaushal


Please consult the documentation to understand how to use the firewall 
on CentOS 8:


https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/securing_networks/index#using-and-configuring-firewalld_securing-networks

In short: you are doing it wrong in multiple dimensions.

Alexander



Re: [CentOS] disk on vm with kvm

2020-07-03 Thread Alexander Dalloz

On 03.07.2020 at 18:54, Rick Gutierrez wrote:

hi list, i am trying to change the input and output scheduler on my
disks, and it does not allow me ,
I have several virtualized vm over kvm, and when I try to make the
change it shows me this message:

echo "noop" > /sys/block/vda/queue/scheduler

-bash: echo: write error: Invalid argument

kernel version:

3.10.0-1127.13.1.el7.x86_64

any idea?


I would guess that the scheduler "noop" isn't available, thus that 
specific error message.


On my physical Server CentOS 7 with latest kernel:

# cat /sys/block/nvme0n1/queue/scheduler
[none] mq-deadline kyber

The KVM VM on that host, also CentOS 7 with latest kernel:

# cat /sys/block/vda/queue/scheduler
[mq-deadline] kyber none


Alexander





Re: [CentOS] php 5.6 on CentOS 6

2020-06-21 Thread Alexander Dalloz

On 21.06.2020 at 20:30, H wrote:

I am in the process of moving various apps and data off a CentOS 6 server to a 
new server running CentOS 7. As part of the migration process I need to upgrade 
an app and corresponding data files which requires php 5.6. I do have php 5.5 
(and 5.4) installed since earlier but now tried to install php 5.6 from SCL 
which failed.

This is the package I tried:

https://www.softwarecollections.org/en/scls/rhscl/rh-php56/

but the error message is that there is no package 5.6. Is this correct and what 
would the recommended procedure then be since I do need 5.6 for this. Use 
Remi's collection or something else? I was hoping SCL would have it since it is 
well-tried and easy to sandbox on the computer.

Thank you.

H


PHP 5.6 is EOL. https://www.php.net/supported-versions.php

Why would a project like SCL spend any effort on patching that old PHP
release? Everyone using PHP is happy to get a current release. If your 
application insists on using 5.6 then move on and look for a different 
application.


Alexander






Re: [CentOS] About support for AMD ROME CPUs

2020-06-21 Thread Alexander Dalloz

On 21.06.2020 at 17:35, 肖正刚 wrote:

Hi, all

We use AMD Rome CPUs, like EPYC 7452.
RHEL said that RHEL 7.6.6 began to support these CPUs (details:
https://access.redhat.com/support/policy/amd),
but we found that CentOS7.6 with kernel 3.10.0-957.21.3.el7.x86_64 also
works fine.
So, my questions are:
1) Is there any place that I can find the CPU support info?
2) Does the kernel 3.10.0-957.21.3.el7.x86_64 from CentOS7.6 already
contain changes made by kernel 3.10.0-957.27.2.el7 from RHEL7.6?
3) Does the kernel update have a release note or something like that, and
where to find it?

Any suggestions will help !
Thanks


Why do you care for an obsoleted minor release?

Alexander




Re: [CentOS] Installing owncloud on CentOS 7 server

2020-06-19 Thread Alexander Dalloz

On 19.06.2020 at 20:08, H wrote:

For external access? I have some other webapps installed in /var/www, ie at the 
same level as html, and then multiple websites under /var/www/html so I would 
like to stick with that tree.


I don't understand that question. Yes, for web service offerings under 
your domain to the public.


You can do what you want. But if you install through the package manager 
keep the packages healthy. There is no need to move the content around. 
You should be familiar with "DocumentRoot" and "Alias" instructions for
Apache. Nginx can serve from there as well.


SELinux should know too.

# semanage fcontext -l | grep /usr/share | grep httpd

Alexander



Re: [CentOS] Installing owncloud on CentOS 7 server

2020-06-19 Thread Alexander Dalloz

On 19.06.2020 at 17:28, H wrote:



Thank you, it installed to /usr/share, not what I expected. I may go with 
nextcloud instead, though.



What's wrong with /usr/share/? It is a valid path and used by many web 
applications provided with or for EL systems.


Alexander




Re: [CentOS] Installing owncloud on CentOS 7 server

2020-06-19 Thread Alexander Dalloz

On 19.06.2020 at 01:08, H wrote:

I am transitioning an owncloud installation from a C6 server to a new C7 server
and used yum install owncloud to install it on the C7 server. I expected 
/var/www/owncloud to be generated but alas not. Quick Googling just showed 
examples of installing from the latest owncloud repository but not using yum.

Have I missed something obvious when using yum to install?


rpm -qlv 

shows you what you have installed into which locations on the system. 
Would have answered your question without googling from random resources.


Alexander




Re: [CentOS] Can't access Squirrelmail on Centos 8

2020-06-18 Thread Alexander Dalloz

On 18.06.2020 at 23:44, Jay Hart wrote:

I turned on

httpd_can_network_connect --> on
httpd_can_sendmail --> on

I restarted httpd.


Log file:
[Thu Jun 18 17:08:31.160897 2020] [authz_core:error] [pid 10427:tid 140567258310400] [client 10.20.30.61:34096] AH01630: client denied by server configuration: /usr/share/squirrelmail/src/login.php


Jay,

the SELinux booleans are not the reason for your issue. See the error 
message, it should give you a clue: the authz_core element is spitting 
that out, that's a part of apache itself.


https://cwiki.apache.org/confluence/display/HTTPD/ClientDeniedByServerConfiguration

If you google search for "AH01630: client denied by server 
configuration:" you will get a confirmation what that error means and 
for what to look at in your apache configuration.


Alexander



Re: [CentOS] Can't access Squirrelmail on Centos 8

2020-06-18 Thread Alexander Dalloz

On 18.06.2020 at 23:18, Jay Hart wrote:

On 18.06.2020 at 22:37, Jay Hart wrote:

On Thu, 18 Jun 2020 16:11:01 -0400
Jay Hart wrote:


Any suggestions

selinux issue?

I turned the firewall off and tried to access /webmail and the configtest file, 
Turning off the firewall resulted in same issue.


Frank was hinting to SELinux preventing access. A valid guess,
especially as you have installed the webapp in a very uncommon path
where default SELinux does know nothing about. So check the audit.log
for AVC or use ausearch.

And of course check the webserver's logfile. Always the logs! They have
the necessary information you need to debug your situation.

Alexander


I enabled both those options. tried to access again, same issue.


Sorry, which 2 options did you enable?


Log file:
[Thu Jun 18 17:08:31.160897 2020] [authz_core:error] [pid 10427:tid 140567258310400] [client 10.20.30.61:34096] AH01630: client denied by server configuration: /usr/share/squirrelmail/src/login.php


So here you get the information about what needs to be corrected. Please 
look closely at your apache configuration as you are forbidding access 
by your active settings.



After changing those options, do I need to restart service[s], or reboot?


As much as you have setup your webmail in a config file like 
16-squirrelmail.conf you will of course have to restart or reload the 
service. A reboot is never needed for such kind of change.


Alexander



Re: [CentOS] Can't access Squirrelmail on Centos 8

2020-06-18 Thread Alexander Dalloz

On 18.06.2020 at 22:37, Jay Hart wrote:

On Thu, 18 Jun 2020 16:11:01 -0400
Jay Hart wrote:


Any suggestions

selinux issue?

I turned the firewall off and tried to access /webmail and the configtest file, 
Turning off the firewall resulted in same issue.


Frank was hinting to SELinux preventing access. A valid guess, 
especially as you have installed the webapp in a very uncommon path 
where default SELinux does know nothing about. So check the audit.log 
for AVC or use ausearch.


And of course check the webserver's logfile. Always the logs! They have
the necessary information you need to debug your situation.


Alexander





Re: [CentOS] Postfix restrictions

2020-06-07 Thread Alexander Dalloz

On 07.06.2020 at 11:46, Nicolas Kovacs wrote:

Hi,

I'm currently fine-tuning my mail server (Postfix and Dovecot on CentOS 7).

SPF, DKIM and DMARC work fine, now I'd like to limit the spam tsunami.

Besides the official Postfix documentation, I've read a few articles about
Postfix spam restrictions, namely these :

https://www.linuxbabe.com/mail-server/block-email-spam-postfix

https://wiki.centos.org/HowTos/postfix_restrictions

After some experimenting, here's what I currently have on my test server:

--8<- /etc/postfix/main.cf -
...
smtpd_helo_required = yes
smtpd_helo_restrictions =
   permit_mynetworks,
   permit_sasl_authenticated,
   check_helo_access hash:/etc/postfix/helo_access
   reject_invalid_helo_hostname,
   reject_non_fqdn_helo_hostname,
   reject_unknown_helo_hostname
smtpd_sender_restrictions =
   permit_mynetworks,
   permit_sasl_authenticated,
   check_sender_access hash:/etc/postfix/sender_access,
   reject_unknown_sender_domain,
   reject_unknown_reverse_client_hostname,
   reject_unknown_client_hostname
smtpd_recipient_restrictions =
   permit_mynetworks,
   permit_sasl_authenticated,
   check_client_access hash:/etc/postfix/rbl_override,
   reject_rhsbl_helo dbl.spamhaus.org,
   reject_rhsbl_reverse_client dbl.spamhaus.org,
   reject_rhsbl_sender dbl.spamhaus.org,
   reject_rbl_client zen.spamhaus.org
--8<

Before committing this configuration to my main server, I thought I'd share
this configuration on the list. Maybe the Postfix gurus among you have the odd
comment to make.

My aim is simply to eliminate as much spam as possible (that is, before adding
SpamAssassin) while keeping false positives to a minimum.

Any suggestions ?

Niki



Hi,

a few points:

- don't split up the smtpd_*_restrictions as shown above. It is simpler 
to maintain by keeping everything under smtpd_recipient_restrictions.


- use postscreen, it is a Postfix feature. That way relocate the RBL and 
RHSBL calls to postscreen in a weighted approach


- don't offer SMTP AUTH on smtp port 25. Offer submission (port 587) or 
submissions (465) or both for your known clients. That way you can much 
better control what's allowed on port 25.


- reject_non_fqdn_helo_hostname could lead to reject valid mail, use 
warn_if_reject for some time to check if that would be relevant for you.


- don't make use of permit_mynetworks, control relaying by use of SMTP AUTH.

Alexander


Re: [CentOS] Bridge network for virt-manager

2020-06-02 Thread Alexander Dalloz

On 02.06.2020 at 12:38, Jerry Geis wrote:

Hello. I desire to get bridge network working using virt-manager.
Centos 7 and centos 7 guest.

 From researching I think I need to have a ifcfg-br0 file like this ?

cat ifcfg-br0
DEVICE=nm-bridge0
STP=no
TYPE=Bridge
BOOTPROTO=none
IPADDR=192.168.1.8
PREFIX=32
GATEWAY=192.168.1.1
IPV6INIT=no
NAME=br0
ONBOOT=yes
DELAY=0

Is that for sure needed ? The use that nm-bridge0 as the network name?

I dont want to mess up my current setup.
Thanks,

Jerry


Use the virt-manager to create the desired bridge. It will end under 
/etc/libvirt/qemu/networks/. And there probably exists already a


# cat /etc/libvirt/qemu/networks/default.xml



  default
  79d01cb2-28a4-4bdc-8b68-80ac588b2d61
  
  
  
  

  

  


Alexander



Re: [CentOS] user names

2020-06-01 Thread Alexander Dalloz

On 01.06.2020 at 19:44, Jerry Geis wrote:

I am looking for a way for sendmail to ALLOW auth by IP and not user name
(its a closed network) or even SKIP invalid auth ?
Is that even possible ?


It is possible to configure Sendmail to relay based on client 
connection. The doc will tell you how.


https://www.sendmail.org/~ca/email/doc8.12/cf/m4/anti_spam.html#access_db

If your Sendmail setup demands AUTH, then it will not skip in case of 
false credentials.


Whatever backend you configure cyrus-sasl to use for validating the SMTP 
AUTH credentials, it is possible to use other values than a user name.



Jerry


Alexander



Re: [CentOS] INITRD_MODULES

2020-04-29 Thread Alexander Dalloz

On 29.04.2020 at 22:07, Jerry Geis wrote:

Sure - I'm game. I didn't know to run dracut directly I guess (never done
it).
What is the command for that on CentOS 7.
dracut 

Jerry



man dracut

Alexander


Re: [CentOS] INITRD_MODULES

2020-04-29 Thread Alexander Dalloz

On 29.04.2020 at 21:48, Jerry Geis wrote:

I am trying to take a CentOS 7 img and get hyperv to boot.

First step.
qemu-img convert "CentOS7.img" -O vhdx -o subformat=dynamic "CentOS7.vhdx"

after adding new hyper-v I get dracut-timeout...
So doing some searching it says add hv_vmbus hv_netvsc hv_storvsc to
INITRD_MODULES.

which doesnt really exist any more in CentOS 7.

I did find /etc/dracut.conf and add_drivers...
I uncommented the line for '#add_drivers += "" ' added the above modules
and then ran:
grub2-mkconfig -o /boot/grub2/grub.cfg


Why didn't you run dracut to create the new initramfs image file?


Then redid the convert above... Hyper-V still gives me dracut-timeout
errors.

Thoughts ? Did I miss something ?

Thanks

Jerry


Alexander




Re: [CentOS] Sendmail not working

2020-04-19 Thread Alexander Dalloz

On 19.04.2020 at 18:28, S.Bob wrote:


I installed sendmail via yum, but if I test it like this:


echo "Subject: sendmail test" | sendmail s...@quadratum-braccas.com


I get a local mail on the server with this every time:


[  ... ]

Hi,

your provided sendmail.mc shows that you have done zero customization. 
So please let me ask: do you have experience to setup and operate an MTA 
and especially Sendmail?


I am asking because that's not trivial and as you cannot judge about the 
error you are getting implies that you lack essential information. It is 
ok not to know how to run an MTA, but then you shouldn't.


At least you should configure Sendmail as a null-client. Do as Jason 
wrote and configure the SMART_HOST of your ISP. Take care for proper `' 
as those appear wrong in Jason's post. And make sure that the 
sendmail-cf package is installed so that the sendmail.cf can be rebuilt
after sendmail.mc customizations.


Alexander



Re: [CentOS] Netfilter fails to filter traffic from a netblock?

2020-04-19 Thread Alexander Dalloz

On 19.04.2020 at 14:58, Jeffrey Walton wrote:

The offending host is 59.64.129.175. To err on the side of caution we
attempted to block the entire netblock. According to whois data,
that's 59.64.128.0-59.64.159.255.

 iptables -A INPUT -s 59.64.128.0/19 -p TCP -j DROP


There was no comment so far that the order of the iptables rules 
matters. With your command you append to the existing rules. It would be
without effect in case there is a rule in order before which permits the 
traffic you try to block.



After reboot cpu usage is still high and access_log still shows
useless requests from the host:

 59.64.129.175 - - [19/Apr/2020:08:53:53 -0400] "GET /w/index.php?title=Special:WhatLinksHere=50&printable=yes HTTP/1.1" 301 311

I seem to be missing something. That's not surprising since I am not a
server administrator.

How do I filter the unwanted traffic from the netblock?


The iptables rules should be saved in /etc/sysconfig/iptables to be read 
in at boot time (or when the iptables service gets restarted).


Alexander


Re: [CentOS] CentOS 8 and xhost

2020-04-18 Thread Alexander Dalloz

On 20.04.2020 at 04:10, Jerry Geis wrote:

I found it...
https://www.tecmint.com/configure-xorg-as-default-gnome-session/


Care to fix your system time? Actually your postings date from 
20.04.2020 while it is still 19.04.


The post I am replying to has

Date: Sun, 19 Apr 2020 19:10:47 -0700

in the header.

Alexander




Re: [CentOS] Upgrade from Centos 7 to Centos 8

2020-04-08 Thread Alexander Dalloz

On 08.04.2020 at 17:50, Stefano Simonucci wrote:

Does anyone know how to upgrade?

Thanks

Stefano


There is no supported way to run an in-place upgrade. Back up your data
and run a fresh install.


Alexander



Re: [CentOS] fail2ban ban not working

2020-04-07 Thread Alexander Dalloz

On 07.04.2020 at 10:54, Gary Stainburn wrote:

2020-04-07 09:42:06,981 fail2ban.utils  [16138]: ERROR   7ff736d6f930 -- exec: ipset create f2b-dovecot hash:ip timeout 360

[ ... ]

2020-04-07 09:42:06,982 fail2ban.utils  [16138]: ERROR   7ff736d6f930 -- stderr: "ipset v7.1: Syntax error: '360' is out of range 0-2147483"


Set the timeout to a valid value within the named range.

Alexander


Re: [CentOS] CentOS 7 host with guests as bridge cannot access host

2020-04-02 Thread Alexander Dalloz

On 02.04.2020 at 16:10, Jerry Geis wrote:

This is unfortunate.
https://wiki.libvirt.org/page/TroubleshootMacvtapHostFail

To the "normal" user - BRIDGE means guest is on the same network and has
access to the host.

Bummer.

Jerry


You were not telling us that you were using Macvtap.

Alexander





Re: [CentOS] CentOS 7 host with guests as bridge cannot access host

2020-04-01 Thread Alexander Dalloz

On 01.04.2020 at 22:07, Alexander Dalloz wrote:

So looks like my IPTables is not correct.

What commands do you run for that ?


Simply firewalld. Docker acts by itself.


Sorry, have to correct myself. Had too much to do today on OpenShift.
There is no Docker involved in what we discuss. The firewall rules for 
the host bridge devices get created by libvirtd.


Alexander



Re: [CentOS] CentOS 7 host with guests as bridge cannot access host

2020-04-01 Thread Alexander Dalloz

On 01.04.2020 at 21:56, Jerry Geis wrote:

Thanks for the info.

brctl show virbr0
bridge name bridge id   STP enabled interfaces
virbr0  8000.525400fc34af   yes virbr0-nic

brctl show virbr1
bridge name bridge id   STP enabled interfaces
virbr1  8000.5254009c3902   yes virbr1-nic


Why is no VM started?


ip a s virbr0
3: virbr0:  mtu 1500 qdisc noqueue state
DOWN group default qlen 1000
 link/ether 52:54:00:fc:34:af brd ff:ff:ff:ff:ff:ff
 inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
valid_lft forever preferred_lft forever

ip a s virbr1
5: virbr1:  mtu 1500 qdisc noqueue state
DOWN group default qlen 1000
 link/ether 52:54:00:9c:39:02 brd ff:ff:ff:ff:ff:ff
 inet 192.168.100.1/24 brd 192.168.100.255 scope global virbr1
valid_lft forever preferred_lft forever

  cat /proc/sys/net/ipv4/ip_forward
1

  iptables -L FORWARD -v -n | egrep '(policy|virbr1)'
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)

iptables -L FORWARD -v -n | egrep '(policy|virbr0)'
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)


Is that different when the VMs are up?


So looks like my IPTables is not correct.

What commands do you run for that ?


Simply firewalld. Docker acts by itself.


Thanks,

Jerry


Alexander




Re: [CentOS] CentOS 7 host with guests as bridge cannot access host

2020-04-01 Thread Alexander Dalloz

On 01.04.2020 at 14:53, Jerry Geis wrote:

I have CentOS 7 host. Two guests on bridge network setup by GUI and
virt-manager.
1 CentOS 8 guest
1 Win 10 guest
Both cannot access the host. They can access other machines on the network. Guests
can access the internet just not the host.

I used virt-manager GUi to set up everything. Selected the eth0:macvtap and
Bridge.
I "desire" bridge network.

If I select something else I get access to host - but of course machine is
not on the main network.

Thoughts ?

Jerry


WORKSFORME

What have you checked so far?

On the host:

# brctl show virbr1
bridge name bridge id   STP enabled interfaces
virbr1  8000.525400698fd5   yes virbr1-nic
vnet0
vnet1
vnet2
vnet3
vnet4
vnet5


# ip a s virbr1
3: virbr1:  mtu 1500 qdisc noqueue 
state UP group default qlen 1000

link/ether 52:54:0069:8f:d5 brd ff:ff:ff:ff:ff:ff
inet 192.168.10.1/24 brd 192.168.10.255 scope global virbr1
   valid_lft forever preferred_lft forever

# cat /proc/sys/net/ipv4/ip_forward
1

# iptables -L FORWARD -v -n | egrep '(policy|virbr1)'
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
20337   14M ACCEPT all  --  eno1   virbr1  0.0.0.0/0        192.168.10.0/24  ctstate RELATED,ESTABLISHED
29512 3243K ACCEPT all  --  virbr1 eno1    192.168.10.0/24  0.0.0.0/0
    0     0 ACCEPT all  --  virbr1 virbr1  0.0.0.0/0        0.0.0.0/0
    0     0 REJECT all  --  *      virbr1  0.0.0.0/0        0.0.0.0/0        reject-with icmp-port-unreachable
    0     0 REJECT all  --  virbr1 *       0.0.0.0/0        0.0.0.0/0        reject-with icmp-port-unreachable


Alexander



Re: [CentOS] Centos 8 Postfix & Cyrus

2020-02-23 Thread Alexander Dalloz

On 24.02.2020 at 00:37, Gregory P. Ennis wrote:

Everyone,

I have had two e-mail servers running, one with Centos 6 and the other with
Centos 7 using sendmail, dovecot, spamassassin, clamd, and cclamav-milter
without hardly any problems after the initial setup.  My expertise should be
considered not much more than beginner or early intermediate.

I would like to create a hypervisor with Centos 8 and run a guest Centos 8
with postfix and cyrus. I already have a guest Centos 8 on a Centos 7
hypervisor, and have had difficulty getting cyrus to work.

Can anyone refer me to a tutorial on how to get postfix and cyrus to work on
centos 8. Everyone seems to imply that postfix is much easier to use, but so
far I have not been able to pass the low end of the learning curve.  Best
recommendations for a tutorial is what I would like to have.

Thanks much

Greg Ennis


Attention Greg, so-called tutorials do not tell you what you need to 
know about Postfix. Consult the original Postfix documentation.


Configure Postfix to use relay_transport for the hosted mail domains 
feeding Cyrus-IMAPd on LMTP. And make sure you define proper 
relay_recipient_maps (or virtual_alias_maps).


relay_domains = example.org
relay_transport = lmtp:inet:[1.2.3.4]:24

http://www.postfix.org/postconf.5.html

Alexander


Re: [CentOS] Encrypted container on CentOS VPS

2020-02-16 Thread Alexander Dalloz

On 16.02.2020 at 16:18, H wrote:

I wonder if it is possible to set up an encrypted "file container" on a CentOS 
VPS? I am the root user of the VPS but the hosting company also has access to the VPS and 
thus all files. Is it possible to create a LUKS-container on the VPS and those files only 
be accessible by me? IOW, most of the file system on the VPS would be regular file system 
but the container could be used by me as needed. This would allow the VPS to reboot 
normally, I could ssh in normally etc etc. I would rsync files as needed to this 
LUKS-container though.



Sounds like you want a transparent client-side encryption solution. For 
instance


https://cryptomator.org/
https://github.com/cryptomator/cryptomator

Alexander



Re: [CentOS] CentOS 7 : network interface renamed from eth0 to eth1 after reboot

2020-02-09 Thread Alexander Dalloz

On 09.02.2020 at 16:14, Nicolas Kovacs wrote:

On 09/02/2020 at 14:10, Nicolas Kovacs wrote:

Any suggestions ?


I forgot to add. The onboard NIC is a Broadcom card.

$ lspci | grep -i net
02:02.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL-8100/8101L/8139 PCI Fast Ethernet Adapter (rev 10)
02:09.0 Ethernet controller: Broadcom Inc. and subsidiaries BCM4401-B0 100Base-TX (rev 02)


This card gets randomly renamed to either eth0 or eth1 after every reboot.

This is weird.



https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/networking_guide/sec-Troubleshooting_Network_Device_Naming

Example 11.4

"Kernel always uses the ethX naming convention at boot when it 
enumerates network devices. Due to parallelization, the order of the 
kernel interface enumeration is expected to vary across reboots."


Alexander




Re: [CentOS] ls permissions format changed in CentOS 8

2019-10-25 Thread Alexander Dalloz

On 25.10.2019 at 23:44, Kenneth Porter wrote:
When I use "ls -al" on a directory, for files with only owner read/write 
permission, the displayed attributes are "-rw-", not "-rw-------". That 
means the file names don't line up with other files in the directory, 
which makes the listing harder to read. What changed where and how do I 
fix that?


Hm?

[adalloz@centos8 ~]$ touch foo
[adalloz@centos8 ~]$ chmod u=rw,go= foo
[adalloz@centos8 ~]$ ls -Al
insgesamt 12
-rw-r--r--. 1 adalloz adalloz  18 11. Mai 02:16 .bash_logout
-rw-r--r--. 1 adalloz adalloz 141 11. Mai 02:16 .bash_profile
-rw-r--r--. 1 adalloz adalloz 312 11. Mai 02:16 .bashrc
-rw-------. 1 adalloz adalloz   0 26. Okt 00:02 foo
[adalloz@centos8 ~]$ LANG=C stat foo
  File: foo
  Size: 0               Blocks: 0          IO Block: 4096   regular empty file
Device: fd02h/64770d    Inode: 788575      Links: 1
Access: (0600/-rw-------)  Uid: ( 1000/ adalloz)   Gid: ( 1000/ adalloz)
Context: unconfined_u:object_r:user_home_t:s0
Access: 2019-10-26 00:02:37.707079231 +0200
Modify: 2019-10-26 00:02:37.707079231 +0200
Change: 2019-10-26 00:04:26.920196480 +0200
 Birth: -


Not sure what you were doing.

Alexander





Re: [CentOS] Fwd: openvswitch package

2019-10-24 Thread Alexander Dalloz

On 24.10.2019 at 18:50, William Szumski wrote:

What happened to the openvswitch package on centos 7? It no longer seems to
be in the standard repositories.



Pardon, which "standard repositories"? To my knowledge openvswitch has 
always been part of the Cloud SIG efforts and I still see it at


http://mirror.centos.org/centos-7/7/cloud/x86_64/openstack-train/openvswitch-2.11.0-4.el7.x86_64.rpm

Alexander




Re: [CentOS] CentOS 8 redis install

2019-10-13 Thread Alexander Dalloz

On 13.10.2019 at 13:17, Günther J. Niederwimmer wrote:

Hello,

can anyone help me to install redis to my new webserver?

I can't enable the redis module with dnf?

Is redis missing on Centos 8?

Is there a way to download redis from a centos server for manual install?

Thanks for an answer.


[root@centos8 ~]# LANG=C dnf search redis
=== Name Exactly Matched: redis ===
redis.x86_64 : A persistent key-value database
== Summary & Name Matched: redis ==


[root@centos8 ~]# LANG=C dnf info redis
Available Packages
Name         : redis
Version      : 5.0.3
Release      : 1.module_el8.0.0+6+ab019c03
Arch         : x86_64
Size         : 927 k
Source       : redis-5.0.3-1.module_el8.0.0+6+ab019c03.src.rpm
Repo         : AppStream
Summary      : A persistent key-value database
URL          : http://redis.io
License      : BSD and MIT
Description  : Redis is an advanced key-value store. It is often referred to as a data
             : structure server since keys can contain strings, hashes, lists, sets and
             : sorted sets.
             :
             : You can run atomic operations on these types, like appending to a string;
             : incrementing the value in a hash; pushing to a list; computing set
             : intersection, union and difference; or getting the member with highest
             : ranking in a sorted set.
             :
             : In order to achieve its outstanding performance, Redis works with an
             : in-memory dataset. Depending on your use case, you can persist it either
             : by dumping the dataset to disk every once in a while, or by appending
             : each command to a log.
             :
             : Redis also supports trivial-to-setup master-slave replication, with very
             : fast non-blocking first synchronization, auto-reconnection on net split
             : and so forth.
             :
             : Other features include Transactions, Pub/Sub, Lua scripting, Keys with a
             : limited time-to-live, and configuration settings to make Redis behave like
             : a cache.
             :
             : You can use Redis from most programming languages also.




Re: [CentOS] qeum on centos 8 with nvme disk

2019-10-12 Thread Alexander Dalloz

On 13.10.2019 at 00:03, Jerry Geis wrote:

Hi Alan,

Yes I have partitioned similar - with a swap. but as I mentioned slow!


How do you measure the slowness? Use fio or bonnie++ to share some numbers.

[ .. ]


Jerry


Alexander




Re: [CentOS] CentOS 8 network-scripts

2019-10-03 Thread Alexander Dalloz

On 03.10.2019 at 21:14, Jerry Geis wrote:

Contents of ifcfg-eth0
# Generated by parse-kickstart
TYPE="Ethernet"
DEVICE="eth0"
UUID="6ada23ed-d1ad-4f37-935c-86163fe61e7b"
ONBOOT="yes"
BOOTPROTO="dhcp"
IPV6INIT="yes"


Why is it not starting at boot ?
Thanks,

Jerry


Set

NM_CONTROLLED=no

Alexander



Re: [CentOS] 7.7.1908, interface bonding, and default route

2019-09-20 Thread Alexander Dalloz

On 2019-09-20 15:31, Carlos A. Carnero Delgado wrote:
On Fri, 20 Sep 2019 at 06:16, Giles Coochey (gi...@coochey.net) wrote:


I have a similar set up to you, and just did the upgrade to 1908, I
didn't experience the problem you had, I can't see anything out of the
ordinary in your network files.



I have reviewed the configuration several times now, and still can't see if
there's anything wrong with it. What I found is that, after the system has
booted up, if I systemctl restart network the default route does get
applied.

Thanks a lot for your input!


If you don't want to use NetworkManager, then define NM_CONTROLLED="no"

In case you are using NetworkManager, then follow the RHEL guide to 
setup your bond using nmcli: 
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/networking_guide/sec-network_bonding_using_the_networkmanager_command_line_tool_nmcli


Alexander


Re: [CentOS] deprecations leading up to C8

2019-09-20 Thread Alexander Dalloz

On 2019-09-20 12:06, Randal, Phil wrote:
When I migrated our mx boxes from CentOS 5 to 7 I made the leap to postfix.


I built a test server with postfix etc on it and threw everything I
could think of at it before going live.

The key is, like in learning a new language, to start thinking in
postfix terms instead of thinking in sendmail terms.


Exactly, I was about to answer the same.

Postfix has a lot of features built in that Sendmail hasn't. It is feature 
rich and actively developed. Many things you would need a milter or 
complex cf style coding for with Sendmail you can configure in Postfix 
in a simple way.



It takes a while to 'get it' but I'm glad we made the link.

We search, read as many people's howtos as you can (caveat - they are
rarely 100% accurate), and test, test, test before going into
production.


Please, forget about so-called howtos or tutorials on the net. They are 
either dated, giving wrong ideas (no, you don't need a MySQL server to 
run Postfix), failing to explain why the author has done things the way 
he writes them up, or they are simply wrong / violating best practice.


Postfix has very good documentation (compared to the one shipping with 
Sendmail).


http://www.postfix.org/documentation.html

http://www.postfix.org/postconf.5.html


Cheers,

Phil


Alexander


Re: [CentOS] I broke "yum update" - C7

2019-08-30 Thread Alexander Dalloz

On 2019-08-30 17:04, Gordon Messmer wrote:

On 8/30/19 5:52 AM, Gary Stainburn wrote:
Incidentally, the *good* server that I was referencing my broken 
server against has decided to start giving the curl certificate errors 
in the same way that the broken one did. Very strange.  I ran



It's possible that the error is unrelated to the ca-certificates
file.  You'll only see it if yum selects a mirror that uses a Let's
Encrypt or Amazon-signed certificate (at least, those were the CAs for
the hosts I saw you report errors for).  If yum happens to select
mirrors that don't, then everything will work normally.  Reinstalling
the package on the original system may have been coincidental.


Testing yum's activity in debug mode had shown:

https://lists.centos.org/pipermail/centos/2019-August/173297.html

2019-08-29 17:23:17,345 opening local file "/var/cache/yum/x86_64/7/epel/metalink.xml.tmp" with mode wb
* About to connect() to mirrors.fedoraproject.org port 443 (#29)
*   Trying 8.43.85.67...
* Connected to mirrors.fedoraproject.org (8.43.85.67) port 443 (#29)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Server certificate:
*   subject: CN=*.fedoraproject.org,O=Red Hat Inc.,L=Raleigh,ST=North Carolina,C=US
*   start date: Feb 01 00:00:00 2017 GMT
*   expire date: May 01 12:00:00 2020 GMT
*   common name: *.fedoraproject.org
*   issuer: CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US
* NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
* Peer's Certificate issuer is not recognized.
* Closing connection 29
2019-08-29 17:23:18,117 exception: [Errno 14] curl#60 - "Peer's Certificate issuer is not recognized."
2019-08-29 17:23:18,117 retrycode (14) not in list [-1, 2, 4, 5, 6, 7], re-raising


Based on that it appears to me very clear that the trust with the 
DigiCert chain wasn't given due to a missing trust from the ca-cert 
bundle. Unfortunately we haven't seen a status of the ca-certificates 
RPM content before fixing it with a reinstall.


Alexander




Re: [CentOS] I broke "yum update" - C7

2019-08-30 Thread Alexander Dalloz

On 2019-08-30 17:17, Gordon Messmer wrote:

On 8/29/19 8:20 AM, Alexander Dalloz wrote:

yum uses libcurl behind the scenes and thus NSS and not OpenSSL.



Good to know.

In that case: Gary, what do you see when you run:

    /usr/lib64/nss/unsupported-tools/vfyserv -p 443 us-east.repo.webtatic.com



Do you get something indicative when running:
URLGRABBER_DEBUG=1 yum --disablerepo=\* --enablerepo=webtatic check-update



webtatic is the mirror, not a repo.  That won't do anything useful, will it?


In posting 
https://lists.centos.org/pipermail/centos/2019-August/173288.html you 
could see that he has a repo "webtatic" configured, at that time calling 
a different mirror.


Alexander



Re: [CentOS] I broke "yum update" - C7

2019-08-30 Thread Alexander Dalloz

On 2019-08-30 10:52, Gary Stainburn wrote:

On Thursday 29 August 2019 18:10:19 Alexander Dalloz wrote:

> 2019-08-29 17:23:18,117 exception: [Errno 14] curl#60 - "Peer's
> Certificate issuer is not recognized."
> 2019-08-29 17:23:18,117 retrycode (14) not in list [-1, 2, 4, 5, 6,
> 7], re-raising

[ ... ]

> Cannot retrieve metalink for repository: epel/x86_64. Please verify
> its path and try again

So can we check what version of the ca-certificates packages is being
installed on your system?

And a check into a different direction: what's the date and time of that
system? Does it fit or is it wrong? Time being not accurate can make SSL
connections fail.


Firstly, thank you for your help with this Alexander.


You are welcome Gary. And I am curious about what the cause of your repo 
troubles is.



I had already checked the system time. It was about 3 minutes out, but
I fixed it anyway.  I have checked the RPM for the certificates, and
it matches the one on another box that works.


[root@stan2 ~]# date
Fri 30 Aug 09:45:27 BST 2019
[root@stan2 ~]# rpm -qa|grep cert
ca-certificates-2018.2.22-70.0.el7_5.noarch
[root@stan2 ~]#


That's good. Now please verify that the ca-certificates RPM is healthy:

rpm -V ca-certificates

In addition you can grep for the DigiCert certificates which are used by 
the fedoraproject.org mirror servers for EPEL (concentrating on a single 
broken HTTPS repo for now):


# grep "DigiCert" /etc/pki/tls/certs/ca-bundle.crt
# DigiCert Assured ID Root CA
# DigiCert Assured ID Root G2
# DigiCert Assured ID Root G3
# DigiCert Global Root CA
# DigiCert Global Root G2
# DigiCert Global Root G3
# DigiCert High Assurance EV Root CA  <<- that one must be there
# DigiCert Trusted Root G4

Besides a corrupted certificates bundle I cannot imagine a different 
root cause actually.


Of course you could search system-wide for broken RPM content:

# for RPM in $(rpm -qa); do rpm -V ${RPM} >/dev/null; if [ "$?" -eq 1 ]; then echo "- ${RPM} -"; rpm -V ${RPM}; fi; done


Regards,
Alexander
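
The two checks from this message (the unknown-issuer error in the yum debug output, then the root label in ca-bundle.crt) combined into one script, as an added example that is not part of the original posting. The function names and sample files are constructed; it assumes the EL7 bundle layout in which each certificate is preceded by a `# <name>` label line, as the grep output above shows.

```bash
#!/usr/bin/env bash
# Added example: triage of a yum/libcurl "issuer is not recognized" failure.
# All sample data is constructed from the lines quoted in this thread.

# Read URLGRABBER_DEBUG=1 output on stdin and print one line per failed
# handshake in the form: host|issuer CN|NSS error name
nss_failures() {
    awk '
        /^\* Connected to /  { host = $4 }
        /^\*[ \t]+issuer: /  { issuer = $0
                               sub(/^\*[ \t]+issuer: CN=/, "", issuer)
                               sub(/,.*/, "", issuer) }
        /^\* NSS error /     { err = $5; gsub(/[()]/, "", err)
                               print host "|" issuer "|" err
                               host = issuer = "" }
    '
}

# Read root CA names on stdin (one per line) and print those that have no
# "# <name>" label line in the CA bundle given as $1.
missing_roots() {
    local bundle=$1 name
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        grep -qxF "# $name" "$bundle" || printf '%s\n' "$name"
    done
}

# $1 = debug log, $2 = CA bundle, $3 = root the failing chain must end in.
# A present label only shows the entry exists; "rpm -V ca-certificates"
# is still what verifies the file content.
trust_verdict() {
    local fails missing
    fails=$(nss_failures < "$1" | grep -c 'SEC_ERROR_UNKNOWN_ISSUER' || true)
    missing=$(printf '%s\n' "$3" | missing_roots "$2")
    if [ "$fails" -eq 0 ]; then
        echo "no-unknown-issuer"
    elif [ -n "$missing" ]; then
        echo "root-missing-from-bundle"      # reinstall ca-certificates
    else
        echo "root-present-look-elsewhere"   # rpm -Vv nss, system clock
    fi
}

# --- constructed sample input -------------------------------------------
SAMPLE_DIR=$(mktemp -d)
REQUIRED_ROOT="DigiCert High Assurance EV Root CA"

cat > "$SAMPLE_DIR/yum-debug.log" <<'EOF'
* About to connect() to mirrors.fedoraproject.org port 443 (#29)
*   Trying 8.43.85.67...
* Connected to mirrors.fedoraproject.org (8.43.85.67) port 443 (#29)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Server certificate:
*   subject: CN=*.fedoraproject.org,O=Red Hat Inc.,L=Raleigh,ST=North Carolina,C=US
*   issuer: CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US
* NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
* Peer's Certificate issuer is not recognized.
* Closing connection 29
EOF

# Label lines only; a real bundle carries the PEM data after each label.
cat > "$SAMPLE_DIR/bundle-ok.crt" <<'EOF'
# DigiCert Global Root CA
# DigiCert High Assurance EV Root CA
# DigiCert Trusted Root G4
EOF

cat > "$SAMPLE_DIR/bundle-broken.crt" <<'EOF'
# DigiCert Global Root CA
# DigiCert Trusted Root G4
EOF

for b in bundle-ok.crt bundle-broken.crt; do
    printf '%s: %s\n' "$b" \
        "$(trust_verdict "$SAMPLE_DIR/yum-debug.log" "$SAMPLE_DIR/$b" "$REQUIRED_ROOT")"
done
```

On a live system the first argument would be the captured output of the `URLGRABBER_DEBUG=1 yum ...` run and the second `/etc/pki/tls/certs/ca-bundle.crt`.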



Re: [CentOS] I broke "yum update" - C7

2019-08-29 Thread Alexander Dalloz

On 2019-08-29 18:26, Gary Stainburn wrote:

On Thursday 29 August 2019 16:47:11 Alexander Dalloz wrote:

rpm -Vv nss


[root@stan2 ~]# rpm -Vv nss
.........    /etc/pki/nss-legacy
.........  c /etc/pki/nss-legacy/nss-rhel7.config
.........    /etc/pki/nssdb
.........  c /etc/pki/nssdb/cert8.db
.........  c /etc/pki/nssdb/cert9.db
.........  c /etc/pki/nssdb/key3.db
.........  c /etc/pki/nssdb/key4.db
.........  c /etc/pki/nssdb/pkcs11.txt
.........  c /etc/pki/nssdb/secmod.db
.........    /usr/lib64/libnss3.so
.........  g /usr/lib64/libnssckbi.so
.........    /usr/lib64/libsmime3.so
.........    /usr/lib64/libssl3.so
.........    /usr/lib64/nss/libnssckbi.so
.........  d /usr/share/man/man5/cert8.db.5.gz
.........  d /usr/share/man/man5/cert9.db.5.gz
.........  d /usr/share/man/man5/key3.db.5.gz
.........  d /usr/share/man/man5/key4.db.5.gz
.........  d /usr/share/man/man5/pkcs11.txt.5.gz
.........  d /usr/share/man/man5/secmod.db.5.gz


Ok, that package content looks healthy. No problem there.

[root@stan2 ~]# URLGRABBER_DEBUG=1 yum --disablerepo=\* --enablerepo=epel update

[snip]
Loading mirror speeds from cached hostfile
2019-08-29 17:23:17,344 combined options: {
  'text' : 'epel/x86_64/metalink',


[ ... ]


2019-08-29 17:23:17,344 attempt 1/10: https://mirrors.fedoraproject.org/metalink?repo=epel-7=x86_64
2019-08-29 17:23:17,345 opening local file "/var/cache/yum/x86_64/7/epel/metalink.xml.tmp" with mode wb
* About to connect() to mirrors.fedoraproject.org port 443 (#29)
*   Trying 8.43.85.67...
* Connected to mirrors.fedoraproject.org (8.43.85.67) port 443 (#29)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Server certificate:
*   subject: CN=*.fedoraproject.org,O=Red Hat Inc.,L=Raleigh,ST=North Carolina,C=US
*   start date: Feb 01 00:00:00 2017 GMT
*   expire date: May 01 12:00:00 2020 GMT
*   common name: *.fedoraproject.org
*   issuer: CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US
* NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
* Peer's Certificate issuer is not recognized.


So here we are.

While the current ca-certificates package of CentOS 7 
ca-certificates-2018.2.22-70.0.el7_5.noarch does not hold the 
intermediate certificate "DigiCert SHA2 High Assurance Server" I don't 
get that issue.


# grep "DigiCert" /etc/pki/tls/certs/ca-bundle.crt
# DigiCert Assured ID Root CA
# DigiCert Assured ID Root G2
# DigiCert Assured ID Root G3
# DigiCert Global Root CA
# DigiCert Global Root G2
# DigiCert Global Root G3
# DigiCert High Assurance EV Root CA
# DigiCert Trusted Root G4


* Closing connection 29
2019-08-29 17:23:18,117 exception: [Errno 14] curl#60 - "Peer's
Certificate issuer is not recognized."
2019-08-29 17:23:18,117 retrycode (14) not in list [-1, 2, 4, 5, 6,
7], re-raising


[ ... ]


Cannot retrieve metalink for repository: epel/x86_64. Please verify its path and try again


So can we check what version of the ca-certificates packages is being 
installed on your system?


And a check into a different direction: what's the date and time of that 
system? Does it fit or is it wrong? Time being not accurate can make SSL 
connections fail.


Alexander



Re: [CentOS] I broke "yum update" - C7

2019-08-29 Thread Alexander Dalloz

On 2019-08-29 17:36, Gary Stainburn wrote:

On Thursday 29 August 2019 16:20:00 Alexander Dalloz wrote:

Hi,

yum uses libcurl behind the scenes and thus NSS and not OpenSSL.

Do you get something indicative when running:

URLGRABBER_DEBUG=1 yum --disablerepo=\* --enablerepo=webtatic check-update

Alexander


I get a lot of output for what looks like access to the local repos.d
files all ending with success. I have included below the first and
last of these immediately followed by the line saying that webtatic
is not found

[root@stan2 ~]# URLGRABBER_DEBUG=1 yum --disablerepo=\* --enablerepo=webtatic check update


[ ... ]


Error getting repository data for webtatic, repository not found



Hm, I thought one of the repositories failing due to failing SSL is the 
webtatic one.


From your posting today 12:03 CEST:

 * webtatic: uk.repo.webtatic.com

Anyhow, a test against "epel" would work too as it is configured to use a 
https target as well.


URLGRABBER_DEBUG=1 yum --disablerepo=\* --enablerepo=epel update

Please check this too: rpm -Vv nss

Alexander


Re: [CentOS] I broke "yum update" - C7

2019-08-29 Thread Alexander Dalloz

On 2019-08-29 16:51, Gary Stainburn wrote:

On Thursday 29 August 2019 15:45:44 Gordon Messmer wrote:

On 8/29/19 3:03 AM, Gary Stainburn wrote:
> https://us-east.repo.webtatic.com/yum/el7/x86_64/repodata/repomd.xml: [Errno 14] curl#60 - "Peer's Certificate issuer is not recognized."


What do you see when you run:

     openssl s_client -showcerts -connect us-east.repo.webtatic.com:443


That seems to work fine on the faulty server.

[root@stan2 ~]# openssl s_client -showcerts -connect us-east.repo.webtatic.com:443
CONNECTED(0003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = webtatic.com
verify return:1


[ ... ]


Verify return code: 0 (ok)




Hi,

yum uses libcurl behind the scenes and thus NSS and not OpenSSL.

Do you get something indicative when running:

URLGRABBER_DEBUG=1 yum --disablerepo=\* --enablerepo=webtatic check-update


Alexander


Re: [CentOS] Availability of rsyslog-8.24.0-41.el7_7.x86_64

2019-08-15 Thread Alexander Dalloz

On 2019-08-15 14:38, Dennis Well wrote:

Hey there,
RedHat released the new version 8.24.0-41 of rsyslog on 2019-08-06. We
need some fixes of this version and would like to know about which time
this version will be available for CentOS.
http://mirror.centos.org/centos/7/os/x86_64/Packages/ still lists
rsyslog-8.24.0-34 ( 2018-11-12).
Currently I assume the maintainer might be on vacation?
Cheers
Dennis



That's an update coming with 7.7. So you probably will have to be 
patient until the .7 minor update pops up in the CR repo.


Johnny may be more verbose about the rebuild plans and their status.

Alexander



Re: [CentOS] how to use an Adaptec RAID 51645

2019-08-05 Thread Alexander Dalloz

On 2019-08-05 12:30, Alexander Dalloz wrote:

On 2019-08-05 12:24, Ralf Prengel wrote:

Hello,
has anyone a hint how to use an Adaptec RAID 51645 under Centos 7?

A volume is created using the controller interface but isn't active
under centos.

Thanks for hints
Ralf


That's a pretty old RAID controller. Kernel module support for such
old cards has been dropped by RHEL. Check the ELrepo for a matching
package.

https://elrepo.org/tiki/kmod-aacraid

should be a fit.

Alexander


It would be helpful to check the PCI IDs of that card using "lspci -n" 
or "lspci -nn". I just saw the current EL7 kernel provides


# ls -Al /lib/modules/3.10.0-957.27.2.el7.x86_64/kernel/drivers/scsi/aacraid/

total 56
-rw-r--r--. 1 root root 56884 Jul 29 20:07 aacraid.ko.xz

and "modinfo aacraid" shows a long list of supported devices.

According to 
https://adaptec.com/de-de/speed/raid/aac/linux/aacraid_linux_rpms_v1_1_7-29100_tgz.php 
the module should be a fit for the Adaptec RAID 51645.


Alexander



Re: [CentOS] how to use an Adaptec RAID 51645

2019-08-05 Thread Alexander Dalloz

On 2019-08-05 12:24, Ralf Prengel wrote:

Hello,
has anyone a hint how to use an Adaptec RAID 51645 under Centos 7?

A volume is created using the controller interface but isn't active
under centos.

Thanks for hints
Ralf


That's a pretty old RAID controller. Kernel module support for such old 
cards has been dropped by RHEL. Check the ELrepo for a matching 
package.


https://elrepo.org/tiki/kmod-aacraid

should be a fit.

Alexander



Re: [CentOS] Failed to start crond

2019-07-25 Thread Alexander Dalloz

On 2019-07-25 11:12, Tarik Belaam wrote:

Hi,

A couple of days ago, cron service stopped running on my Centos 6.
When I try to start with "service crond start" I get this error :
"Starting /usr/sbin/crond: [-] Error 0x7a911401 in attaching to
process!"

Any ideas?

Thanks



You do not share much info about your system and what you already did so 
far to debug the situation.


Is only the function of crond affected?

What does running "rpm -Vv cronie" tell you?

Alexander



Re: [CentOS] Scope of classes in CFE 3.10.2 on CentOS 7

2019-07-10 Thread Alexander Dalloz

On 10.07.2019 at 18:07, Meikel wrote:


# cat /etc/redhat-release
CentOS Linux release 7.4.1708 (Core)


Any good reason to not keep that system up to date? Minor release 7.4 is 
pretty old and has serious bugs. 7.6.1810 is current.


Alexander



Re: [CentOS] raid 5 install

2019-06-27 Thread Alexander Dalloz

On 27.06.2019 at 15:36, Nikos Gatsis - Qbit wrote:

Hello list.

The next days we are going to install Centos 7 on a new server, with 
4*3Tb sata hdd as raid-5. We will use the graphical interface to install 
and set up raid.


You hopefully plan to use just 3 of the disks for the RAID 5 array and 
the 4th as a hotspare.


Do I have to consider anything before installation, because the disks 
are very large?


Does the graphical use the parted to set/format the raid?


It does. See the RHEL 7 installation documentation.


I hope the above make sense.

Thank you in advance.

Nikos


Alexander




Re: [CentOS] Postgrey not working

2019-06-20 Thread Alexander Dalloz

On 20.06.2019 at 11:35, Nicolas Kovacs wrote:

On 20/06/2019 at 11:28, Alexander Dalloz wrote:

What is being logged when a message passes your MTA inbound? The answer
to your issue is within the maillog.


According to maillog, the message is delivered instantly, exactly like
on a normal configuration without Postgrey.


Let me get my question more precise: do you see postgrey acting in your 
maillog? If not, you have not configured postfix properly.


Alexander




Re: [CentOS] Postgrey not working

2019-06-20 Thread Alexander Dalloz

On 20.06.2019 at 09:39, Nicolas Kovacs wrote:

On 19/06/2019 at 22:05, Phil Perry wrote:

Try following the Postgrey guide on the Wiki:

https://wiki.centos.org/HowTos/postgrey#head-314ceecc5ece27e0f0a4bf1abcd8ee9356cd1a5e


Works for me (allowing for the switch to systemd)


I've followed this document, and still no joy.

Niki


What is being logged when a message passes your MTA inbound? The answer 
to your issue is within the maillog.


Alexander




Re: [CentOS] Postfix and choice of RBL

2019-06-17 Thread Alexander Dalloz

On 17.06.2019 at 19:10, Alexander Dalloz wrote:
Additionally, I've got Postgrey enabled, which does a really good job 
of weeding out the spambot desktops and such.


Instead of using reject_rbl_client the better choice is to use 
postscreen within Postfix. That enables the admin to set weighted 
scores, not rejecting based on a single RBL.


Alexander


Forgot to mention that when using postscreen you can drop Postgrey as 
postscreen does the same job.


Alexander



Re: [CentOS] Postfix and choice of RBL

2019-06-17 Thread Alexander Dalloz

On 17.06.2019 at 18:09, Mike Burger wrote:

On 2019-06-17 06:20, Nicolas Kovacs wrote:

Hi,

I'm managing several mail servers running CentOS 7, Postfix and Dovecot.
SpamAssassin is filtering mail nicely, but I'm considering using RBL
(blacklists) to take some load off the servers.

General question to those of you who use RBL. Which lists do you
recommend using?


In my "reject_rbl_client" lines, I've been using:

  - hil.habeas.com
  - sbl-xml.spamhaus.org
  - bl.spamcop.net

And in my reject_rhsbl_sender line, I have:

  - ds.rfc-ignorant.org

Additionally, I've got Postgrey enabled, which does a really good job of 
weeding out the spambot desktops and such.


Instead of using reject_rbl_client the better choice is to use 
postscreen within Postfix. That enables the admin to set weighted 
scores, not rejecting based on a single RBL.


Alexander
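
How the weighted scoring mentioned above differs from a single-list reject, as an added example that is not part of the original posting. The weights, the threshold and `allow.example.org` are constructed values; the functions only model the score arithmetic that postconf(5) describes for `postscreen_dnsbl_sites` and `postscreen_dnsbl_threshold`, they do not query any DNSBL.

```bash
#!/usr/bin/env bash
# Added example: combined DNSBL score (postscreen) versus rejecting on any
# single listing (reject_rbl_client). List names are the ones from this
# thread; weights, threshold and allow.example.org are constructed.
#
# main.cf form of the constructed policy:
#   postscreen_dnsbl_sites = sbl-xml.spamhaus.org*2 bl.spamcop.net*1
#                            hil.habeas.com*1 allow.example.org*-2
#   postscreen_dnsbl_threshold = 2

DNSBL_SITES="sbl-xml.spamhaus.org*2 bl.spamcop.net*1 hil.habeas.com*1 allow.example.org*-2"
DNSBL_THRESHOLD=2
RBL_CLIENT_LISTS="sbl-xml.spamhaus.org bl.spamcop.net hil.habeas.com"

# $1 = value in postscreen_dnsbl_sites syntax (domain[=filter][*weight]),
# $2 = lists on which the client is listed. Prints the combined score.
dnsbl_score() {
    awk -v sites="$1" -v hits="$2" 'BEGIN {
        n = split(hits, h, /[ ,\t]+/)
        for (i = 1; i <= n; i++) listed[h[i]] = 1
        m = split(sites, s, /[ ,\t]+/)
        for (i = 1; i <= m; i++) {
            if (s[i] == "") continue
            k = index(s[i], "*")
            domain = k ? substr(s[i], 1, k - 1) : s[i]
            weight = k ? substr(s[i], k + 1) + 0 : 1    # default weight is 1
            e = index(domain, "=")                      # drop optional reply filter
            if (e) domain = substr(domain, 1, e - 1)
            if (domain in listed) score += weight
        }
        print score + 0
    }'
}

# postscreen blocks when the score reaches the threshold (inclusive bound).
postscreen_verdict() {   # $1 = sites, $2 = hits, $3 = threshold
    local score
    score=$(dnsbl_score "$1" "$2")
    if [ "$score" -ge "$3" ]; then echo block; else echo pass; fi
}

# reject_rbl_client semantics: one listing on any configured list rejects.
single_rbl_verdict() {   # $1 = configured lists, $2 = hits
    local h
    for h in $2; do
        case " $1 " in
            *" $h "*) echo block; return ;;
        esac
    done
    echo pass
}

# Constructed client: listed on one low-weight list only.
HITS="bl.spamcop.net"
printf 'score=%s postscreen=%s reject_rbl_client=%s\n' \
    "$(dnsbl_score "$DNSBL_SITES" "$HITS")" \
    "$(postscreen_verdict "$DNSBL_SITES" "$HITS" "$DNSBL_THRESHOLD")" \
    "$(single_rbl_verdict "$RBL_CLIENT_LISTS" "$HITS")"
```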





Re: [CentOS] Postfix and choice of RBL

2019-06-17 Thread Alexander Dalloz

On 17.06.2019 at 16:50, Bowie Bailey wrote:

On 6/17/2019 6:20 AM, Nicolas Kovacs wrote:

Hi,

I'm managing several mail servers running CentOS 7, Postfix and Dovecot.
SpamAssassin is filtering mail nicely, but I'm considering using RBL
(blacklists) to take some load off the servers.

General question to those of you who use RBL. Which lists do you
recommend using?


The best free blacklist that I'm aware of is zen.spamhaus.org.  I've been using
it as a blacklist on my server for years without any problems.

More info: https://www.spamhaus.org/zen/


Spamhaus isn't free per se.

https://www.spamhaus.org/organization/dnsblusage/

Alexander





Re: [CentOS] postgis-2.0.7-2.el7 still in epel7-testing?

2019-04-11 Thread Alexander Dalloz

On 11.04.2019 at 15:03, Danny Smit wrote:

Hi all,

I'm looking for a fix in postgis, which seems to be fixed already in
postgis-2.0.7-2.el7.

However that package seems to be 'stuck' in the epel7-testing repository:
   https://koji.fedoraproject.org/koji/buildinfo?buildID=750618
   https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-b6c229157e

Is there a reason that the package is not pushed to stable yet? Or can
it be pushed to stable?


You will have to ask the EPEL maintainer your questions. EPEL is not 
controlled by the CentOS project.


Alexander




Re: [CentOS] Support for Argon2 for password hashing

2019-02-13 Thread Alexander Dalloz

On 13.02.2019 at 14:18, Robert Moskowitz wrote:

Is there any information on adding support for Argon2?


Did you check the RHEL 8 beta?

Alexander



Re: [CentOS] C7 and mdadm

2019-01-22 Thread Alexander Dalloz

On 22.01.2019 at 23:26, mark wrote:

md0 : active (auto-read-only) raid5 sdg1[8](S) sdh1[7] sdf1[4] sde1[3]
sdd1[2] sdc1[1]

[ ... ]

[__U]


I see a RAID 5 with 2 elements missing from the array. That would mean 
data is lost.


Alexander



Re: [CentOS] Spamassassin + Postfix : delete spam mail on the server ?

2018-12-19 Thread Alexander Dalloz

On 19.12.2018 at 14:49, Nux! wrote:

Absolutely, never reject spam at MTA level!

Usually I put it in a spam folder, then add a cronjob that deletes messages
older than 6 months, ymmv.

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro


Sorry, I see it totally different. But do what you like to do as your 
own postmaster. There are good reasons to reject SPAM messages instead 
of initially accepting them.


Alexander



Re: [CentOS] Spamassassin + Postfix : delete spam mail on the server ?

2018-12-18 Thread Alexander Dalloz

On 18.12.2018 at 08:08, Nicolas Kovacs wrote:

The problem with this setup is that spam mail is still delivered, and I
need Thunderbird's filters to weed out incoming mail. And when I'm using
my webmail (running SquirrelMail), my inbox is a tsunami of unread
[SPAM] messages.

So I'd like to go a step further and delete all messages flagged [SPAM]
directly on the server. It doesn't look like Spamassassin provides this
functionality.


What's the point of delivering identified SPAM and then deleting it? 
Reject SPAM at SMTP level on your MTA. Easy to do with amavisd-new in a 
smtp proxy setup with Postfix.


Alexander



Re: [CentOS] KVM Bridge Problem

2018-12-04 Thread Alexander Dalloz

Am 04.12.2018 um 21:30 schrieb Günther J. Niederwimmer:

Hello,
is this only my mistake, or can help any from the list?

I have 3 host computer on different places, but all have the Problem when
starting a client "KVM" to connect to the bridge from the host.

It is near not possible to start a client, only after 10-20 reboot/restart
from the client's the network is starting correct?


Logs are the only source of truth. Without them everything is pure 
speculation.



Is this  only on my computers or have other also this Problem?

Is the bridge software is broken ?


What does your system report in the relevant log files?


Can I use openvswitch to replace bridge Software?


Sure you can. It takes a bit more effort to setup openvswitch. It can be 
worth it depending on your network design.



Any help are welcome ;-)


First of all it would be necessary from your side to provide details 
about your setup. Running KVM with a bridge setup is not enough info.


Get your config sorted and the logs.

Alexander




Re: [CentOS] Bastion server

2018-12-04 Thread Alexander Dalloz

Am 04.12.2018 um 09:21 schrieb Ilyass Kaouam:

. And of course log activity users

For me,  In resume I want :
1. One acces point to all my servers
2. log activity user (login with active directory)

Regard's


Look at FreeIPA and KeyCloak. Maybe those tools do most of what you like 
to get. In addition configure the auditd service which comes by default 
with CentOS.


Alexander



Re: [CentOS] [OT] Where to buy S/MIME ??

2018-11-25 Thread Alexander Dalloz

Am 25.11.2018 um 17:26 schrieb Alfred von Campe:



On Nov 25, 2018, at 8:35, Alice Wonder  wrote:

Where do regular users who just want an inexpensive certificate usable for 
S/MIME from a CSR generated the traditional way go to buy a cert?


Have you looked at https://letsencrypt.org? 

Alfred


Letsencrypt does not sign certificates for use with S/MIME.

Alexander




Re: [CentOS] PostgreSQL port accessible even though it should be blocked by firewall

2018-10-29 Thread Alexander Dalloz

Am 29.10.2018 um 20:03 schrieb Frank Thommen:

PostgreSQL is running in a docker container:

$ docker ps
CONTAINER ID    IMAGE     COMMAND                  CREATED      STATUS      PORTS                    NAMES
6f11fc41d2f0    postgres  "docker-entrypoint..."   4 days ago   Up 4 days   0.0.0.0:5432->5432/tcp   postgres

$


The various docker interfaces and virtual bridges are not assigned to 
any specific zone.



Why is port 5432/tcp open?


You will see it if you check the netfilter rules with:

iptables -L -n -v --line -t filter
iptables -L -n -v --line -t nat


frank


Alexander
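
What those two rule listings reveal, as an added example that is not part of the original thread: Docker publishes the port with a DNAT rule in the nat table, so the traffic is forwarded to the container and is never evaluated by the INPUT chain. The example reads `iptables-save` format rather than `iptables -L` output; the dump, the container address 172.17.0.2 and all function names are constructed for illustration.

```python
import shlex

# Constructed iptables-save dump, modelled on a host that publishes
# 0.0.0.0:5432->5432/tcp for one container (addresses are made up).
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 5432 -j DNAT --to-destination 172.17.0.2:5432
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:DOCKER - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 5432 -j ACCEPT
COMMIT
"""


def parse_rule(line):
    """Turn one '-A CHAIN ...' line into a dict of option -> value."""
    tok = shlex.split(line)
    rule = {"chain": tok[1]}
    negate = False
    i = 2
    while i < len(tok):
        t = tok[i]
        if t == "!":                      # negation applies to the next option
            negate = True
            i += 1
            continue
        if t.startswith("-"):
            has_val = (i + 1 < len(tok)
                       and not tok[i + 1].startswith("-")
                       and tok[i + 1] != "!")
            val = tok[i + 1] if has_val else True
            rule[t] = ("!" + val) if (negate and has_val) else val
            i += 2 if has_val else 1
        else:
            i += 1
        negate = False
    return rule


def parse_iptables_save(text):
    """Return {table_name: [rule, ...]} for every table in the dump."""
    tables, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            current = line[1:]
            tables[current] = []
        elif line.startswith("-A ") and current is not None:
            tables[current].append(parse_rule(line))
    return tables


def published_ports(tables):
    """List DNAT-published ports and which filter chains let them through."""
    findings = []
    flt = tables.get("filter", [])
    for r in tables.get("nat", []):
        target = r.get("--to-destination")
        if r.get("-j") != "DNAT" or not isinstance(target, str):
            continue
        proto, dport = r.get("-p"), r.get("--dport")
        dest_ip, _, dest_port = target.rpartition(":")   # IPv4 targets only
        # Would the INPUT chain (where host firewall zones live) allow it?
        input_allows = any(
            x["chain"] == "INPUT" and x.get("-j") == "ACCEPT"
            and x.get("-p") == proto and x.get("--dport") == dport
            for x in flt)
        # Is the forwarded, already rewritten packet accepted elsewhere?
        forward_accepts = any(
            x["chain"] != "INPUT" and x.get("-j") == "ACCEPT"
            and str(x.get("-d", "")).split("/")[0] == dest_ip
            and x.get("--dport") == dest_port
            for x in flt)
        findings.append({"proto": proto, "host_port": dport,
                         "container": target,
                         "input_allows": input_allows,
                         "forward_accepts": forward_accepts})
    return findings


if __name__ == "__main__":
    for f in published_ports(parse_iptables_save(SAMPLE_DUMP)):
        print(f)
```

A finding with `input_allows` false and `forward_accepts` true is exactly the situation in the question: nothing on INPUT opens the port, yet it is reachable through the forwarding path.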


Re: [CentOS] Setting up sendmail to mail system messages on CentOS 6 and 7

2018-10-26 Thread Alexander Dalloz

Am 26.10.2018 um 14:44 schrieb Sorin Srbu:

Here is a typical guide I've used for CentOS  6, and that I've used for the
problem server above as well as for other CentOS 7-machines.



That "guide" is not really useful nor clever. In a scenario like yours, 
you would setup Sendmail as a nullclient. That's documented in 
cf/README. Or even drop Sendmail and choose a software like msmtp or 
ssmtp which is dedicated for such purpose. You don't need the MTA 
functionality of Sendmail.



Is setting up sendmail different on CentOS 7 in any way, as compared to
CentOS 6??


Not really.


Anything else I should double-check?


Your logs will tell you what is happening and where to look at closer. 
If you like to get specific help from this list I feel you should 
provide your sendmail.mc and log content demonstrating your issue(s).


Alexander


Re: [CentOS] C6 Bind

2018-10-14 Thread Alexander Dalloz

Am 15.10.2018 um 00:33 schrieb Ken Smith:
If I telnet to port 53 from outside my LAN I get a connection. If I stop 
bind that connection is refused, confirming the local bind instance is 
getting the connection.


You cannot test bind operating on port 53 by UDP through telnet.

Alexander



Re: [CentOS] Certificates

2018-09-01 Thread Alexander Dalloz

Am 01.09.2018 um 20:27 schrieb Valeri Galtsev:
I just checked on my box and confirm that yes, with every renewal of 
certificate new key is created. I should realize that fact even before 
looking, as it is asymmetric encryption pair, thus the new pair cert+key 
is generated (and the cert [request] gets signed).


Valeri


You are commenting on a specific ACME helper tool to create LE 
certificates? On my side the key stays the same. And as long as it is 
not compromised there is no need to change it.


Alexander



Re: [CentOS] Mail has quit working

2018-08-26 Thread Alexander Dalloz

Am 26.08.2018 um 20:48 schrieb TE Dukes:

You see a basic error message "Could not connect to localhost:143". So
test that without using additional software. Foremost consult the
maillog, in this case the log content produced by dovecot. And test
connectivity on the lowest level.

echo QUIT | openssl s_client -connect localhost:143 -starttls imap

I'm getting what appears to be a help file with various options when trying to
run the above command


Can we guess that you don't offer TLS for IMAP connections?


That must be successful first. You can too test "lsof -i :143" or "ss
-tulpen | grep 143". And tail your maillog.


Running lsof -i :143, I get:

COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
dovecot 1576 root   37u  IPv4  32014  0t0  TCP *:imap (LISTEN)
dovecot 1576 root   38u  IPv6  32015  0t0  TCP *:imap (LISTEN)

Running ss -tulpen | grep 143 :

tcp    LISTEN     0      100       *:143       *:*      users:(("dovecot",pid=1576,fd=37)) ino:32014 sk:913e953e2e80 <->
tcp    LISTEN     0      100      :::143      :::*      users:(("dovecot",pid=1576,fd=38)) ino:32015 sk:913b2e90a100 v6only:1 <->


So port 143 is listening. Are we back to the point that your DNS or NSS 
is broken so that even


telnet localhost 143

fails while

telnet 127.0.0.1 143

is successful?


Thanks!!


Alexander




Re: [CentOS] Mail has quit working

2018-08-26 Thread Alexander Dalloz

Am 26.08.2018 um 18:12 schrieb TE Dukes:

Thanks. I did open the port but made no difference.

I found this in the roundcube mail error file:

[26-Aug-2018 11:48:41 -0400]:  IMAP Error: Login failed for tdukes
from 192.168.1.102. Could not connect to localhost:143:
php_network_getaddresses: getaddrinfo failed: System error in
/usr/share/roundcubemail/program/lib/Roundcube/rcube_imap.php on line 197
(POST /?_task=login?_task=login&_action=login)

There is also a warning about the time zone. It's set as America/New_York in
php.ini


Sorry to say, but you have to learn to analyze problems systematically 
and by following simple approaches. At this point it is not useful to 
get Roundcube involved.


You see a basic error message "Could not connect to localhost:143". So 
test that without using additional software. Foremost consult the 
maillog, in this case the log content produced by dovecot. And test 
connectivity on the lowest level.


echo QUIT | openssl s_client -connect localhost:143 -starttls imap

That must be successful first. You can too test "lsof -i :143" or "ss 
-tulpen | grep 143". And tail your maillog.


Alexander



Re: [CentOS] Mail has quit working

2018-08-26 Thread Alexander Dalloz

Am 26.08.2018 um 15:25 schrieb TE Dukes:

Checked maillog:

Aug 26 09:12:31 ts130 postfix/qmgr[2194]: E5B948331053: 
from=, size=469, nrcpt=1 (queue active)
Aug 26 09:12:31 ts130 postfix/smtp[2307]: connect to 
127.0.0.1[127.0.0.1]:10024: Connection refused
Aug 26 09:12:32 ts130 postfix/smtp[2307]: E5B948331053: 
to=, orig_to=, relay=none, delay=77, 
delays=77/0.39/0/0, dsn=4.4.1, status=deferred (connect to 127.0.0.1[127.0.0.1]:10024: 
Connection refused)
Aug 26 09:12:34 ts130 postfix/pickup[2193]: 4670E8252A22: uid=0 
from=
Aug 26 09:12:34 ts130 postfix/cleanup[2197]: 4670E8252A22: 
message-id=<20180826131234.4670e8252...@ts130.palmettodomains.com>
Aug 26 09:12:34 ts130 postfix/qmgr[2194]: 4670E8252A22: 
from=, size=482, nrcpt=1 (queue active)
Aug 26 09:12:34 ts130 postfix/smtp[2307]: connect to 
127.0.0.1[127.0.0.1]:10024: Connection refused
Aug 26 09:12:34 ts130 postfix/smtp[2307]: 4670E8252A22: 
to=, orig_to=, relay=none, delay=0.58, 
delays=0.58/0/0/0, dsn=4.4.1, status=deferred (connect to 127.0.0.1[127.0.0.1]:10024: 
Connection refused)

Really appreciate everyone's help and patience!


That part of the log just indicates that your service which is called 
on port 10024 isn't running. In your setup that is likely the 
amavisd-new filter service. Make sure it runs or take it out of your 
Postfix configuration.


Alexander
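
The reading of the maillog given above, turned into a repeatable check, as an added example that is not part of the original thread: it groups Postfix `status=deferred` lines by the endpoint that could not be reached and marks loopback endpoints, which point at a local filter service (here port 10024) that is not listening. The log lines, host name, addresses and function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed maillog excerpt in the format quoted in the thread.
SAMPLE_LOG = """\
Aug 26 09:12:31 mx1 postfix/smtp[2307]: connect to 127.0.0.1[127.0.0.1]:10024: Connection refused
Aug 26 09:12:32 mx1 postfix/smtp[2307]: E5B948331053: to=<user@example.com>, orig_to=<root>, relay=none, delay=77, delays=77/0.39/0/0, dsn=4.4.1, status=deferred (connect to 127.0.0.1[127.0.0.1]:10024: Connection refused)
Aug 26 09:12:34 mx1 postfix/smtp[2307]: 4670E8252A22: to=<user@example.com>, orig_to=<root>, relay=none, delay=0.58, delays=0.58/0/0/0, dsn=4.4.1, status=deferred (connect to 127.0.0.1[127.0.0.1]:10024: Connection refused)
Aug 26 09:13:10 mx1 postfix/smtp[2311]: 7C1D08331060: to=<user@exmaple.test>, relay=none, delay=13075, delays=13015/0.02/60/0, dsn=4.4.1, status=deferred (connect to exmaple.test[192.0.2.25]:25: Connection timed out)
Aug 26 09:14:00 mx1 postfix/smtp[2312]: 55271840D734: to=<user@example.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=1, delays=0.07/0.01/0/0.94, dsn=2.0.0, status=sent (250 2.0.0 Ok)
"""

# Queue ID, recipient, and the endpoint/reason inside "status=deferred (...)".
DEFERRED = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>,.*"
    r"status=deferred \(connect to (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]:"
    r"(?P<port>\d+): (?P<why>[^)]+)\)"
)


def summarize_deferrals(log_text):
    """Group deferred deliveries by (ip, port, reason)."""
    summary = {}
    for line in log_text.splitlines():
        m = DEFERRED.search(line)
        if not m:
            continue
        key = (m["ip"], int(m["port"]), m["why"])
        entry = summary.setdefault(key, {
            "host": m["host"],
            "queue_ids": [],
            "recipients": set(),
            # Loopback target: the next hop is a service on this machine.
            "local_service": ipaddress.ip_address(m["ip"]).is_loopback,
        })
        entry["queue_ids"].append(m["qid"])
        entry["recipients"].add(m["rcpt"])
    return summary


def local_services_down(summary):
    """Ports of local next-hop services that refused the connection."""
    return sorted({port for (ip, port, why), e in summary.items()
                   if e["local_service"] and why == "Connection refused"})


if __name__ == "__main__":
    result = summarize_deferrals(SAMPLE_LOG)
    for (ip, port, why), e in result.items():
        where = "local service" if e["local_service"] else "remote host"
        print(f"{ip}:{port} ({where}) {why}: {len(e['queue_ids'])} message(s)")
    print("local services not listening:", local_services_down(result))
```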



Re: [CentOS] Which is better? Microsoft Exchange 2016 or Linux-based SMTP Servers?

2018-07-28 Thread Alexander Dalloz

Am 28.07.2018 um 00:09 schrieb Gordon Messmer:
Personally, I use SOGo (which also supports EAS).  It didn't get many 
mentions in the this thread, which is unfortunate because it's *really* 
good.


Please pay attention that you will have to pay extra for ActiveSync to 
Microsoft as SOGo does not cover that. Expressively documented by the 
project.


Alexander



Re: [CentOS] Problem with definition of slist in CFEngine

2018-07-26 Thread Alexander Dalloz

Am 26.07.2018 um 17:11 schrieb Meikel:

# uname -a ; cat /etc/redhat-release
Linux policyhub.example.com 3.10.0-693.el7.x86_64 #1 SMP Tue Aug 22 
21:09:27 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

CentOS Linux release 7.4.1708 (Core)


Any really good reason not to update since nearly 1 year?

Alexander



Re: [CentOS] Mail has quit working

2018-07-24 Thread Alexander Dalloz

Am 24.07.2018 um 21:07 schrieb TE Dukes:

Output from tail:

  


Jul 24 10:05:02 ts130 clamd[3226]: SelfCheck: Database status OK.
Jul 24 10:15:02 ts130 clamd[3226]: SelfCheck: Database status OK.
Jul 24 10:25:02 ts130 clamd[3226]: SelfCheck: Database status OK.
Jul 24 10:35:02 ts130 clamd[3226]: SelfCheck: Database status OK.
Jul 24 10:35:59 ts130 postfix/qmgr[8283]: C33128410546: from=<
  r...@ts130.palmettodomains.com>,
size=949, nrcpt=1 (queue active)
Jul 24 10:36:29 ts130 postfix/smtp[19763]: connect to
  paalmettodomains.com[198.105.254.65]:25:
Connection timed out
Jul 24 10:36:59 ts130 postfix/smtp[19763]: connect to
  paalmettodomains.com[104.239.198.84]:25:
Connection timed out


That looks totally broken: 
Where does that come from? An HTTP address has no valid function in 
SMTP communication.

Even the domain seems to be a typo.


Jul 24 10:36:59 ts130 postfix/smtp[19763]: C33128410546: to=<
  tdu...@paalmettodomains.com>,
relay=none, delay=13075, delays=13015/0.02/60/0, dsn=4.4.1, status=deferred
(connect to
paalmettodomains.com[104.239.198.84]:25: Connection timed out)
Jul 24 10:45:02 ts130 clamd[3226]: SelfCheck: Database status OK.
Jul 24 10:55:02 ts130 clamd[3226]: SelfCheck: Database status OK.
Jul 24 11:04:19 ts130 postfix/pickup[19912]: 55271840D734: uid=0 from=
Jul 24 11:04:19 ts130 postfix/cleanup[21840]: 55271840D734: message-id=<

20180724150419.55271840d...@ts130.palmettodomains.com>
Jul 24 11:04:19 ts130 postfix/qmgr[8283]: 55271840D734: from=<
  r...@ts130.palmettodomains.com>,
size=466, nrcpt=1 (queue active)


mailto:r...@ts130.palmettodomains.com  <- What is the purpose to send 
yourself a mail locally? Did you even specify a valid, fully qualified 
recipient address?



Jul 24 11:04:20 ts130 postfix/smtpd[21846]: connect from
localhost[127.0.0.1]
Jul 24 11:04:20 ts130 postfix/smtpd[21846]: 49161841ED92:
client=localhost[127.0.0.1]
Jul 24 11:04:20 ts130 postfix/cleanup[21840]: 49161841ED92: message-id=<

20180724150419.55271840d...@ts130.palmettodomains.com>
Jul 24 11:04:20 ts130 postfix/qmgr[8283]: 49161841ED92: from=<
  r...@ts130.palmettodomains.com>,
size=951, nrcpt=1 (queue active)
Jul 24 11:04:20 ts130 postfix/smtpd[21846]: disconnect from
localhost[127.0.0.1]
Jul 24 11:04:20 ts130 amavis[423]: (00423-03) Passed CLEAN {RelayedInbound},
[127.0.0.1] <
r...@ts130.palmettodomains.com> -> < 
tdu...@palmettodomains.com>, Message-ID: <

20180724150419.55271840d...@ts130.palmettodomains.com>, mail_id:
eYD2cL7fZ7rY, Hits: -0.001, size: 466, queued_as: 49161841ED92, 941 ms
Jul 24 11:04:20 ts130 postfix/smtp[21842]: 55271840D734: to=<
  tdu...@palmettodomains.com>,
relay=127.0.0.1[127.0.0.1]:10024, delay=1, delays=0.07/0.01/0/0.94,
dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250
2.0.0 Ok: queued as 49161841ED92)
Jul 24 11:04:20 ts130 postfix/qmgr[8283]: 55271840D734: removed
Jul 24 11:04:20 ts130 dovecot: lda(tdukes): msgid=<

20180724150419.55271840d...@ts130.palmettodomains.com>: saved mail to INBOX
Jul 24 11:04:20 ts130 postfix/local[21847]: 49161841ED92: to=<
  tdu...@palmettodomains.com>,
relay=local, delay=0.09, delays=0.02/0.01/0/0.06, dsn=2.0.0, status=sent
(delivered to command: /usr/libexec/dovecot/dovecot-lda -f "$SENDER" -a
"$RECIPIENT")
Jul 24 11:04:20 ts130 postfix/qmgr[8283]: 49161841ED92: removed


Mail got delivered locally after passing amavis at the mailbox 
tdu...@palmettodomains.com.


Alexander


Re: [CentOS] Is there any way I can deploy cPanel web hosting control panel with Microsoft Exchange 2016 groupware behind one static public IP?

2018-07-20 Thread Alexander Dalloz

Am 20.07.2018 um 19:18 schrieb Turritopsis Dohrnii Teo En Ming:

Dear Richard Grainger,


I am grateful for your reply and guidance.


After reading the following article at nginx.com, I realize that I should use a 
reverse proxy instead of a load balancer.


Article: WHAT IS A REVERSE PROXY VS. LOAD BALANCER?

Link: https://www.nginx.com/resources/glossary/reverse-proxy-vs-load-balancer/


Presently, I am using pfSense community edition firewall. Can I install the 
Squid package and use it as a reverse proxy? Where can I find good installation 
and configuration guides on this topic?


Based on what you have mentioned, it seems that reverse proxy can only be used 
for HTTP and HTTPS protocols.


Can I use reverse proxy for DNS, IMAP, IMAP/S, POP3, POP3/S, SMTP and SMTP/s as 
well?


So requests for domain1.com goes to all services/protocols in cPanel. And 
requests for domain2.com goes to all services/protocols in Exchange 2016.


Is that possible? Please advise.


Thank you very much.


Hello,

you are asking about solutions which have not much if even anything to 
do with CentOS and the purpose of this mailing list. While it is good 
that you want to learn you may better contact people near you to discuss 
things like pfSense and cPanel and Exchange or hire a consultant.


Alexander



Re: [CentOS] Clamd issues on Centos 6.10

2018-07-16 Thread Alexander Dalloz

Am 16.07.2018 um 19:42 schrieb Walter H.:

On 15.07.2018 00:13, Jay Hart wrote:

Clamd failed to start.

try removing it  (yum remove ...) reboot and then reinstall it again 
(yum install ...)?


Seriously, this is not Windows.

Alexander



Re: [CentOS] Clamd issues on Centos 6.10

2018-07-15 Thread Alexander Dalloz

Am 15.07.2018 um 22:41 schrieb Jay Hart:

I enabled libclamav logging in freshclam hoping it would shed some light on 
what may be going on:
ClamAV update process started at Sun Jul 15 16:27:39 2018
Using IPv6 aware code
Querying current.cvd.clamav.net
TTL: 611
Software version from DNS: 0.100.1
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.100.0 Recommended version: 0.100.1
DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
Retrieving http://db.local.clamav.net/main.cvd
Trying to download http://db.local.clamav.net/main.cvd (IP: 104.16.189.138)
Downloading main.cvd [100%]
LibClamAV debug: Initialized 0.100.0 engine
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = 57462fd73f1cfdb356b9dca66da2b732
LibClamAV debug: cli_versig: Decoded signature: 57462fd73f1cfdb356b9dca66da2b732
LibClamAV debug: cli_versig: Digital signature is correct.
LibClamAV debug: in cli_tgzload()
LibClamAV debug: in cli_tgzload_cleanup()
WARNING: [LibClamAV] cli_cvdload: Corrupted CVD header
LibClamAV debug: Cleaning up phishcheck
LibClamAV debug: Phishcheck cleaned up
ERROR: Verification: Malformed database
Querying main.0.91.0.0.6810BD8A.ping.clamav.net
Giving up on db.local.clamav.net...
Update failed. Your network may be down or none of the mirrors listed in /etc/freshclam.conf is
working. Check https://www.clamav.net/documents/official-mirror-faq for possible reasons.

Is this of any help?

Thanks in advance,

Jay


Jay,

it is your 32-bit CentOS 6. I am running 64-bit and don't have that 
issue. Please see


https://bugzilla.redhat.com/show_bug.cgi?id=1600458

Alexander




Re: [CentOS] Clamd issues on Centos 6.10

2018-07-15 Thread Alexander Dalloz

Am 15.07.2018 um 04:39 schrieb Jay Hart:

Libraries: do they look ok

[root@centos clamav]# ldd $(which freshclam)
linux-gate.so.1 =>  (0x00529000)
libclamav.so.7 => /usr/lib/libclamav.so.7 (0x00bc5000)
libxml2.so.2 => /usr/lib/libxml2.so.2 (0x00124000)
libbz2.so.1 => /lib/libbz2.so.1 (0x04906000)
libssl.so.10 => /usr/lib/libssl.so.10 (0x047fa000)
libcrypto.so.10 => /usr/lib/libcrypto.so.10 (0x03d52000)
libjson-c.so.2 => /lib/libjson-c.so.2 (0x03d42000)
libpcre.so.0 => /lib/libpcre.so.0 (0x00736000)
libm.so.6 => /lib/libm.so.6 (0x0027)
libclammspack.so.0 => /usr/lib/libclammspack.so.0 (0x0090)
libdl.so.2 => /lib/libdl.so.2 (0x007ad000)
libz.so.1 => /lib/libz.so.1 (0x00574000)
libresolv.so.2 => /lib/libresolv.so.2 (0x00422000)
libpthread.so.0 => /lib/libpthread.so.0 (0x005f6000)
libc.so.6 => /lib/libc.so.6 (0x00916000)
libgssapi_krb5.so.2 => /lib/libgssapi_krb5.so.2 (0x0466b000)
libkrb5.so.3 => /lib/libkrb5.so.3 (0x0454b000)
libcom_err.so.2 => /lib/libcom_err.so.2 (0x00ed2000)
libk5crypto.so.3 => /lib/libk5crypto.so.3 (0x044f5000)
/lib/ld-linux.so.2 (0x8001b000)
libkrb5support.so.0 => /lib/libkrb5support.so.0 (0x0033d000)
libkeyutils.so.1 => /lib/libkeyutils.so.1 (0x00337000)
libselinux.so.1 => /lib/libselinux.so.1 (0x0058a000)


Jay,

please don't top-post and trim your quotes.

]# ldd $(which freshclam)
linux-vdso.so.1 =>  (0x7ffd7e4f4000)
libclamav.so.7 => /usr/lib64/libclamav.so.7 (0x7fa4d2595000)
libxml2.so.2 => /usr/lib64/libxml2.so.2 (0x7fa4d2242000)
libbz2.so.1 => /lib64/libbz2.so.1 (0x7fa4d203)
libssl.so.10 => /usr/lib64/libssl.so.10 (0x7fa4d1dc4000)
libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x7fa4d19df000)
libjson-c.so.2 => /lib64/libjson-c.so.2 (0x7fa4d17d4000)
libpcre.so.0 => /lib64/libpcre.so.0 (0x7fa4d15a7000)
libm.so.6 => /lib64/libm.so.6 (0x7fa4d1323000)
libclammspack.so.0 => /usr/lib64/libclammspack.so.0 
(0x7fa4d110e000)

libdl.so.2 => /lib64/libdl.so.2 (0x7fa4d0f0a000)
libz.so.1 => /lib64/libz.so.1 (0x7fa4d0cf4000)
libresolv.so.2 => /lib64/libresolv.so.2 (0x7fa4d0ad9000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x7fa4d08bc000)
libc.so.6 => /lib64/libc.so.6 (0x7fa4d0528000)
libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 
(0x7fa4d02e3000)

libkrb5.so.3 => /lib64/libkrb5.so.3 (0x7fa4cfffc000)
libcom_err.so.2 => /lib64/libcom_err.so.2 (0x7fa4cfdf8000)
libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x7fa4cfbcb000)
/lib64/ld-linux-x86-64.so.2 (0x5573de59f000)
libkrb5support.so.0 => /lib64/libkrb5support.so.0 
(0x7fa4cf9c)

libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x7fa4cf7bc000)
libselinux.so.1 => /lib64/libselinux.so.1 (0x7fa4cf59d000)

Do other applications fail too? Do you have a network connectivity issue?

Alexander


Re: [CentOS] Clamd issues on Centos 6.10

2018-07-14 Thread Alexander Dalloz

Am 15.07.2018 um 00:13 schrieb Jay Hart:

ClamAV update process started at Sat Jul 14 15:10:48 2018
Using IPv6 aware code
Querying current.cvd.clamav.net
TTL: 1232
Software version from DNS: 0.100.1
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.100.0 Recommended version: 0.100.1
DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
Retrieving http://db.local.clamav.net/main.cvd
Trying to download http://db.local.clamav.net/main.cvd (IP: 104.16.189.138)
Downloading main.cvd [100%]
WARNING: [LibClamAV] cli_cvdload: Corrupted CVD header
ERROR: Verification: Malformed database
Querying main.0.91.0.0.6810BD8A.ping.clamav.net
Giving up on db.local.clamav.net...
Update failed. Your network may be down or none of the mirrors listed in /etc/freshclam.conf is
working. Check https://www.clamav.net/documents/official-mirror-faq for possible reasons.
END Freshclam -v command-

My 0.100.0 version is currently supported, so I know that is not the issue. I 
tried deleting the mirrors.dat file and re-running freshclam (did not reboot 
the box between file deletion and command line execution), no effect...

Also, I have the default mirror location in freshclam.conf, which seems to be 
fine considering it's been like this for years. I tried to locate the 
'country code' parameter but gave that up after I got a headache looking over 
the documentation.  I don't think it's relevant to this issue anyway.

I'm stuck on how to fix this. Nothing on the web shows what resolution is, nor 
how to fix it.

Seems like I can get and receive emails, but I have no idea if they are being 
properly scanned.

Thanks in advance,

Jay


The main.cvd you are downloading looks to be corrupted.

No such issue here. I have set in /etc/freshclam.conf

DatabaseMirror db.nl.clamav.net

# freshclam -v
Current working dir is /var/lib/clamav
Max retries == 3
ClamAV update process started at Sun Jul 15 01:39:31 2018
Using IPv6 aware code
Querying current.cvd.clamav.net
TTL: 143
Software version from DNS: 0.100.1
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.100.0 Recommended version: 0.100.1
DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
main.cvd version from DNS: 58
main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, 
builder: sigmgr)

daily.cvd version from DNS: 24753
Retrieving http://db.nl.clamav.net/daily-24751.cdiff
Trying to download http://db.nl.clamav.net/daily-24751.cdiff (IP: 
2400:cb00:2048:1::6810:b98a)

Downloading daily-24751.cdiff [100%]
cdiff_apply: Parsed 289 lines and executed 289 commands
Retrieving http://db.nl.clamav.net/daily-24752.cdiff
Trying to download http://db.nl.clamav.net/daily-24752.cdiff (IP: 
2400:cb00:2048:1::6810:b98a)

Downloading daily-24752.cdiff [100%]
cdiff_apply: Parsed 264 lines and executed 264 commands
Retrieving http://db.nl.clamav.net/daily-24753.cdiff
Trying to download http://db.nl.clamav.net/daily-24753.cdiff (IP: 
2400:cb00:2048:1::6810:b98a)

Downloading daily-24753.cdiff [100%]
cdiff_apply: Parsed 264 lines and executed 264 commands
Loading signatures from daily.cld
Properly loaded 2013647 signatures from new daily.cld
daily.cld updated (version: 24753, sigs: 2013647, f-level: 63, builder: neo)
Querying daily.24753.91.1.0.2400cb00204800016810b98a.ping.clamav.net
bytecode.cvd version from DNS: 324
bytecode.cld is up to date (version: 324, sigs: 89, f-level: 63, 
builder: neo)
Database updated (6579985 signatures) from db.nl.clamav.net (IP: 
2400:cb00:2048:1::6810:b98a)


Alexander


Re: [CentOS] two 2-node clusters or one 4-node cluster?

2018-07-05 Thread Alexander Dalloz

Am 05.07.2018 um 17:27 schrieb Gianluca Cecchi:

Hello,
I'm planning migration of current two clusters based on CentOS 6.x with
Cman/Rgmanager going to CentOS 7.x and Corosync/Pacemaker.

As the clusters and their services are on the same subnet, and there no
particular security concerns differentiating them, I'm also evaluating the
option to transform the two clusters into a unique 4-node one during the
upgrade.

Currently I'm testing a virtual 4-node CentOS 7.4 cluster inside oVirt 4.2
and things seem to behave well.

Before going further in deep with tests and so on, I'd like to check with
the community about how many CentOS 7.x clusters composed by more than two
nodes are in place and what are the feedbacks on them in terms of
incremented latency/communication, ecc scaling out.

Also general feedback related to CentOS 6 and scalability of cluster nodes
number is welcome.

Thanks in advance,
Gianluca


From my point of view such classical cluster setups are so 2000s. 
Outdated by modern infrastructure concepts you see implemented in 
Kubernetes, OpenShift or cloud solutions in general. It's commonly 
summarized in the phrase "pets versus cattle". You don't want clusters 
to be treated as pets. Has always been difficult to maintain.


Obviously I don't know what you run on your old cluster and whether you 
can migrate to a modern setup instead of replicating it on a current 
major release. You didn't give us details.


Alexander




Re: [CentOS] Centos 7 (using iptables) removed firewalld

2018-06-01 Thread Alexander Dalloz

Am 01.06.2018 um 18:41 schrieb Alexander Dalloz:

[ ... ]


Steve,

you are right on this list with questions concerning CentOS 7. It is 
just the (repeated) formatting of your postings which makes it hard to 
reply with helpful on-topic answers. Just see yourself what you have 
sent so far:


https://lists.centos.org/pipermail/centos/2018-June/169029.html


Sorry, the first link should have been your initial posting

https://lists.centos.org/pipermail/centos/2018-June/169023.html


https://lists.centos.org/pipermail/centos/2018-June/169027.html
https://lists.centos.org/pipermail/centos/2018-June/169029.html


[ ... ]


Regards
Alexander





Re: [CentOS] Centos 7 (using iptables) removed firewalld

2018-06-01 Thread Alexander Dalloz

Am 01.06.2018 um 17:24 schrieb Steve Frazier:

I assumed this was a Centos 7 mailing list and I was looking for help with 
IPTABLEs. I have used mailing lists before.  Copying a file to an email address 
didn't have that type of output.  I apologize.
First of all is this a Centos 7 Mailing list that I can ask for help or have I 
made a huge mistake?  If so, should I just attach the file to the email.


Steve,

you are right on this list with questions concerning CentOS 7. It is 
just the (repeated) formatting of your postings which makes it hard to 
reply with helpful on-topic answers. Just see yourself what you have 
sent so far:


https://lists.centos.org/pipermail/centos/2018-June/169029.html
https://lists.centos.org/pipermail/centos/2018-June/169027.html
https://lists.centos.org/pipermail/centos/2018-June/169029.html

Would you be willing yourself to decrypt such messages just to help 
someone else?


And please, as this is a mailing list and as you can see from the 
archive, it is not necessary to quote everything of a previous list 
post. It is a mailing list and doing fine to be threaded, providing a 
history. Quoting everything is just bloating the content. And reverse 
order of content is contrary to usual reading top to bottom.


Try to display your iptables rules for best readability on i.e. 
http://pastebin.centos.org/ with a live time setting of at least 1 week 
to be sure your content can be deciphered.


Regards
Alexander


Re: [CentOS] CentOS 7.5

2018-05-08 Thread Alexander Dalloz

Am 08.05.2018 um 13:46 schrieb Jerry Geis:

Hi All - Just checking on "expected" 7.5 release - I'm guessing its very
close.

On a side note... I played with CR enabled it and did the update, my
/etc/redhat-release still says the old 7.4... I was thinking it would say
something different for CR.

Anyway looking forward to 7.5!

Thanks,

Jerry



The centos-release RPM for 7.5 gets released when the 7.5 release is 
getting published. The CR repo does not have that status. So fully 
expected that /etc/redhat-release still says "CentOS Linux release 
7.4.1708 (Core)".


Alexander



Re: [CentOS] cyrus: socket options

2018-03-16 Thread Alexander Dalloz

Am 16.03.2018 um 13:07 schrieb hw:

[...]
   # lmtp    cmd="lmtpd -a" listen="lmtp:127.0.0.1" prefork=4
   lmtpunix  cmd="lmtpd -a" listen="/var/lib/imap/socket/lmtp" 
prefork=4

[...]


Both definitions are wrong:

1) the lmtp line

man cyrus.conf

listen=
The UNIX or internet socket to listen on. This string field is required 
and takes one of the following forms:


path
[ host : ] port

So listen="lmtp:127.0.0.1" is utter nonsense. It would be 
listen="127.0.0.1:lmtp" if you want to restrict access to localhost.


2) the lmtpunix line

man lmtpd

-a

Preauthorize connections initiated on an internet socket, instead 
of requiring LMTP AUTH. This should only be used for connections coming 
from trusted hosts.


So no pre-auth on the unix socket.

And why do you define a prefork of 4?

Alexander
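
The two points made in this reply, written as a small cyrus.conf audit, as an added example that is not part of the original thread and not Cyrus project code: it checks each service's `listen=` value against the `path` / `[ host : ] port` forms quoted from the man page and flags `lmtpd -a` wherever preauthorization is either pointless or exposed beyond loopback. The sample entries `lmtpany` and `lmtplocal`, the issue texts and all function names are constructed; only IPv4 addresses and host names are handled.

```python
import re

# Constructed SERVICES section; the "lmtp" and "lmtpunix" lines are the
# two quoted in the thread, the rest are made up for comparison.
SAMPLE_CONF = """\
SERVICES {
  imap       cmd="imapd" listen="imap" prefork=0
  # lmtp     cmd="lmtpd" listen="lmtp" prefork=0
  lmtp       cmd="lmtpd -a" listen="lmtp:127.0.0.1" prefork=4
  lmtpunix   cmd="lmtpd -a" listen="/var/lib/imap/socket/lmtp" prefork=4
  lmtpany    cmd="lmtpd -a" listen="lmtp" prefork=0
  lmtplocal  cmd="lmtpd -a" listen="127.0.0.1:lmtp" prefork=0
}
"""

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')          # key="value" or key=value
PORT = re.compile(r"\d{1,5}|[A-Za-z][A-Za-z0-9-]*")    # number or service name
LOOPBACK = re.compile(r"localhost|127(\.\d{1,3}){3}")


def classify_listen(value):
    """Return (kind, host); kind is 'unix', 'inet' or 'invalid'."""
    if value.startswith("/"):
        return "unix", None
    host, _, port = value.rpartition(":")
    if not PORT.fullmatch(port):
        return "invalid", None        # e.g. "lmtp:127.0.0.1": port part is an IP
    return "inet", host               # empty host means all interfaces


def parse_services(text):
    """Yield (name, options) for every uncommented entry with cmd and listen."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, rest = line.partition(" ")
        opts = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
                for m in KV.finditer(rest)}
        if "cmd" in opts and "listen" in opts:
            yield name, opts


def audit(text):
    """Map service name -> list of issues found."""
    findings = {}
    for name, opts in parse_services(text):
        kind, host = classify_listen(opts["listen"])
        argv = opts["cmd"].split()
        preauth = (bool(argv) and argv[0].rsplit("/", 1)[-1] == "lmtpd"
                   and "-a" in argv[1:])
        issues = []
        if kind == "invalid":
            issues.append("listen is neither a path nor [host:]port")
        elif preauth and kind == "unix":
            issues.append("-a is documented for internet sockets, not a UNIX socket")
        elif preauth and not LOOPBACK.fullmatch(host):
            issues.append("-a preauthorizes every client; socket is not bound to loopback")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for service, issues in audit(SAMPLE_CONF).items():
        for issue in issues:
            print(f"{service}: {issue}")
```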



Re: [CentOS] cyrus: socket options

2018-03-16 Thread Alexander Dalloz

Am 16.03.2018 um 13:07 schrieb hw:


Hi,

what are the following messages supposed to tell me and does this 
indicate a problem?



# systemctl status cyrus-imapd
[...]
master[3766]: unable to setsocketopt(IP_TOS): Operation not supported
master[3766]: unable to setsocketopt(IP_TOS): Operation not supported
[...]


That's cyrus-imapd itself failing and has nothing to do with Exim.

Exim says it can not connect to the lmtp socket even when selinux 
doesn´t get in the way.  The configuration looks like this:



cyrus.conf (none of the two options work):

[...]
   # lmtp    cmd="lmtpd -a" listen="lmtp:127.0.0.1" prefork=4
   lmtpunix  cmd="lmtpd -a" listen="/var/lib/imap/socket/lmtp" 
prefork=4

[...]


Providing just a snippet from the complete configuration of cyrus-imapd 
is insufficient.



exim.conf:

[...]
begin transports



# cyrus_ltcp:
#   driver = smtp
#   protocol = lmtp
#   delivery_date_add
#   envelope_to_add
#   return_path_add
#   hosts = localhost
#   allow_localhost

lmtp_socket:
   driver = lmtp
   socket = /var/lib/imap/socket/lmtp
   delivery_date_add
   envelope_to_add
   return_path_add


# ls -la /var/lib/imap/socket/lmtp
srwxrwxrwx. 1 root root 0 Mar 16 12:58 /var/lib/imap/socket/lmtp


I have this working on the old server (which doesn't run Centos) and am 
trying to migrate it to the new one (which runs Centos 7.4).  The 
version of cyrus and sasl are the same on both machines.


So cyrus-imapd and cyrus-sasl are not the ones shipped by CentOS?

What's the problem with Centos that these things don't just work as they 
usually do?


It works on CentOS, I can assure you that.

Alexander




Re: [CentOS] selinux: how to allow access?

2018-03-16 Thread Alexander Dalloz

Am 16.03.2018 um 13:09 schrieb hw:

On 03/16/2018 12:14 PM, Richard Grainger wrote:

Yet again I could not find any documentation explaining how to do basic
things like this :(  Selinux is more like a curse than anything else :(
Why is there not even a good documentation?


More trolling?


Show me a good documentation and/or name good reasons not to disable 
selinux.  Considering how much trouble it gives, there have to be *very* 
good reasons to keep it enabled.


Useful resources for SELinux:

http://wiki.centos.org/HowTos/SELinux

http://wiki.centos.org/TipsAndTricks/SelinuxBooleans

http://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/

http://www.youtube.com/watch?v=bQqX3RWn0Yw

http://opensource.com/business/13/11/selinux-policy-guide

Alexander


Re: [CentOS] Unrar not extracting archive

2018-01-23 Thread Alexander Dalloz

Am 23.01.2018 um 20:23 schrieb H:

I received a rar-archive, probably created on Win10, that I could not extract 
with unrar on CentOS 6.


CentOS does not provide unrar. You must have it from a third party 
repository and we don't know which version of unrar that is.


Alexander



Re: [CentOS] Fwd: httpd24 Package Question

2017-12-19 Thread Alexander Dalloz

Am 20.12.2017 um 00:40 schrieb Tyler Waldo:

Alexander,


These are the only two CVEs from 2016 that I found contained in the RPM
that you referenced.


- add security fix for CVE-2016-5387

- mod_ssl: add security fix for CVE-2016-4979




Tyler Waldo
Information Security Associate
Threat and Vulnerability Management
Mobile: (650) 410-0776


Tyler,

according to https://www-us.apache.org/dist//httpd/CHANGES_2.4 many of 
the CVEs you mentioned were fixed in 2.4.24. So 2.4.25 and 2.4.27 used 
by the SCL RPMs should cover them.


Alexander


Re: [CentOS] Fwd: httpd24 Package Question

2017-12-19 Thread Alexander Dalloz

Am 19.12.2017 um 18:44 schrieb Tyler Waldo:

Hello everybody

I am looking to push out httpd24-httpd-2.4.25-9.el7 to my organization, but
I do not see it as being available on the mirror.centos.org site. I see a
git commit for this package in April and was wondering how long it takes an
rpm to become available once the commit has been completed.


http://mirror.centos.org/centos/7/sclo/x86_64/rh/httpd24/

https://www.softwarecollections.org/en/scls/rhscl/httpd24/


Also, I don't see the following CVEs addressed in any httpd24 changelogs
and wanted to know if they were ever planning on being addressed in an
httpd24 rpm?


- CVE-2016-0736
- CVE-2016-2161
- CVE-2016-8743
- CVE-2016-1546
- CVE-2016-8740


Latest version is 
http://mirror.centos.org/centos/7/sclo/x86_64/rh/httpd24/httpd24-httpd-2.4.27-8.el7.x86_64.rpm


I haven't checked whether it has fixes for the named CVEs.


Thanks,

Tyler


Alexander


Re: [CentOS] Maria 10 breaks unixodbc mysql connector

2017-10-30 Thread Alexander Dalloz

Am 30.10.2017 um 20:22 schrieb John Harragin:

I recently installed mariadb-server 10.1 by adding the following repository:

baseurl = http://yum.mariadb.org/10.1/centos7-amd64


[ ... ]


I could reinstall mariadb-server, add a symlink and it would probably work,
but I thought it would be better to post and hopefully the maintainer of
whichever package (unixodbc, maria, mysql-connector...) should be
addressed, could be alerted to this issue in the event that it could (or
should) be fixed on a package level.

John


CentOS cannot fix packages from yum.mariadb.org.

But the cloud SIG has built newer mariadb packages:

https://cbs.centos.org/koji/packageinfo?packageID=434

You can install them via yum too by the cloud repo.

http://mirror.centos.org/centos-7/7/cloud/x86_64/openstack-ocata/common/

Alexander




Re: [CentOS] systemctl reboot -- server not accessible after reboot

2017-10-14 Thread Alexander Dalloz

Am 14.10.2017 um 19:54 schrieb Mike:

Hi,

Such a simple problem, but I can't figure out the cause.
Supermicro server with a Xeon E3-1200 cpu.
1U entry level item.

Using CentOS 7


The version is a bit imprecise. Are you fully updated?
On 7.3 and 7.4 I haven't seen that issue.


from ~$root --- systemctl reboot

Server disconnects my ssh connection and never comes back up.
Go to the server and the power is on but the server is not accessible by ssh.
When I connect a monitor and keyboard --- non-responsive.  It's like
it's in suspend mode.

I push and hold the power button until the server fully powers down.
Push power again and everything boots, goes to prompt, and all is well.

When I try systemctl reboot directly on the server.
Same problem --- does not start to login prompt.

Manually power down and power up again --- works and all is well.

Anyone have this problem before?
I've checked all the BIOS options and I can't find anything misconfigured.

Thanks for your help.

Mike


https://bugzilla.redhat.com/show_bug.cgi?id=1047614

Does that fit?

Alexander




Re: [CentOS] how to prevent files and directories from being deleted?

2017-10-09 Thread Alexander Dalloz

Am 09.10.2017 um 17:54 schrieb Jonathan Billings:

I think that the important learning points today are:

1.) CentOS7 (and any other distro that uses systemd) will have /run as
a tmpfs filesystem, and /var/run points to /run on CentOS7, so even if
you think this disagrees with the FHS, that's the way it is for
CentOS.


And fun fact: not only RHEL 7 and thus CentOS 7 does so, but also Debian 
9 and Ubuntu 16.04 LTS (I have no newer test install of that distro).


And frankly speaking, I don't see any indication that this violates 
the FHS and that /var/run must persist across reboots.


Can we please end this stupid discussion? Enough arguments have been 
exchanged to make clear that packages are broken if they ignore the fact 
that /var/run content is ephemeral.


Alexander


Re: [CentOS] how to prevent files and directories from being deleted?

2017-10-01 Thread Alexander Dalloz

Am 01.10.2017 um 17:21 schrieb hw:

Hi,

how can I prevent files/directories like /var/run/mariadb from being
deleted on reboot?  Lighttpd has the same problem.

This breaks services and makes servers non-restartable by anyone else
but the administrator who needs to re-create the needed files and
directories every time and has to figure out what selinux labels they
need.  This causes unnecessary downtimes.

This is entirely unacceptable.  This totally sucks.


See

https://developers.redhat.com/blog/2016/09/20/managing-temporary-files-with-systemd-tmpfiles-on-rhel7/

how to manage tmpfiles.

Curious, how did you install MariaDB that you have such a problem? The 
package shipping with CentOS does not create such issue.


Alexander




Re: [CentOS] login case sensitivity

2017-09-07 Thread Alexander Dalloz

Am 07.09.2017 um 20:07 schrieb hw:

Gordon Messmer wrote:

On 09/07/2017 08:11 AM, Stephen John Smoogen wrote:

This was always
problematic because DNS hostnames and email addresses in the RFC
standards were case insensitive



Not quite.  SMTP is required to treat the "local-part" of the RCPT 
argument as case-sensitive, and to preserve case when relaying mail.  
The destination is allowed to treat addresses according to local 
policy, but in general SMTP is case sensitive with regard to the user 
identifier.


Last time I checked, RFCs said that local parts *should not* be case sensitive,
and cyrus defaulted to treat them case sensitive, which is a default that usually
needs to be changed because senders of messages tend to not pay any attention to
the case sensitiveness of recipient addresses at all, which then confuses them like
any other error.


The relevant part from the RFC:

https://www.ietf.org/rfc/rfc5321.txt

2.4.  General Syntax Principles and Transaction Model

   Verbs and argument values (e.g., "TO:" or "to:" in the RCPT command
   and extension name keywords) are not case sensitive, with the sole
   exception in this specification of a mailbox local-part (SMTP
   Extensions may explicitly specify case-sensitive elements).  That is,
   a command verb, an argument value other than a mailbox local-part,
   and free form text MAY be encoded in upper case, lower case, or any
   mixture of upper and lower case with no impact on its meaning.  The
   local-part of a mailbox MUST BE treated as case sensitive.
   Therefore, SMTP implementations MUST take care to preserve the case
   of mailbox local-parts.  In particular, for some hosts, the user
   "smith" is different from the user "Smith".  However, exploiting the
   case sensitivity of mailbox local-parts impedes interoperability and
   is discouraged.  Mailbox domains follow normal DNS rules and are
   hence not case sensitive.

Alexander
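
The rule in the quoted RFC paragraph, written out as an added example that is not part of the original message: mailboxes are compared with the local-part kept as is and the domain folded to lower case, and a second helper lists addresses that are distinct under that rule but would collapse under a case-insensitive local policy. The function names and the sample addresses are constructed for illustration.

```python
from collections import defaultdict

def split_mailbox(address):
    """Return (local_part, domain); only the domain is case-folded."""
    # Split at the last "@": a quoted local-part may itself contain "@".
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a mailbox: {address!r}")
    return local, domain.lower()

def same_mailbox(a, b):
    """Comparison as RFC 5321 section 2.4 requires of SMTP implementations."""
    return split_mailbox(a) == split_mailbox(b)

def case_collisions(addresses):
    """Groups of mailboxes that differ only in the case of the local-part."""
    groups = defaultdict(set)
    for address in addresses:
        local, domain = split_mailbox(address)
        groups[(local.lower(), domain)].add((local, domain))
    return sorted(sorted(f"{local}@{domain}" for local, domain in group)
                  for group in groups.values() if len(group) > 1)

if __name__ == "__main__":
    # Constructed sample addresses.
    sample = ["smith@example.org", "Smith@EXAMPLE.org",
              "smith@Example.org", "jones@example.org"]
    print(same_mailbox(sample[0], sample[2]))   # domains differ in case only
    print(same_mailbox(sample[0], sample[1]))   # local-parts differ in case
    print(case_collisions(sample))
```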


Re: [CentOS] Kernel 4.12 and nVidia Driver

2017-09-05 Thread Alexander Dalloz

Am 05.09.2017 um 06:16 schrieb Eugene Poole:
I tried to move to the latest stable kernel (4.12) so I could take 


"latest stable kernel (4.12)" - that's not a CentOS project kernel. Can 
we guess that you are using the ELrepo kernel-ml?


advantage of my newest custom system (Intel Core I7 6-core; 64 GB RAM; 
MSI nVidia graphics card; 2 - 120 GB SSD; 2 - 4TB WD Black) on a UEFI 
Asrock mother board.


I've had the machine for 3-months but I couldn't get it to work until I 
found out that the Nouveau driver was causing me all the 'hardware' 
issues. I moved to the nVidia driver along with DKMS and all of my 
issues went away until I attempted to upgrade kernel 4.12 ...


It seems that DKMS doesn't automatically upgrade when the kernel is 
upgraded.  Will this issue go away if I change my graphics card to a AMD?


A bit dated, but it holds basic info about DKMS

https://wiki.centos.org/HowTos/BuildingKernelModules#head-d313bd351f90d4f25a2143b7bbcff73f927731f0

Instead of using DKMS, the kmod-nvidia driver from ELrepo does not fit 
for your graphics card? Or any of the other kmod-nvidia* kernel module 
packages from there?


https://elrepo.org/tiki/kmod-nvidia

Alexander





Re: [CentOS] selinux denial of cgi script with httpd using ssl

2017-09-04 Thread Alexander Dalloz

Am 04.09.2017 um 23:49 schrieb Gregory P. Ennis:

Thanks for your help.

I did pick up an additional entry in the audit file :


type=AVC msg=audit(1504561395.709:10196): avc:  denied  { execute } for
pid=19163 comm="/usr/sbin/httpd" name="s.check.cgi" dev="dm-0"
ino=537182029 scontext=system_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file

Unfortunately, I am not sure how the above tells me what is wrong.

Greg


From above log entry you see that the file object denied to execute 
('/var/www/cgi-bin/name.of.script.cgi') has the SELinux context type 
httpd_sys_content_t.


# semanage fcontext -l | grep '/var/www/cgi-bin'
/var/www/cgi-bin(/.*)? all files 
system_u:object_r:httpd_sys_script_exec_t:s0

[ ... ]

The permitted type is httpd_sys_script_exec_t.

`restorecon -Rv /var/www/cgi-bin/' can fix it. Or more targeted
`chcon -t httpd_sys_script_exec_t /var/www/cgi-bin/name.of.script.cgi'.


Both audit2why and audit2allow suggest to activate a boolean which you 
may not want to set as it disables a more fine grained privilege 
separation in the context of httpd actions.


Alexander
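
The reading of the denial described above can be scripted. This is an added example, not part of the original message: it parses the AVC record from the post, extracts the source and target types, and compares the target type with what a `semanage fcontext -l` listing assigns to the path. Assumptions: the script lives at /var/www/cgi-bin/s.check.cgi, the second listing line is constructed, and rule precedence is reduced to "longest matching pattern wins".

```python
import re

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)", re.S)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(record):
    """Turn one AVC denial record into a dict of its fields."""
    m = AVC_RE.search(record)
    if m is None:
        raise ValueError("not an AVC denial record")
    fields = {key: value.strip('"') for key, value in KV_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    return fields

def context_type(context):
    """user:role:type:level -> type"""
    return context.split(":")[2]

def expected_type(path, semanage_listing):
    """Type the file-context rules assign to path, or None if no rule matches.
    Simplification: the longest matching pattern wins."""
    best = None
    for line in semanage_listing.strip().splitlines():
        cols = line.split()
        pattern, context = cols[0], cols[-1]
        if context.count(":") >= 3 and re.fullmatch(pattern, path):
            if best is None or len(pattern) > len(best[0]):
                best = (pattern, context)
    return context_type(best[1]) if best else None

def diagnose(record, path, semanage_listing):
    """Compare the label in the denial with the label the policy expects."""
    avc = parse_avc(record)
    actual, wanted = context_type(avc["tcontext"]), expected_type(path, semanage_listing)
    return {"perms": avc["perms"], "source": context_type(avc["scontext"]),
            "actual": actual, "expected": wanted,
            "fix": f"restorecon -v {path}" if wanted and wanted != actual else None}

# The denial from the post, joined onto one line.
RECORD = ('type=AVC msg=audit(1504561395.709:10196): avc:  denied  { execute } for '
          'pid=19163 comm="/usr/sbin/httpd" name="s.check.cgi" dev="dm-0" '
          'ino=537182029 scontext=system_u:system_r:httpd_t:s0 '
          'tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file')
# First line as shown in the reply; the second line is constructed.
LISTING = """
/var/www/cgi-bin(/.*)?   all files   system_u:object_r:httpd_sys_script_exec_t:s0
/var/www(/.*)?           all files   system_u:object_r:httpd_sys_content_t:s0
"""

if __name__ == "__main__":
    print(diagnose(RECORD, "/var/www/cgi-bin/s.check.cgi", LISTING))
```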



Re: [CentOS] Syncronize systemctl status with reality?

2017-08-29 Thread Alexander Dalloz

Am 29.08.2017 um 22:52 schrieb Leroy Tennison:

The AppPreloader is doing things (and probably confusing systemd in the 
process) but I didn't start that, it was a part of the reboot.  I looked at 
/etc/init.d/puppetmaster to see if something strange was being done and it was 
one of the simpler init scripts I've seen, uses start-stop-daemon.

I don't have any control over this, 'systemctl list-unit-files | grep puppet' shows the 
puppetmaster.service is enabled, I just need a "cleanup" solution, any ideas?  
And, BTW, thanks for any feedback.


Remove the Rack Puppet master server.

https://docs.puppet.com/puppet/5.1/passenger.html#install-the-puppet-master-rack-application

Alexander


Re: [CentOS] Centos and CVE-2017-1000117

2017-08-19 Thread Alexander Dalloz

Am 19.08.2017 um 14:45 schrieb Richard:

I've seen the announcement and update(s) for centos-6
(CESA-2017:2485), but I don't find anything for centos-7 yet. It
looks like RH announced them both at about the same time wednesday
and the update for centos-6 came out thursday. Is there some reason
that the update(s) for -7 haven't been pushed out?


Updates for CentOS 7 are held back until the 7.4 update gets released. 
It will start by populating the CR repo.


Alexander



Re: [CentOS] Centos and CVE-2017-1000117

2017-08-16 Thread Alexander Dalloz

Am 16.08.2017 um 16:29 schrieb Herbert Chang:

hi centos community,

as many of you probably have been following along, a few days ago CVE
2017-1000117  was
identified and redhat was prompt to release patches to fedora 25/26.  I
haven't seen any chatter thus far from CentOS, so was wondering if anyone
knew the status of the patches landing in CentOS, and more specifically,
for CentOS 6 and git 1.7.x that's currently latest in the repos.

thanks!
Herbert


Red Hat has a CVE database. For the issue see

https://access.redhat.com/security/cve/cve-2017-1000117

Red Hat just today has released a new git package for RHEL 6 + 7, 
RHSA-2017:2485 and RHSA-2017:2484. The CentOS update packages will for 
sure pop up on the mirrors in near future.


Alexander

