Re: [CentOS] PHP 7.x on CentOS 7 : which solution ?
On 3/15/19 12:51 AM, Nicolas Kovacs wrote:
> Hi,
>
> As you all know, CentOS 7 is shipping PHP 5.4, which is OK in some situations. Unfortunately, some applications like OwnCloud require a more recent version of PHP.
>
> Up until recently, I've been using PHP 5.6 packages from the Webtatic repository. Despite the bad press this third party repo seems to have, it has been working perfectly for me for a few years. Here's the PHP 5.6 packages I have on an OwnCloud server:
>
>     $ rpm -qa | grep php
>     php56w-devel-5.6.40-1.w7.x86_64
>     php56w-pdo-5.6.40-1.w7.x86_64
>     php56w-gd-5.6.40-1.w7.x86_64
>     php56w-mysql-5.6.40-1.w7.x86_64
>     php56w-process-5.6.40-1.w7.x86_64
>     php56w-pear-1.10.4-1.w7.noarch
>     php56w-common-5.6.40-1.w7.x86_64
>     php56w-xml-5.6.40-1.w7.x86_64
>     php56w-pecl-redis-3.1.6-1.w7.x86_64
>     php56w-cli-5.6.40-1.w7.x86_64
>     php56w-mcrypt-5.6.40-1.w7.x86_64
>     php56w-mbstring-5.6.40-1.w7.x86_64
>     php56w-pecl-igbinary-2.0.5-1.w7.x86_64
>     php56w-pecl-apcu-4.0.11-2.w7.x86_64
>     php56w-intl-5.6.40-1.w7.x86_64
>     php56w-5.6.40-1.w7.x86_64
>     php56w-soap-5.6.40-1.w7.x86_64
>
> Now I'll have to upgrade these to some version of PHP 7. So I googled "php 7 centos 7" and found quite a wealth of - sometimes contradictory - information.
>
> 1. The "recommended" way of doing things seems to be the Red Hat Software Collections. Correct me if I'm wrong. I wonder if this way of doing things will enable me to get all the PHP modules listed above.
>
> 2. The use of Webtatic seems to be frowned upon. I still have to figure out why, since this repository has always worked perfectly for me.
>
> 3. Then there's another repository managed by Remi Collet. Any thoughts on that?
>
> And then there's also the question : which version of PHP 7 should I choose ? On my servers, I'm mainly hosting WordPress, Dolibarr and OwnCloud.
>
> Any suggestions ? I'm no lamer for doing a bit of RTFM, so a pointer to documentation will do. The problem is not so much that there is no information on the subject. It's rather : there's too much.
>
> As we say in France : I'm confused about which saint to send my prayers to.
>
> :o)
>
> Cheers,
> Niki

I package PHP 7.3.x linked against LibreSSL rather than OpenSSL. I also package MariaDB 10.2.x and updated Apache.

Right now there is a yum install issue - you have to manually remove the mariadb libs from 5.x to install. The dependencies are met, yum just can't figure it out.

https://lirelamp.com/

Some of my documentation is a bit out of date, but no one is paying me, so...

I do things differently than "software collections" - my philosophy is to just replace the system provided versions rather than put them in /opt.

I have that philosophy because I prefer to set up a VPS for a purpose and if that purpose is a LAMP stack I don't see the point of keeping the crusty MariaDB / PHP in place so I just replace them with modern versions which largely are modified when needed Fedora spec files. With the exception that I build against LibreSSL instead of against OpenSSL.

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
[CentOS] read permission on rotated logs
When logs (e.g. /var/log/maillog) are rotated (e.g. to /var/log/maillog-YYYYMMDD) is there a way via systemd or whatever to assign read permission to a specific group?

Right now, for example -

    ls -l maillog*
    -rw------- 1 root root 3105240 Mar 13 22:04 maillog
    -rw------- 1 root root 1079031 Feb 24 04:39 maillog-20190224
    -rw------- 1 root root 7237640 Mar  1 12:59 maillog-20190228
    -rw------- 1 root root 1297508 Mar  3 04:21 maillog-20190303
    -rw------- 1 root root 1319371 Mar 10 08:17 maillog-20190310

What I would like -

    ls -l maillog*
    -rw------- 1 root root      3105240 Mar 13 22:04 maillog
    -rw-r----- 1 root somegroup 1079031 Feb 24 04:39 maillog-20190224
    -rw-r----- 1 root somegroup 7237640 Mar  1 12:59 maillog-20190228
    -rw-r----- 1 root somegroup 1297508 Mar  3 04:21 maillog-20190303
    -rw-r----- 1 root somegroup 1319371 Mar 10 08:17 maillog-20190310

That way a user in somegroup could run a script that analyzes the rotated logs w/o needing root privileges.

Obviously I could put a script in /etc/cron.hourly that looks for rotated log files and changes ownership / permission, but I am wondering if there is a "proper" way to configure it via systemd or another utility.
Re: [CentOS] CPAN not working, or is it?
On 3/11/19 1:57 PM, Warren Young wrote:

*snip*

> What is correct is that the CentOS-provided RPMs are often sufficiently outdated that they no longer work with the latest releases that cpanm wants to download by default.

Often I end up downloading a src.rpm from Fedora for perl modules and building that. It means security patches are now my responsibility for it, and sometimes it has other perl module dependencies that I have to do the same thing with first, but it usually works without too much fuss.
Re: [CentOS] Mail Server Guides
On 3/4/19 5:40 AM, Robert Moskowitz wrote:
> On 3/1/19 12:53 PM, Ben Archuleta wrote:
>> Hello All,
>>
>> I need to set up a new mail server to replace an aging CentOS 6.3 mail server. I was wondering what were some of the best guides on the web for Postfix (Maildir), Spamassassin, ClamAV, Dovecot?
>
> I am close to upgrading my mailserver. My current instructions are at:
>
> http://www.htt-consult.com/Centos7-mailserver.html
>
> I need to finish:
>
> SHA256 or SHA512 instead of MD5 for the password (Just need to finish up the roundcube password change script)
>
> dovecotadm backup for the mail and something to backup the mysql
>
> Otherwise my testing has been good.
>
> Of course adding stuff like DKIM, DANE, etc. would be nice.

Note with DKIM - OpenDKIM defaults to 1024-bit RSA but that is no longer recommended and some services no longer consider it valid. 2048-bit RSA is the current recommended.

The problem is that since DKIM keys do not expire, sysadmins got lazy and never bothered to periodically generate new ones, making 1024-bit RSA unsuitable.

Ed25519 is also now available but support for it is not wide-spread yet.
Re: [CentOS] Mail Server Guides
On 3/1/19 9:53 AM, Ben Archuleta wrote:
> Hello All,
>
> I need to set up a new mail server to replace an aging CentOS 6.3 mail server. I was wondering what were some of the best guides on the web for Postfix (Maildir), Spamassassin, ClamAV, Dovecot?

Probably not what you are looking for and it still has bugs, but I just (within last five days) started this project for securing outbound SMTP from a Postfix server, taking DANE, MTA-STS, and STARTTLS Everywhere policies into consideration.

One thing I will note, don't use the Postfix that ships with CentOS 7.x. It was fine when 7.0 shipped, but you really want to be using 3.2 or newer now.
Re: [CentOS] Support for Argon2 for password hashing
The version of libsodium in EPEL supports argon2.

For php you can build the libsodium extension. Also php 7.2+ builds that extension if you specify it at build time using --with-sodium=shared switch.

For dovecot you have to build it against sodium which means building your own packages but it works. At least with modern upstream dovecot.

On 2/13/19 5:18 AM, Robert Moskowitz wrote:
> Is there any information on adding support for Argon2?
>
> I have been working on my new mailserver and this came up in moving from the default MD5 hash to more 'modern' hashes like SHA256 and SHA512.
>
> Then I was pointed to the work behind Argon2, and I see that it is moving through the IRTF cfrg workgroup:
>
> draft-irtf-cfrg-argon2-04.txt
>
> It is a 'purpose built' hash for passwords, with recommendations that new implementations use it.
>
> Of course can't use it if crypt does not support it
>
> thanks
Re: [CentOS] DNSSEC Questions
On 2/12/19 11:49 PM, Paul R. Ganci wrote:
> On 2/12/19 10:55 PM, Alice Wonder wrote:
>> DNSSEC keys do not expire. Signatures do expire. How long a signature is good for depends upon the software generating the signature, some let you specify. ldns I believe defaults to 60 days but I am not sure.
>>
>> The keys are in DNSKEY records that are signed by your Key Signing Key and must be resigned before the signature expires or they will no longer validate.
>>
>> Likewise, the other records in the zone must be resigned by your Zone Signing Key before their signatures expire.
>>
>> It's not the keys that are the issue, but the RRSIG record that contains a start and expiration time for the records. If you upload signed zone files to godaddy, make sure to resign once a week or so so that the RRSIG gets updated.
>>
>> man ldns-signzone
>
> Okay so I misunderstood the message I was getting when I checked my DNSSEC setup via http://dnsviz.net/. What you are telling me is that all I had to do was re-sign the zone files but that it was not necessary to generate new keys. This point is definitely one that I missed.
>
> I too run my own authoritative nameservers. I was following the Digital Ocean procedure to setup DNSSEC:
>
> https://www.digitalocean.com/community/tutorials/how-to-setup-dnssec-on-an-authoritative-bind-dns-server--2
>
> That site suggested the use of dnssec-signzone after key creation ala a command like (the stuff that follows has been sanitized):
>
>     > dnssec-signzone -3 `head -c 1000 /dev/random | sha1sum | cut -b 1-16` -N INCREMENT -o domain.tld -t domain.tld.zone
>
> After resigning with that command a file named dsset-domain.tld. is created which contains 2 digests.
>
>     > cat dsset-domain.tld.
>     domain.tld. IN DS 20716 7 1 04E3E6C87CD4190F74DD0371A14AD5CC42B71521
>     domain.tld. IN DS 20716 7 2 FA6D0EF0100855E5C85C6CD5A33590681DD9D7D9F6C773785C53E865 E02FF572
>
> It is the keytag (20716) and the digests (hex fields) that are supposed to be uploaded to the registrar according to the section entitled "Configure DS records with the registrar" in the Digital Ocean reference I previously mentioned. In my original message it was the uploading of these keytags and digests to Godaddy that I was referring in my point 1 and which seems to be accomplished only manually via the Godaddy web interface.
>
> So doesn't ldns-signzone create the same kind of digest that requires it be uploaded to the registrar? Isn't that essential information in order to tell the .tld that the domain.tld DNSSEC is valid and to maintain the DNSSEC authentication chain trust up to the root servers? You can go to the http://dnsviz.net/ site and can use nurdog.com as an example of what I mean.

The DS record does have to be uploaded to your registrar but it only changes when you change your Key Signing Key, as it is based on your Key Signing Key.

I see you are using algorithm 7 - I would recommend switching to either algorithm 13 or at least to 8. Algorithm 7 uses a SHA1 hash.

See https://tools.ietf.org/html/draft-ietf-dnsop-algorithm-update-04

That's a draft but soon will be an update to the standard.

Algorithm 13 (ECDSAP256SHA256) results in much smaller keys and signatures and is equivalent to about RSA-3072 in strength, and it uses a SHA-256 hash.

However note that changing algorithms will result in validation failure for few days unless done carefully.

> If I do not have to generate the keys every time the RRSIGs expire then the scripting or re-signing the zones is really trivial as I am in full control of my own DNS servers. It is even easier now if I don't have to generate new keys although that really isn't a difficult step.

Yes that is what I do, daily via cron (or whenever I change a record) I resign it and upload.

> So maybe I asked the wrong question. Is there a way to re-sign the zone files without having to recreate the information found in that dsset-domain.tld. file and uploading it to the registrar? I suspect there is no way around that as I believe it is essential to maintaining the chain of trust. But if I can keep everything on my own nameservers that would be a big help ... maybe ldns-signzone is the answer?

As long as you don't change your KSK that information will not change.
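Why re-signing never forces a new upload to the registrar, as an added example that is not part of the original posts: the DS record is computed from the owner name and the KSK's DNSKEY RDATA only (RFC 4034 section 5.1.4 and Appendix B), so no RRSIG data enters into it. The key bytes below are constructed placeholders, not real keys, and algorithm 13 is used as recommended in the reply.

```python
"""Derive the key tag and DS lines from DNSKEY data (RFC 4034 section 5.1.4
and Appendix B). Nothing here reads RRSIG data, which is why re-signing a
zone leaves the DS record held by the registrar untouched."""
import base64
import hashlib
import struct

# DS digest type number -> hash function
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Canonical wire form: lower-cased, length-prefixed labels, root byte."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key_b64):
    """flags: 256 = ZSK, 257 = KSK (SEP bit set); protocol is always 3."""
    key = base64.b64decode(public_key_b64)
    return struct.pack("!HBB", flags, protocol, algorithm) + key


def key_tag(rdata):
    """Key tag checksum from RFC 4034 Appendix B (algorithms other than 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_record(owner, flags, protocol, algorithm, public_key_b64, digest_type=2):
    """One DS line: digest over owner name (wire form) + DNSKEY RDATA."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key_b64)
    digest = DIGEST_TYPES[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return "%s IN DS %d %d %d %s" % (owner, key_tag(rdata), algorithm,
                                     digest_type, digest.upper())


def dsset(owner, dnskeys, digest_types=(1, 2)):
    """DS lines for every key with the SEP flag (the KSK), in the shape of
    the dsset- file quoted above. dnskeys: (flags, protocol, algorithm, b64)."""
    lines = []
    for flags, protocol, algorithm, key_b64 in dnskeys:
        if flags & 0x0001:  # SEP bit set: this key is a KSK
            for digest_type in digest_types:
                lines.append(ds_record(owner, flags, protocol, algorithm,
                                       key_b64, digest_type))
    return lines


# Constructed placeholder keys (64 bytes, the size of an algorithm 13 public
# key). They are not real curve points and must not be used as keys.
KSK_B64 = base64.b64encode(bytes(range(0, 64))).decode()
ZSK_B64 = base64.b64encode(bytes(range(64, 128))).decode()
NEW_ZSK_B64 = base64.b64encode(bytes(range(128, 192))).decode()
NEW_KSK_B64 = base64.b64encode(bytes(range(192, 256))).decode()

if __name__ == "__main__":
    zone = "domain.tld."
    current = dsset(zone, [(257, 3, 13, KSK_B64), (256, 3, 13, ZSK_B64)])
    print("\n".join(current))
    # Rolling the ZSK (or re-signing) does not touch the DS set ...
    zsk_rolled = dsset(zone, [(257, 3, 13, KSK_B64), (256, 3, 13, NEW_ZSK_B64)])
    print("DS changed after ZSK roll:", zsk_rolled != current)
    # ... rolling the KSK does, and that is when the registrar needs an update.
    ksk_rolled = dsset(zone, [(257, 3, 13, NEW_KSK_B64), (256, 3, 13, ZSK_B64)])
    print("DS changed after KSK roll:", ksk_rolled != current)
```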
Re: [CentOS] DNSSEC Questions
On 2/12/19 7:26 PM, Paul R. Ganci wrote:
> Last weekend I had my DNSSEC keys expire. I discovered that they had expired the hard way... namely randomly websites could not be found and email did not get delivered. It seems that the keys were only valid for what I estimate was about 30 days. It is a real PITA to have to update the keys, restart named and then update Godaddy with new digests.

DNSSEC keys do not expire. Signatures do expire. How long a signature is good for depends upon the software generating the signature, some let you specify. ldns I believe defaults to 60 days but I am not sure.

The keys are in DNSKEY records that are signed by your Key Signing Key and must be resigned before the signature expires or they will no longer validate.

Likewise, the other records in the zone must be resigned by your Zone Signing Key before their signatures expire.

> The first part of the problem is fairly manageable in the sense I already have a script that partially can do the job of updating the DNS server. However from what I can tell the only way I can update the DNSSEC of my 8 domains is via the Godaddy control panel GUI. So a couple of questions.
>
> 1.) Is anyone aware of any way to update Godaddy DNSSEC data via a Centos 7 bash shell? I will contact Godaddy but I suspect I am SOL but thought I would ask here thinking somebody else may have already run into this issue.

That I don't know, I use ldns to sign my zone files and upload them to my own authoritative nameserver.

> 2.) Assuming the answer to DNSSEC is no, can I at least have the keys last longer than they do by default. I am presently creating the keys via:
>
>     > dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE zone
>     > dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE zone

It's not the keys that are the issue, but the RRSIG record that contains a start and expiration time for the records. If you upload signed zone files to godaddy, make sure to resign once a week or so so that the RRSIG gets updated.

man ldns-signzone

It has switches for setting the start and expiration date of signatures. By default I believe it uses current timestamp for start and +60 days for end, though it may be +30 days.
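The point made in both DNSSEC messages above, that the RRSIG validity window rather than the key is what runs out, can be checked before resolvers start failing. An added example, not part of the original posts: it parses RRSIG records in zone-file presentation format and reports which signatures are expired or inside a re-sign margin. The zone lines, key tag 4242, the fixed "current" time and the 7-day margin are constructed for illustration.

```python
"""Flag RRSIG records that are expired or close to expiring.

Assumes one record per line in presentation format, as written by a zone
signer:  owner ttl class RRSIG type-covered algorithm labels original-ttl
expiration inception key-tag signer-name signature
"""
from datetime import datetime, timedelta, timezone

# Constructed sample: a signed zone fragment with shortened signatures.
SAMPLE_ZONE = """\
domain.tld. 3600 IN RRSIG SOA 13 2 3600 20190314000000 20190212000000 20716 domain.tld. c2lnMQ==
domain.tld. 3600 IN RRSIG DNSKEY 13 2 3600 20190219000000 20190120000000 4242 domain.tld. c2lnMg==
www.domain.tld. 3600 IN RRSIG A 13 3 3600 20190210000000 20190111000000 20716 domain.tld. c2lnMw==
www.domain.tld. 3600 IN A 192.0.2.10
"""


def parse_sig_time(field):
    """RRSIG times are YYYYMMDDHHmmSS in UTC, or seconds since the epoch."""
    if len(field) == 14:
        parsed = datetime.strptime(field, "%Y%m%d%H%M%S")
        return parsed.replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)


def parse_rrsigs(zone_text):
    """Yield one dict per RRSIG line; every other record type is skipped."""
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop trailing comments
        if "RRSIG" not in fields:
            continue
        rdata = fields[fields.index("RRSIG") + 1:]
        if len(rdata) < 9:
            continue  # multi-line (parenthesised) records are not handled
        yield {
            "owner": fields[0],
            "covered": rdata[0],
            "algorithm": int(rdata[1]),
            "expiration": parse_sig_time(rdata[4]),
            "inception": parse_sig_time(rdata[5]),
            "key_tag": int(rdata[6]),
        }


def classify(sig, now, margin):
    """Place 'now' relative to the signature's validity window."""
    if now < sig["inception"]:
        return "not-yet-valid"
    if now >= sig["expiration"]:
        return "expired"
    if sig["expiration"] - now <= margin:
        return "resign-now"
    return "ok"


def audit(zone_text, now, margin=timedelta(days=7)):
    """Return (owner, covered type, key tag, status, days left) per RRSIG."""
    report = []
    for sig in parse_rrsigs(zone_text):
        days_left = (sig["expiration"] - now) / timedelta(days=1)
        report.append((sig["owner"], sig["covered"], sig["key_tag"],
                       classify(sig, now, margin), round(days_left, 1)))
    return report


if __name__ == "__main__":
    # Constructed "current" time so the sample output is reproducible.
    now = datetime(2019, 2, 13, tzinfo=timezone.utc)
    for row in audit(SAMPLE_ZONE, now):
        print("%-16s %-7s tag=%-5d %-13s %6.1f days left" % row)
```

Run from cron against the signed zone file with the real current time, any "resign-now" or "expired" row is the cue to re-sign; the keys and the DS record stay as they are.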
Re: [CentOS] Curl spec file
On 1/23/19 1:55 PM, Roee Agami wrote:
> Hi,
>
> I saw this spec file for curl-7.29:
> https://git.centos.org/blob/rpms!curl.git/c7/SPECS!curl.spec
>
> And was wondering if you have one for a later version. And if not, how hard is it to modify the existing one to support later versions.
>
> Thanks!
> Roee.

http://awel.domblogger.net/7/libre/src/repoview/curl.html

--
For signature trust anchor (paranoid only need worry 'bout this):
https://ca.pipfrosch.com/pipfrosch-cacert-pem.crt
Webmail clients, sorry, out of luck, you can't import it. Get an actual e-mail app.
Re: [CentOS] thunderbird & firefox
On 1/4/19 8:28 AM, mark wrote:
> I *really* dislike the new photon UI. I WANT the arrow buttons top and bottom of the scrollbars. Does anyone know how to bring them back, or is that "that's *sooo* last year, you can't ever have them again"?
>
> mark

Switch to Mate and they are there.
Re: [CentOS] [Fwd: Centos 7.6 and Aeskulap]
On 12/28/18 6:38 AM, Gregory P. Ennis wrote:

I tried to compile aeskulap on Centos 7.6 by using the commands ./configure followed by make which resulted in the following errors :

Attempting to build this way is next to pointless and will likely show you errors completely unrelated to why the package won't properly build.

    make[4]: *** [dimoimg.o] Error 1
    make[4]: Leaving directory `/root/rpmbuild/SOURCES/aeskulap-0.2.2-beta1/dcmtk/dcmimgle/libsrc'
    make[3]: *** [libsrc-all] Error 2
    make[3]: Leaving directory `/root/rpmbuild/SOURCES/aeskulap-0.2.2-beta1/dcmtk/dcmimgle'
    make[2]: *** [dcmimgle-libsrc-all] Error 2
    make[2]: Leaving directory `/root/rpmbuild/SOURCES/aeskulap-0.2.2-beta1/dcmtk'
    make[1]: *** [all-recursive] Error 1
    make[1]: Leaving directory `/root/rpmbuild/SOURCES/aeskulap-0.2.2-beta1'
    make: *** [all] Error 2

...and even if you were building it correctly you completely skipped the actual errors here. What you've shown can't be used in any significant way to help.

I downloaded the source files from :
http://li.nux.ro/download/nux/dextop/el7/SRPMS/aeskulap-0.2.2-0.17beta1.el7.nux.src.rpm

As you've already stated and shown here this is a package from a 3rd-party repo, and as such is not supported by the CentOS project. If Nux can't help you then I suggest you look for the package elsewhere or try to (properly) build it yourself. Unfortunately neither of these options is supported here.

I was going to give it a shot but there are three build dependencies not part of CentOS 7 / EPEL 7

    dcmtk-devel
    gconfmm26-devel
    libglademm24-devel

When that starts to happen, it often results in needing additional dependencies to build those, etc.
Re: [CentOS] [Fwd: Centos 7.6 and Aeskulap]
On 12/27/18 7:53 PM, Gregory P. Ennis wrote:
> Everyone,
>
> Apparently, aeskulap is broken during the upgrade from 7.5 to 7.6, and is no longer available in the epel repos. I had some difficulty having it function, and during the debug process I decided to do a yum remove, but when I tried a yum install to reinstall it, aeskulap was no longer present.
>
> This problem may also affect other modules.
>
> I have placed a bug report :
> https://bugzilla.redhat.com/show_bug.cgi?id=1659667
>
> The deprecation of tcp wrappers may be involved in this
> https://fedoraproject.org/wiki/Changes/Deprecate_TCP_wrappers

tcp_wrappers is still part of CentOS 7 in 7.6.
Re: [CentOS] You removed Weboob package over political reasons? Whole Internet laughs at you
On 12/25/18 4:48 PM, Scott Robbins wrote:
On Mon, Dec 24, 2018 at 01:26:15PM -0500, rj coleman wrote:
On Dec 24, 2018, at 10:42 AM, Alice Wonder wrote:
On 12/24/18 7:21 AM, vsnsdua...@memeware.net wrote:

Debian is not ruled by the men who actually write the software, but instead women.

*snip*

Can we please ban the person who sent that disgusting rant to the list

I was under the impression that it was sarcasm. Whenever something gets posted a or a code of conduct that comes down to don't be a jerk is adapted, there's lots of people who feel their right to be jerks has been infringed. I could easily be wrong but I thought that post was making a about why such codes of conduct become necessary.

Could be, I'm autistic and often completely miss what other people claim was obvious sarcasm. But sometimes what I think they might claim was obvious sarcasm based upon past experience it wasn't.

That's why /sarcasm or other indications really should be used, not all minds work the same and it isn't fair to assume they should.

--
For signature trust anchor (paranoid only need worry 'bout this):
https://ca.pipfrosch.com/pipfrosch-cacert-pem.crt
Webmail clients, sorry, out of luck, you can't import it. Get an actual e-mail app.
Re: [CentOS] You removed Weboob package over political reasons? Whole Internet laughs at you
On 12/24/18 7:21 AM, vsnsdua...@memeware.net wrote:
> Debian is not ruled by the men who actually write the software, but instead women.

*snip*

Can we please ban the person who sent that disgusting rant to the list?
Re: [CentOS] upgrading 7.5 ==> 7.6
On 12/21/18 12:44 PM, Fred Smith wrote:
> On Fri, Dec 21, 2018 at 06:27:45PM +, Liam O'Toole wrote:
>> On 2018-12-19, Fred Smith wrote:
>>
>> [...]
>>
>>> Result: Boots to GDM just fine, but Mate is a black screen. Switching to Gnome, works fine, but I can't stand Gnome.
>>>
>>> Not knowing what else to try I restored the dd backup.
>>
>> This is a known issue, and was mentioned on this list recently. The problem is that Mate in EPEL needs to be updated to work with CentOS 7.6. Perhaps keep an eye on changes to the EPEL repo before attempting the upgrade again.
>
> Thanks, Liam, for the info.
>
> Since it IS working on the netbook I'm hoping that means that whatever needed updating has been updated. So, I compared the versions on my desktop with those on the netbook, and find that mate_dictionary, mate-disk-usage-analyzer, mate-screenshot, mate-search-tool, mate-system-log, mate-system-monitor, mate-utilsk, mate-utils-common all had a minor version bump. Some from 1.16.1-1 to 1.16.1-2, one from 1.16.0-1 to 1.16.0-2.
>
> I know there are other packages that do not contain "mate" in their names, but I don't know which they are.
>
> So, do you (or anyone else) happen to know which Mate packages are/were in need of update?
>
> thanks again, in advance.

Not sure, MATE is working just fine for me, versions range from 1.16.0 to 1.16.3

    yum list |grep "mate" |grep -v "@epel" |grep -v "devel"
    mate-menus-preferences-category-menu.x86_64
    classmate.noarch               1.3.1-2.el7     epel
    classmate-javadoc.noarch       1.3.1-2.el7     epel
    f22-backgrounds-mate.noarch    21.91.0-1.el7   epel
    mate-common.noarch             1.16.0-1.el7    epel
    mate-netspeed.x86_64           1.12.0-1.el7    epel
    mate-sensors-applet.x86_64     1.16.1-1.el7    epel
    mate-themes-extras.noarch      3.14.7-1.el7    epel
    php-league-climate.noarch      3.2.4-1.el7     epel
    workrave-mate.x86_64           1.10.16-1.el7   epel
    xmonad-mate.x86_64             0.11-12.el7     epel

Some of those obviously are not mate packages, but those are the only mate packages I do NOT have installed and it is working, so if mate is not working I wonder if the issue is something other than the packages.
[CentOS] daemon core dump
I have a daemon I can consistently cause a crash on.

https://iangilham.com/2016/12/08/core-dump-from-centos-7.html

Is that the best way (obviously with debug packages installed) to get the core dump or is there a better way?

It is NOT a CentOS/EPEL maintained daemon.
Re: [CentOS] Fedora Server - as an alternative ?
On 12/20/18 5:11 AM, lejeczek via CentOS wrote:
> hi guys
>
> I wonder if any Centosian here have done something different than only contemplated using Fedora Server, actually worked on it in test/production envs.
>
> If here are some folks who have done it I want to ask if you deem it to be a viable option to put it on at least portion of servers stack.
>
> Anybody?
>
> Many thanks, L.

I run CentOS 7 but with an updated server stack, including rebuilds (sometimes with tweaks) of Fedora packages.

Gives me a stable base with modern server software.

Does take some work to get some stuff built.
Re: [CentOS] Can't configure GDM after update to CentOS 7.6
On 12/06/2018 08:10 AM, Nicolas Kovacs wrote:
> On 06/12/2018 at 15:24, James Pearson wrote:
>> I suspect it might be something that has been left out in the rebase to GDM 3.28.1 - an earlier change log for GDM has:
>
> On a side note, I've now spent a day and a half trying to recover my wrecked desktop profiles, with only a partial success.
>
> As it looks now, I'll probably move all my desktop installations to openSUSE Leap 15 and KDE 5 in the near future.
>
> As far as I can tell, rebasing GNOME in the middle of a minor update was not a good idea.
>
> Cheers,
> Niki

They did a similar thing with NetworkManager few releases ago that caused all my servers to start grabbing randomized IPv6 addresses instead of static they previously grabbed.

I don't understand why Red Hat makes these kind of changes in point releases - yet they won't update OpenSSL or PHP or Postfix in a point release.

It's like they use /dev/random to determine where they require API stability between point releases.

--
For signature trust anchor (paranoid only need worry 'bout this):
https://ca.pipfrosch.com/pipfrosch-cacert-pem.crt
Webmail clients, sorry, out of luck, you can't import it. Get an actual e-mail app.
Re: [CentOS] [OT] EPEL update?
On 12/04/2018 09:08 AM, Tony Molloy wrote:
> The same dependency holds for several mate packages. So either hold back on the update until mate is updated or build it yourself are the choices..

Using EPEL-testing also solves the problem in many cases, might also be able to build a temporary compat library package for old version of libgtop until MATE packages are updated.
Re: [CentOS] OT: good free email service ?
On 12/02/2018 06:41 AM, Chris wrote:
> On Sat, 10 Nov 2018 00:22:00 -0800 Alice Wonder wrote:
>> I run my own, using postfix + dovecot + roundcube, but because I can't afford my own subnet - I end up constantly on spam blacklists when someone else on my subnet sends spam.
>
> which blacklists are this?

spamhaus zen
Re: [CentOS] [OT] Where to buy S/MIME ??
On 11/28/2018 07:58 PM, Gordon Messmer wrote:
> On 11/27/18 3:47 PM, Alice Wonder wrote:
>> I actually went for a more complex scenario, I've created my own CA complete with CRL.
>
> OK. That means fewer certificates for your peers to install over time, but is otherwise no better than self-signed.
>
>> It's nice because with S/MIME you really want two certs - one for signing (where ecdsa can be used) and one for when you need to receive encrypted.
>
> IIRC, an S/MIME client should be able to install your public cert and encrypt messages sent to you with no user interaction. With Thunderbird, if I reply to a signed message, I can encrypt the reply. From a usability standpoint, I really want to have just one certificate. The easier it is to send me encrypted messages, the more likely it is that messages will be secure.

A) For one certificate to do both it has to be an RSA cert but the primary use of S/MIME is signing where RSA is excessively bloated compared to ECDSA.

B) Certs for encryption have to have a backup key somewhere so there isn't data loss if I lose the private key, and that key needs to be w/o a pass phrase in case something happens to me and someone else needs access to the encrypted messages. But having such a backup means it isn't safe to use for digital signing because the backup is a theft risk, so signing with that key to prove it is me isn't a great idea.

>> Web browsers are applications that exist for the explicit purpose of downloading and executing untrusted code. It does not seem like that is a very wise environment to use for generating long term cryptography keys. It really doesn't.
>
> On the other hand, if you don't trust your browser's cryptography implementation, you definitely should not be using your browser for secure communication (https).

https is handled by a TLS library outside the browser, which is vastly different than in browser generation of private keys.
Re: [CentOS] [OT] Where to buy S/MIME ??
On 11/27/2018 03:33 PM, Gordon Messmer wrote:
> On 11/25/18 5:35 AM, Alice Wonder wrote:
>> The "free for personal" S/MIME from Comodo didn't work. Browser said it did but there was nothing to export for me to then import. I suspect it is because I used private browser window,
>
> Probably, yes. I've used that service in the past without issue.
>
>> I really don't like the idea of a private key stored in browser anyway. And it never asked for a password to encrypt the private key
>
> Setting a password will protect all of the certificates stored by Firefox. Select: Preferences -> Privacy and Security -> Security Devices (under Certificates) -> Software Security Device -> Change password
>
> Chrome may have a similar option, but I don't see it and I don't see documentation for it.
>
>> nor let me specify key strength (only let me choose between medium and high - I assume high is 4096 but I don't know, it didn't say)
>
> There's very little harm in getting a certificate and examining it to find out. You can destroy it later with no ill effect.

I actually went for a more complex scenario, I've created my own CA complete with CRL. It's nice because with S/MIME you really want two certs - one for signing (where ecdsa can be used) and one for when you need to receive encrypted. And I have multiple e-mail accounts I want to do this with.

Could have done self-signed too but this at least allows me to revoke if a device like laptop or phone w/ private key is stolen.

Does mean those who want to confirm my messages have to import my root key but that's for them to decide.

Web browsers are applications that exist for the explicit purpose of downloading and executing untrusted code. It does not seem like that is a very wise environment to use for generating long term cryptography keys. It really doesn't.
[CentOS] [OT] Where to buy S/MIME ??
Hi, I'm getting increasingly paranoid.

Something I said on a certain social media site several months ago was modified - then reported - then my account was banned until I agreed to delete it. Obviously since what I said was modified I didn't have any issue with deleting it but I want more than just DKIM sigs on my e-mail now.

Anyway looking for S/MIME I can use to sign and/or encrypt but mostly sign. Not interested in GnuPG or self-signed S/MIME - I want something that can be trusted because someone else that is trusted actually vouched for me.

The "free for personal" S/MIME from Comodo didn't work. Browser said it did but there was nothing to export for me to then import. I suspect it is because I used private browser window, I really don't like the idea of a private key stored in browser anyway. And it never asked for a password to encrypt the private key, nor let me specify key strength (only let me choose between medium and high - I assume high is 4096 but I don't know, it didn't say)

Didn't like the "browser generated" process, even if it had worked and generated the final product I could export - I really didn't like the process and have serious questions about the wisdom of a private key without a pass phrase stored in an application that interacts with web sites.

Anyway so used openssl to create private key (with aes-256 encryption and pass phrase) and then a CSR.

But I can't find anyone who sells certs for S/MIME to send the CSR to.

Globalsign but they wanted $89 - no one else. Found a few sites that offered to "send me a quote" that I think were intended for corporate accounts.

Where do regular users who just want an inexpensive certificate usable for S/MIME from a CSR generated the traditional way go to buy a cert?

-=- Off Topic 2

I'm going to strangle whoever it is at Google that thinks it is a good idea to put so many video results at the top of search results for this kind of thing. I'm really getting sick of how highly ranked videos now are in search engines.
Re: [CentOS] NetworkManager and /etc/resolv.conf
On 11/17/2018 07:01 AM, Alice Wonder wrote: On 11/17/2018 06:43 AM, Alice Wonder wrote: CentOS 7.5 image running on linode. unbound running on localhost. Have to use a cron job once a minute to keep /etc/resolv.conf using the localhost for name resolution - whenever NetworkManager gets restarted (usually only a system boot) it gets over-written. It seems every distro has a different way of preventing NetworkManager from replacing that file. I found instructions for Fedora that said create /etc/NetworkManager/conf.d/no-dns.conf containing [main] dns=none That doesn't seem to have any effect. Poking around, I find a file on boot seems to be created called /var/run/NetworkManager/resolv.conf It has most of the contents of what ends up in /etc/resolv.conf - except w/o the last line, which just reads rotate in generated /etc/resolv.conf. It says it's generated by NetworkManager (both /etc/resolv.conf and the one in /var/run/NetworkManager) but neither are specific enough to indicate what is causing them to be created so I can turn it off. Anyone know how to tell NetworkManager to just not create that file? Using a cron job to overwrite it once a minute works but there must be a proper way. I really wish KISS was a design goal when designing system configuration. ___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos Just found this - # cat dhclient-exit-hooks echo 'options rotate' >> /etc/resolv.conf That's where the last line in /etc/resolv.conf is coming from. Okay replacing the contents of dhclient-exit-hooks with echo -e 'nameserver 127.0.0.1\nnameserver ::1' > /etc/resolv.conf seems to do what I need. I hope RHEL/CentOS 8 do networking better, as in, not have spaghetti scripts called here and there making something that should be a config option hard to do. With DNS the only way to trust results is if the zone is signed and local resolver validates. You can't ever trust external nameservers defined by dhcp to validate. 
So there's very valid reasons to want to use local unbound. ___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
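A check for the situation this thread describes, as an added example that is not part of the original posts: it parses the text of /etc/resolv.conf and reports any nameserver that is not a loopback address, plus a reappearing `options rotate` line. The function name and both sample files are constructed for illustration.

```python
import ipaddress


def audit_resolv_conf(text):
    """Return a list of findings; an empty list means every configured
    nameserver is a loopback address (the local validating resolver)."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # resolv.conf comments start with '#' or ';'
        if not line or line[0] in "#;":
            continue
        fields = line.split()
        keyword, args = fields[0], fields[1:]
        if keyword == "nameserver" and args:
            # Drop an IPv6 zone id such as fe80::1%eth0 before parsing.
            addr = args[0].split("%", 1)[0]
            try:
                ip = ipaddress.ip_address(addr)
            except ValueError:
                findings.append(f"line {lineno}: unparsable nameserver {args[0]!r}")
                continue
            if not ip.is_loopback:
                findings.append(f"line {lineno}: non-loopback nameserver {ip}")
        elif keyword == "options" and "rotate" in args:
            # The thread traced this line to dhclient-exit-hooks; seeing it
            # again suggests the hook was restored to its shipped contents.
            findings.append(f"line {lineno}: 'options rotate' present")
    return findings


# Constructed sample: a DHCP-generated file like the one described above.
DHCP_GENERATED = """\
# Generated by NetworkManager
nameserver 192.0.2.53
nameserver 2001:db8::53
options rotate
"""

# Constructed sample: what the replacement hook in the post writes.
LOCAL_ONLY = "nameserver 127.0.0.1\nnameserver ::1\n"

if __name__ == "__main__":
    for name, sample in (("dhcp", DHCP_GENERATED), ("local", LOCAL_ONLY)):
        print(name, audit_resolv_conf(sample) or "OK")
```

Run against the live file from a monitoring job, a non-empty result flags that lookups can bypass the local validating resolver.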
Re: [CentOS] NetworkManager and /etc/resolv.conf
On 11/17/2018 06:43 AM, Alice Wonder wrote:
> CentOS 7.5 image running on linode. unbound running on localhost.
>
> Have to use a cron job once a minute to keep /etc/resolv.conf using the localhost for name resolution - whenever NetworkManager gets restarted (usually only a system boot) it gets over-written.
>
> It seems every distro has a different way of preventing NetworkManager from replacing that file. I found instructions for Fedora that said create /etc/NetworkManager/conf.d/no-dns.conf containing
>
>     [main]
>     dns=none
>
> That doesn't seem to have any effect.
>
> Poking around, I find a file on boot seems to be created called /var/run/NetworkManager/resolv.conf
>
> It has most of the contents of what ends up in /etc/resolv.conf - except w/o the last line, which just reads rotate in generated /etc/resolv.conf. It says it's generated by NetworkManager (both /etc/resolv.conf and the one in /var/run/NetworkManager) but neither are specific enough to indicate what is causing them to be created so I can turn it off.
>
> Anyone know how to tell NetworkManager to just not create that file? Using a cron job to overwrite it once a minute works but there must be a proper way.
>
> I really wish KISS was a design goal when designing system configuration.

Just found this -

    # cat dhclient-exit-hooks
    echo 'options rotate' >> /etc/resolv.conf

That's where the last line in /etc/resolv.conf is coming from.
[CentOS] NetworkManager and /etc/resolv.conf
CentOS 7.5 image running on linode. unbound running on localhost.

Have to use a cron job once a minute to keep /etc/resolv.conf using the localhost for name resolution - whenever NetworkManager gets restarted (usually only a system boot) it gets over-written.

It seems every distro has a different way of preventing NetworkManager from replacing that file. I found instructions for Fedora that said create /etc/NetworkManager/conf.d/no-dns.conf containing

    [main]
    dns=none

That doesn't seem to have any effect.

Poking around, I find a file on boot seems to be created called /var/run/NetworkManager/resolv.conf

It has most of the contents of what ends up in /etc/resolv.conf - except w/o the last line, which just reads rotate in generated /etc/resolv.conf. It says it's generated by NetworkManager (both /etc/resolv.conf and the one in /var/run/NetworkManager) but neither are specific enough to indicate what is causing them to be created so I can turn it off.

Anyone know how to tell NetworkManager to just not create that file? Using a cron job to overwrite it once a minute works but there must be a proper way.

I really wish KISS was a design goal when designing system configuration.
Re: [CentOS] OT: good free email service ?
On 11/10/2018 03:45 PM, Mike Burger wrote:
> On 2018-11-10 03:22, Alice Wonder wrote:
>> *snip*
>> It's a real pain in the arse.
>
> FWIW, I used to run my mail server at home, on my own private IP (through my ISP). When I moved, in May, I had to switch providers and they didn't offer static IP for home users, so I've moved my DNS and mail server to the cloud. Between the two of them, they cost me about $50/month...not cheap, but my IP isn't automatically on blacklists and I control everything, including inbound spam protection.

I use Linode - sometimes it will go many months w/o being put on a blacklist, sometimes it's a lot more common, I think they rotate IP assignment and when unused IP addresses on my subnet are not being assigned to new accounts there is no issue.

I just wish the spam lists would do a better job at realizing a well-aged domain that's been on the same IP address for years isn't a spammer and shouldn't be part of the blacklist.

In many respects I see it as a net neutrality issue, pushing everyone into the big providers that do their own share of spamming yet are never blacklisted because they are too big to blacklist.

I'm thinking about trying to design a DKIM based white list, e.g. if DKIM validates from aged domain that doesn't have positive spaminess to it, skip the IP based spam checks.

But even if I came up with something, the big e-mail companies wouldn't care to use it, they have no financial motive to and every financial motive not to (forces users into their tracking ecosystem)
Re: [CentOS] OT: good free email service ?
On 11/09/2018 12:07 PM, Warren Young wrote:
> On Nov 9, 2018, at 9:22 AM, Vic Chester wrote:
>> https://protonmail.com/
>
> Aside from semi-charitable organizations like that, I wouldn’t expect good free email service to exist.
>
> It’s seriously complicated to run a properly-configured email server. The last time I looked into it, there were something like 24 separate RFCs an SMTP-only server had to implement, and much of that complexity spills over into the administration side, such as DKIM setup. Then you have everything outside of the protocol such as spam filtering, blacklist/greylist/whitelist maintenance, TLS key updates, OS updates, etc.
>
> Expect to pay for what you use, either by throwing a whole lot of your own time at it or paying someone to spend that time on your behalf. Unless you’re doing this for educational or professional reasons, where the time spent is paid back handsomely, it’s probably a better trade to pay someone to handle it for you.

Plus there's constantly dealing with spam lists.

I run my own, using postfix + dovecot + roundcube, but because I can't afford my own subnet - I end up constantly on spam blacklists when someone else on my subnet sends spam.

The blacklists don't care that I've had these IP addresses for years, never spam, etc. - they just see someone on the subnet spam and they blacklist the entire subnet and you have to fill out their form to get removed, often to just be added again in a week.

It's a real pain in the arse.
Re: [CentOS] Red Hat is Planning To Deprecate KDE on RHEL By 2024
On 11/03/2018 01:22 AM, Nicolas Kovacs wrote:
> On 02/11/2018 at 21:19, mark wrote:
>> Odd, I've never had that problem. On the other hand, I *really* dislike gnome. I think their target is 16 yr olds.
>
> My reaction to GNOME 3 has been roughly the same as with systemd. At first, I hated it with a passion. Then I saw everyone else seemed to use it. So I started to read the docs and experiment a little bit. And now I'm using it on a daily basis, and to my bewilderment, I've grown to like it.

What really did me in when I was trying to like it, the scroll bars were gone and I was told they could be put back in place with configuration. So I tried to find the configuration option and couldn't find it. Then I was told that I had to hand-code CSS to get them back.

I installed MATE the very next day.

I did briefly try it again a few months ago and I just can't figure it out. It's like it is trying to be a tablet OS or something, but I'm not using a touchscreen, I'm using a mouse and keyboard.
Re: [CentOS] Mail has quit working
On 07/24/2018 05:36 AM, Mike McCarthy, W1NR wrote:
> Your IP address is flagged as spam in Real Time Block Lists. Are you using a dynamic IP address? You may have a mis-configured server that is allowing spammers to relay through your server. Another possibility is your system is compromised with a spambot.
>
> Mike

Happens frequently to me and I'm no open relay. CentOS uses spamhaus and spamhaus blocks entire subnets if someone on the subnet spams.

So unless you can afford your own subnet or pay to be on a whitelist, blacklists are a common thing for the little guy.

So much for net neutrality.
Re: [CentOS] Which is better? Microsoft Exchange 2016 or Linux-based SMTP Servers?
On 07/19/2018 07:14 AM, Johnny Hughes wrote:
> On 07/18/2018 04:05 PM, Valeri Galtsev wrote:
> On 07/18/18 14:36, Johnny Hughes wrote:
> On 07/18/2018 01:58 PM, Valeri Galtsev wrote:
>
> But are you guys really telling you think the calendaring / scheduling for individual users and the main corporate account, etc. .. are working well enough with any Linux solution.
>
> I must confess, my servers are FreeBSD, but I'm quite sure the same is doable easily on Linux. We use for calendars Owncloud (may migrate to nextcloud in some future to come). That authenticates against LDAP.
>
> And does that calendar solution allow for things like:
>
> 1) Allowing all users in the organization to see users calendars and see when they are free to schedule a meeting with them.
>
> Yes at least about a part of it: calendars can be shared with some people or with everybody (which we didn't do, so I may be not 100% presenting "experimental fact" here). Not certain about "free/not free" mapped on calendars though.
>
> 2) Allow for designated people to schedule meetings for others (ie, your secretary/office assistant can schedule meetings for people, etc.)
>
> Yes, you can share calendar with anybody, and can set any set of choices can read can write can "re-share" your calendar You can share stuff to external people, and set individual authentication for them independent of our system (in general, it is not just calendars, but we use it for mostly synchronizing between all of your devices, and also sharing: files, calendars, address book; it can also be bookmarks, and there are variety of plugins expanding what else can be accessed/synchronized via web/dav)
>
> 3) Allow a calendar to schedule shared items .. like meeting rooms, shared vehicles, etc. So that people can check those out for specific time windows, etc.
>
> No, but for resource booking (if I read the question correctly) we use mrbs (https://mrbs.sourceforge.io/). I know, that is not "integrated" for you to have everything in one place. I never had time to look for extension/plugin to suck from mrbs booked slot into one's calendar.
>
> Those are just a couple of minor things a lot of solutions can't do
>
> And do they work with imap, etc.
>
> No, owncloud/nextcloud don't work with IMAP as far as I know. Mail server is separate issue. Zimbra in that respect IS "integrated collaborative environment". And so is Kolab. They both are lacking per-user spam preferences. One more thing that added some minus for each of them in my estimate what to choose is: behind each of them there is commercial company. And that in my long experience significantly increases the chance one day openly available incarnation of each may become no longer available for us, and I will have to find replacement in a rush and find the way to migrate to it, and the more sophisticated the thing is, the trickier the migration will be.
>
> My answers are mostly about owncloud which we use for quite some time. Nextcloud is fork of owncloud, and to my regret nextcloud doesn't work with postgresql, only with mysql/MariaDB, whereas owncloud works with postgresql as well as with mysql/MariaDB (still we have some reasons to migrate to nextcloud at some point).
>
> I hope, someone with more knowledge will chime in.
>
> Don't get me wrong. I've run qmail, postfix, and zimbra mail servers with IMAP, along with webmail front ends (roundcube, squirrel mail, etc), for windows, mac and linux clients for several companies (all on CentOS of course :D) .. I just don't think that calendaring that I have seen is as user friendly as google calendar (for example).
>
> But I'm all for people running mail servers on CentOS (or any other Linux) if they want !

I can't use google calendar because it used tracking cookies which I block. So it doesn't work for me.

Would actually love to see a distributed / federated calendaring platform developed, that I suspect would do well.

What I mean is Company A can choose to federate with Company B when needed to allow cross-scheduling when needed while both still maintain complete ownership of their calendar data.
Re: [CentOS] Which is better? Microsoft Exchange 2016 or Linux-based SMTP Servers?
On 07/18/2018 10:24 AM, Andrew Holway wrote:
> Still a lot better than trying to run your own hodge-podge of nightmares on Linux.
>
> Beg pardon? Did I make a mistake on the email address? I thought this went to the CentOS general discussion list.
>
> I specifically meant setting up and running email services on linux is not for the faint of heart and delivers little real value considering the plethora of free and commercial email services available.

I would disagree.

Postfix and Dovecot are both very well documented. Running the server yourself protects your users from content scanning by the companies that profit from tracking users.

And running it yourself lets you run DANE for SMTP which makes MITM a lot more difficult when the other server you are talking to supports DANE for SMTP. The major e-mail services do not offer that.

Sure it is more work, but it isn't that difficult to get it right.
Re: [CentOS] how and where to get libuuid.a
On 07/17/2018 08:03 AM, qw wrote:
> Hi, I use Centos 7.4, and can find libuuid.so in my OS. how and where to get libuuid.a? Thanks!

Not seeing it, but libuuid.so is provided by libuuid-devel from EPEL.

Frequently, static libraries are not provided by CentOS / EPEL. Is there a reason you need the static instead of dynamic?

If you do, you probably have to rebuild the src.rpm after modifying the spec file to not delete the static library.
Re: [CentOS] Centos 7 and RAM
On 07/16/2018 04:41 PM, Jay Hart wrote:
> On 17 July 2018 at 09:24, Jay Hart wrote:
> Hello, What would the recommended minimum amount of RAM be, to run Centos 7. 16GB???
>
> Jay, it helps us help you when you give more information. I have CentOS 7 running happily on 4GB. My presumption - based on experience, extrapolation, and google - is that it will also run with 64TB. Anything between those numbers should be good.
>
> Cheers L.
>
> L, The use of this machine would be as a home server running as a web and email server, two users, light use. My current server has 4GB, but I'm thinking of getting a new box and if I can afford it, figured I'd get 16GB vice 8.

I also run it on a quadcore XEON with 16GB as a general dev machine including LAMP stack and it is very fast on that setup. Most of the time, only a few of the cores are used and when I have looked at memory usage it is never anywhere nearing using up the 16GB.

For a new box I would recommend 16GB though just because the cost difference between 8 GB and 16 GB isn't that great unless you are on a really tight budget (as I usually am) and even then, if you can find a way to go 16 GB do it, because it helps future-proof the box so it is usable for many years into the future.
Re: [CentOS] Centos 7 and RAM
On 07/16/2018 04:24 PM, Jay Hart wrote:
> Hello, What would the recommended minimum amount of RAM be, to run Centos 7. 16GB???
>
> Thanks, Jay

I run it on a Lenovo Thinkpad T410 with 4 GB of RAM using the MATE desktop. Not a speed demon, but it works well enough.
Re: [CentOS] ca-certificates-2018.2.22-65.1.el6.noarch problematic
On 07/04/2018 08:54 AM, Walter H. wrote:
> Hello, the RPM ca-certificates-2018.2.22-65.1.el6.noarch has a big problem ... many certificates were removed - my proxy uses this as source and isn't able to validate correct any more - most sites show this:
>
>     /[No Error] (TLS code: X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN)
>     /Self-signed SSL Certificate in chain: /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
>     Self-signed SSL Certificate in chain: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
>
> and many other Root certificates are missing ...

Not sure why they were removed but in the past, root certificates are removed due to problems with the certificate authorities that mean their signatures no longer mean the sites are who they say they are.

That's the problem with PKI. When you can't trust the root, you can't sign any certificate down the chain from the root.

Unfortunately DANE is not yet supported by browsers.

But anyway, does the changelog indicate why the certs were removed? It may be a good thing - protecting you from potential MITM when you otherwise would have the assumption that the site is valid because it has a cert. I know digicert specifically has had problems before resulting in fraudulent certificates being issued.

Hopefully the industry can move to DANE and make blind trust a thing of the past.
Re: [CentOS] Firefox 60.0.1.0 ESR Progress?
On 07/02/2018 06:57 AM, Sean wrote:
> Is there a way to track CentOS's progress on RHSA-2018-2113?
> https://access.redhat.com/errata/RHSA-2018:2113
>
> Thanks!

This is what I do and it works well, script run as root after downloading compiled tarball from upstream.

--

    #!/bin/bash
    # Usage (as root): pass the downloaded firefox tarball as $1
    set -e
    TARBALL=$(basename "$1")
    # mktemp needs trailing X's in its template to create a unique directory
    TMP=$(mktemp -d /tmp/ff.XXXXXXXX)
    mv "$1" "${TMP}/"
    pushd "${TMP}"
    # Versioned install directory: the tarball name without .tar.bz2
    FFOX=${TARBALL%.tar.bz2}
    tar -jxf "${TARBALL}"
    chown -R root:root firefox
    mv firefox "/usr/local/${FFOX}"
    popd
    pushd /usr/local
    # Repoint the /usr/local/firefox symlink at the new version
    rm -f firefox && ln -s "${FFOX}" firefox
    popd
    rm -rf "${TMP}"

-

$1 is the FireFox downloaded from upstream (compiled)

Installing it as root means I am safe from malware over-writing bits of it, but I do have to manually download.

/usr/local/firefox/firefox then starts it - and old versions are preserved in case something breaks (I just change which one the /usr/local/firefox link points to - though I almost never have to revert)

It's not RPM but there are too many advantages to newer FireFox for me to wait.
[CentOS] C++11 and GCC 5+
This may be common knowledge to some, but it was new to me.

Libraries that use C++11 and are compiled with GCC 4.8.x that CentOS 7.x has are NOT binary compatible with GCC 5.x or newer. It seems to only affect C++11.

What you have to do - create /opt/gcc55 (or whatever)

Rebuild any libraries that use C++11 that you need in something compiled with GCC 5+ and install them within that prefix. Then point to them in that prefix when building what you need to build.

-=-

The Linux runtime linker seems to get it right (as long as you have /opt/gcc55/lib64 in path) and not load wrong version of library, so you don't need to use rpath. But you do need to have a version of the dependency compiled with the GCC you want available at both compile time and runtime.

-=-

I ran across this issue when building Audacity 2.2.2 - which does not build with GCC 4.8.5. The problem libraries:

* flac
* vamp-sjdk-plugin
* wxGTK3

All three of those use C++11 and therefore needed to be rebuilt with GCC 5.5.0 (what I used for building Audacity)

Just thought I'd pass it along.
[CentOS] dumb shared library question
Binary compiled on a system with gcc 5.5.0 w/ libstdc++.so.6.0.21

Because the major version is libstdc++.so.6 there shouldn't be any problems running it on CentOS 7 with libstdc++.so.6.0.19, right?
Re: [CentOS] Passwords in plain text
On 06/17/2018 09:11 AM, Alice Wonder via CentOS wrote:
> On 06/17/2018 08:52 AM, Michael Hennebry via CentOS wrote:
>> I'm pretty sure I messed up attributions, so am deleting them.
>>
>> I believe this is a DMARC issue. Yahoo, among other places, has set their dmarc records to p=reject: So, if your mail hosting provider enforces dmarc (gmail does) and you get mail from a list that doesn't rewrite the headers, and people from places like yahoo post to the list, you'll likely get some form of warning about being kicked off the mailing list every now and then. The frequency depends on how often people from p=reject places post, and what the settings are for bounce handling of the mailing list in question.
>>
>> This is indeed what happened. An email from yahoo.com.uk caused gmail to reject all the mails sent by that user because of the yahoo DMARC settings.
>>
>> Say it isn't so: *An* e-mail, just *one* from yahoo.com.uk caused every gmail user to have his account disabled. I'd heard of the DMARC thing with mailing lists before, but had not known it enabled single e-mails of mass destruction.
>
> I run dmarc on my mail server but only in report mode, it doesn't reject.
>
> I did it as a test (for years) and am fully convinced that dmarc is worthless for real world protection. Numerous mail lists out there are configured in such a way that dmarc gets triggered and that just isn't going to change.
>
> It's a neat idea but it's not backwards compatible with the way SMTP already works. I can not recommend its use. I do recommend mail server software update if possible to be compatible but I just can not recommend mail servers enforce dmarc.
>
> DKIM is a good thing, but dmarc breaks things too badly.
>
> Even DKIM though is of limited usefulness - it seems the spammer blacklists don't really care. Even with proper DKIM signature on a domain with correct reverse DNS set up for years, they will still add you to the spam blacklist if any other host on your subnet is identified as a spammer.
>
> So even the blacklists don't really utilize this anti-spam anti-spoof technology, which makes it kind of worthless. Using DKIM as one of several factors in spamassassin though is possibly helpful, though most spammers these days have a validating DKIM sig.

Let me put it this way - in the several years of running dmarc in report only mode, over 99% of reported violations are false positives from mail lists.

That high of a false positive rate tells me it is broken technology.
Re: [CentOS] Passwords in plain text
On 06/17/2018 08:52 AM, Michael Hennebry via CentOS wrote:
> I'm pretty sure I messed up attributions, so am deleting them.
>
> I believe this is a DMARC issue. Yahoo, among other places, has set their dmarc records to p=reject: So, if your mail hosting provider enforces dmarc (gmail does) and you get mail from a list that doesn't rewrite the headers, and people from places like yahoo post to the list, you'll likely get some form of warning about being kicked off the mailing list every now and then. The frequency depends on how often people from p=reject places post, and what the settings are for bounce handling of the mailing list in question.
>
> This is indeed what happened. An email from yahoo.com.uk caused gmail to reject all the mails sent by that user because of the yahoo DMARC settings.
>
> Say it isn't so: *An* e-mail, just *one* from yahoo.com.uk caused every gmail user to have his account disabled. I'd heard of the DMARC thing with mailing lists before, but had not known it enabled single e-mails of mass destruction.

I run dmarc on my mail server but only in report mode, it doesn't reject.

I did it as a test (for years) and am fully convinced that dmarc is worthless for real world protection. Numerous mail lists out there are configured in such a way that dmarc gets triggered and that just isn't going to change.

It's a neat idea but it's not backwards compatible with the way SMTP already works. I can not recommend its use. I do recommend mail server software update if possible to be compatible but I just can not recommend mail servers enforce dmarc.

DKIM is a good thing, but dmarc breaks things too badly.

Even DKIM though is of limited usefulness - it seems the spammer blacklists don't really care. Even with proper DKIM signature on a domain with correct reverse DNS set up for years, they will still add you to the spam blacklist if any other host on your subnet is identified as a spammer.

So even the blacklists don't really utilize this anti-spam anti-spoof technology, which makes it kind of worthless. Using DKIM as one of several factors in spamassassin though is possibly helpful, though most spammers these days have a validating DKIM sig.
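The mailing-list failure discussed in this thread, worked through as an added example (not code from the posts): a simplified DMARC evaluation showing why a message relayed by a list that keeps the author's From: header fails alignment under p=reject, and what a report-only receiver does instead. Domains and records are constructed, and the organizational domain is approximated by the last two labels rather than the Public Suffix List.

```python
from typing import List, NamedTuple, Tuple


class AuthResults(NamedTuple):
    spf_pass: bool                 # SPF verdict for the envelope sender
    spf_domain: str                # domain of the envelope MAIL FROM
    dkim: List[Tuple[bool, str]]   # (signature verified?, d= domain)


def parse_dmarc(record):
    """Parse a DMARC TXT record into a dict of lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def org_domain(domain):
    # Assumption for this example: last two labels. Real verifiers use the
    # Public Suffix List, which matters for names like example.co.uk.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(from_domain, record, auth, enforce=True):
    """Return 'pass', the published policy, or 'report-only'."""
    tags = parse_dmarc(record)
    spf_ok = auth.spf_pass and aligned(
        auth.spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = any(ok and aligned(d, from_domain, tags.get("adkim", "r"))
                  for ok, d in auth.dkim)
    if spf_ok or dkim_ok:
        return "pass"
    # A receiver running in report mode records the failure but delivers.
    return tags.get("p", "none") if enforce else "report-only"


# Constructed records and results for illustration.
REJECT = "v=DMARC1; p=reject; rua=mailto:dmarc@sender.example"
DIRECT = AuthResults(True, "sender.example", [(True, "sender.example")])
# The list re-sends with its own bounce address (SPF passes, but for the
# list's domain) and appends a footer, which breaks the author's signature.
VIA_LIST = AuthResults(True, "lists.example.org", [(False, "sender.example")])
# A list that rewrites From: to its own domain and signs the result.
REWRITTEN = AuthResults(True, "lists.example.org", [(True, "lists.example.org")])

if __name__ == "__main__":
    print(dmarc_disposition("sender.example", REJECT, DIRECT))
    print(dmarc_disposition("sender.example", REJECT, VIA_LIST))
    print(dmarc_disposition("sender.example", REJECT, VIA_LIST, enforce=False))
    print(dmarc_disposition("lists.example.org", "v=DMARC1; p=none", REWRITTEN))
```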
Re: [CentOS] CentOS Kernel Support
On 06/14/2018 08:00 AM, Peter Kjellström wrote:
> On Thu, 14 Jun 2018 16:26:27 +0200 Gianluca Cecchi wrote:
> ...
> The src.rpm for that kernel is probably available somewhere.
>
> I'm fairly certain you cannot download the SRPM for EUS kernels. You might if you're a Red Hat customer paying for that product (but don't take my word for it).
> ...
>
> I agree for the format of release (SRPM), but in any case Red Hat should provide the sources for the changes, as the kernel is GPL-2.0 Then one can manually try to merge them in a patched kernel in some way...
>
> Gianluca
>
> Redhat of course complies with the GPL and provide source to the customers that get access to the binary packages. They are not required to provide the sources to anyone else.
>
> /Peter

Yes that's why I said somewhere.

At least in the past there have been people who made their own mirrors of RHEL exclusive source packages (which the GPL allows). I don't know who does now, but someone somewhere probably does.
Re: [CentOS] CentOS Kernel Support
On 06/13/2018 02:33 PM, Jonathan Billings wrote:
> On Jun 13, 2018, at 4:47 PM, Ken Young wrote:
> Is anyone on the mailing list aware of anyone who supports older versions of CentOS kernels? Particularly, I am interested in getting security patches added to kernel-3.10.0-514.10.2.el7.src.rpm. Please let me know.
>
> As far as CentOS support, only the latest kernel is supported. This really means that *you* are now the only support for old kernels.
>
> You might be able to pay Red Hat for an Extended Update Support release of RHEL7 that has a similar version (kernel-3.10.0-514.51.1.el7) but support ends November 30 2018.
>
> https://access.redhat.com/articles/rhel-eus

The src.rpm for that kernel is probably available somewhere.
[CentOS] Articles on OpenSSH and Personal Git
Hi,

Wrote a couple articles on OpenSSH and on running your Git server in a CentOS 7 environment

https://notrackers.com/the-command-line/openssh-primer/

and

https://notrackers.com/the-command-line/setting-up-your-own-git-server/

And the domain name is honest, there are no trackers on that blog. None. (that blog is actually for a WordPress project not ready for general use but it seemed like a good place for the articles too)

-=-

I am sure they aren't perfect, but they may be of assistance to some. Any blatant mistakes, I am not above correction.

Git article needs SELinux instructions added for web content served outside of /var/www/html and the public web git viewer I'm planning to fork to fix some issues I have with it (I'll contribute patches back if they want them)

I still need to find a CI solution (alternate to Travis-CI) that works just from standard Git - e.g. a git hook when pushing commits or tagging a release that pings the CI solution causing it to do a standard git pull to run the build and unit tests.
Re: [CentOS] git public web frontends
On 06/06/2018 09:08 PM, Keith Keller wrote:
> On 2018-06-06, Alice Wonder wrote:
>> I'll be putting those in /srv/git and using a different username than the account for my private git repositories. But... can anyone recommend a web front end?
>
> Another recommendation for Gitlab. For maximum flexibility you can just run it out of a Docker container with appropriate volume mounts for persistent data.
>
> --keith

I'm actually using something called GitList. Simple and I like simple.

The 0.6 version had a remote code execution bug so I do have to go through the code and make sure all proper validation is done, but what I want to do is simple and what GitList does is simple.

I don't like overly complex solutions even when there are installers that make it seem simple.
[CentOS] git public web frontends
Hello,

Set up a CentOS 7.5 VM linode for git now that github has been bought. I'm not anti-microsoft but I'm worried they will make changes that I don't like (e.g. requiring ms account, changing billing, etc.) so I figured better take control now.

Currently moving my private repos and have them set up in my home directory there, but my public repos - I want to set them up with a web interface so people can browse them etc. and do a git clone w/o needing authentication.

I'll be putting those in /srv/git and using a different username than the account for my private git repositories. But... can anyone recommend a web front end?

It doesn't need to be as fancy as github but it does need to parse markdown as all my documentation is in markdown.

Thanks for suggestions. Preferably something that "just works" with CentOS 7.

-=-

What would be fantastic is if someone made some kind of federation type service similar to how Mastodon works that lets public git repositories that opt in be found without needing to be on a centralized server. But I doubt that currently exists.
Re: [CentOS] get unicode ranges from a TTF ???
I received excellent advice on this that works - https://twitter.com/FakeUnicode/status/991916370752229376

    ttx -t cmap -d . Dosis-v2031b-200ExtraLight.otf

for example produces an XML file with the Unicode numbers that I can parse to figure out the range covered.

On 05/01/2018 09:52 PM, Alice Wonder wrote:
> Hello list,
>
> Is there a command line tool I run on a ttf font and get a list of the Unicode Ranges for that font that would be compatible with the unicode-range: parameter in a CSS @font-face declaration?
>
> I'm guessing something in the python world probably exists... Hopefully something that works in CentOS 7
>
> I need something like that for a FLOSS font server project that doesn't track users.
>
> I don't feel a need to split up a font by unicode range, but a lot of fonts are already split by their upstream developers according to language support - e.g. the Noto Fonts, the main font has a lot of glyphs but Hebrew for example is in its own font file already. I want to be able to get the range information for what the fonts support.
>
> Thanks for any tips. My font server project I need it for is at https://github.com/AliceWonderMiscreations/FlossWoff2
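One way to do the parsing step mentioned above, as an added example that is not part of the original post: it reads the cmap XML that `ttx -t cmap` writes, collects the code points from every subtable, and collapses them into a value usable for the CSS unicode-range descriptor. The function names and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET


def codepoints_from_ttx(xml_text):
    """Collect code points from every cmap subtable in a ttx cmap dump."""
    root = ET.fromstring(xml_text)
    codepoints = set()
    for entry in root.iter("map"):
        code = entry.get("code")
        if code is None:
            # cmap_format_14 (variation sequences) uses uv/uvs attributes
            # instead of code; those entries are not plain code points.
            continue
        codepoints.add(int(code, 16))  # ttx writes codes as 0x... hex
    return codepoints


def collapse(codepoints):
    """Merge sorted code points into inclusive (low, high) runs."""
    runs = []
    for cp in sorted(codepoints):
        if runs and cp == runs[-1][1] + 1:
            runs[-1][1] = cp
        else:
            runs.append([cp, cp])
    return [(low, high) for low, high in runs]


def css_unicode_range(codepoints):
    """Format runs the way the unicode-range descriptor expects."""
    parts = []
    for low, high in collapse(codepoints):
        parts.append(f"U+{low:X}" if low == high else f"U+{low:X}-{high:X}")
    return ", ".join(parts)


# Constructed sample in the layout ttx uses for the cmap table. The second
# subtable repeats entries from the first, as real fonts commonly do.
SAMPLE_TTX = """<ttFont sfntVersion="OTTO" ttLibVersion="3.0">
  <cmap>
    <tableVersion version="0"/>
    <cmap_format_4 platformID="0" platEncID="3" language="0">
      <map code="0x20" name="space"/>
      <map code="0x21" name="exclam"/>
      <map code="0x22" name="quotedbl"/>
      <map code="0x41" name="A"/>
      <map code="0x5d0" name="uni05D0"/>
      <map code="0x5d1" name="uni05D1"/>
      <map code="0x5d2" name="uni05D2"/>
    </cmap_format_4>
    <cmap_format_14 platformID="0" platEncID="5">
      <map uv="0x41" uvs="0xfe00" name="A.alt"/>
    </cmap_format_14>
    <cmap_format_4 platformID="3" platEncID="1" language="0">
      <map code="0x20" name="space"/>
      <map code="0x41" name="A"/>
    </cmap_format_4>
  </cmap>
</ttFont>"""

if __name__ == "__main__":
    print("unicode-range:", css_unicode_range(codepoints_from_ttx(SAMPLE_TTX)) + ";")
```

For a real font, read the .ttx file that the command wrote and pass its contents to `codepoints_from_ttx`.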
[CentOS] get unicode ranges from a TTF ???
Hello list,

Is there a command line tool I run on a ttf font and get a list of the Unicode Ranges for that font that would be compatible with the unicode-range: parameter in a CSS @font-face declaration?

I'm guessing something in the python world probably exists... Hopefully something that works in CentOS 7

I need something like that for a FLOSS font server project that doesn't track users.

I don't feel a need to split up a font by unicode range, but a lot of fonts are already split by their upstream developers according to language support - e.g. the Noto Fonts, the main font has a lot of glyphs but Hebrew for example is in its own font file already. I want to be able to get the range information for what the fonts support.

Thanks for any tips. My font server project I need it for is at https://github.com/AliceWonderMiscreations/FlossWoff2
Re: [CentOS] Question on CentoS 7.4 on nvidia
That's what I get too -

01:00.0 VGA compatible controller: NVIDIA Corporation GT218 [GeForce 405] (rev a2)

It works fine for me with mate with this:

kernel-3.10.0-693.5.2.el7.x86_64
kmod-nvidia-340xx-340.102-4.el7_4.elrepo.x86_64

I've had problems with gnome 3 and nvidia before, but haven't tested in a very long time, been running mate for years.

On 12/14/2017 01:51 PM, Jerry Geis wrote:
> I installed the elrepo kmod-nvidia and also the nvidia-detect and modules (see below). I had X working with the 3.10 from Centos - but video was freezing. So I thought I would try the elrepo kernel. I installed that and X does not come up?
>
> How do I re-make the nvidia module for 4.14.5 kernel? I want to make sure the kmod kernel did it. I'm thinking it did not.
>
> lspci | grep VGA says GT218
>
> Or what do I look at now to see why X is not coming up?
>
> Thanks, Jerry
>
> uname -r
> 4.14.5-1.el7.elrepo.x86_64
>
> grep EE /var/log/Xorg.0.log
> (WW) warning, (EE) error, (NI) not implemented, (??) unknown.
> [ 136.998] (EE) NVIDIA: Failed to initialize the NVIDIA kernel module. Please see the
> [ 136.998] (EE) NVIDIA: system's kernel log for additional error messages and
> [ 136.998] (EE) NVIDIA: consult the NVIDIA README for details.
> [ 136.998] (EE) No devices detected.
> [ 136.998] (EE)
> [ 136.998] (EE) no screens found(EE)
> [ 136.998] (EE)
> [ 136.998] (EE) Please also check the log file at "/var/log/Xorg.0.log" for additional information.
> [ 136.998] (EE)
> [ 137.004] (EE) Server terminated with error (1). Closing log file.
>
> uname -a
> rpm -qa | grep kernel
> kernel-3.10.0-693.el7.x86_64
> kernel-tools-3.10.0-693.5.2.el7.x86_64
> abrt-addon-kerneloops-2.1.11-48.el7.centos.x86_64
> kernel-headers-3.10.0-693.5.2.el7.x86_64
> kernel-ml-devel-4.14.5-1.el7.elrepo.x86_64
> kernel-devel-3.10.0-693.el7.x86_64
> kernel-3.10.0-693.5.2.el7.x86_64
> kernel-ml-4.14.5-1.el7.elrepo.x86_64
> kernel-tools-libs-3.10.0-693.5.2.el7.x86_64
> kernel-devel-3.10.0-693.5.2.el7.x86_64
>
> [root@mediaport14 ~]# rpm -qa | grep kernel-ml
> kernel-ml-devel-4.14.5-1.el7.elrepo.x86_64
> kernel-ml-4.14.5-1.el7.elrepo.x86_64
>
> # rpm -qa | grep nvidia
> kmod-nvidia-340xx-340.102-4.el7_4.elrepo.x86_64
> nvidia-detect-384.90-1.el7.elrepo.x86_64
> yum-plugin-nvidia-1.0.2-1.el7.elrepo.noarch
> nvidia-x11-drv-340xx-340.102-1.el7.elrepo.x86_64
Re: [CentOS] Broadcom BCM4360
On 12/04/2017 01:34 AM, Nicolas Kovacs wrote:
> On 04/12/2017 at 01:22, Gregory P. Ennis wrote:
>> I just purchased a new wifi card that is identified as using lspci as : Broadcom Limited BCM4360 802.11ac Wireless Network Adapter (rev 03)
>>
>> I have not been able to get it to work Centos 7.4 machine. Some of the centos user posts had indicated the nux repository had a Centos 7 kmod-wl, but it is not present when I tried to search or install it at this time.
>>
>> Has anyone had any success in making the Broadcom BCM4360 chip work for Centos 7.4
>
> Some time ago I installed CentOS 7 on a MacBook Pro with a Broadcom wireless card. The card was a PITA to configure, but it works perfectly now. I wrote an article about it. It's in French, but the *nix bits are universal. :o)
>
> https://blog.microlinux.fr/centos-7-macbook-pro/#rezo-wifi
>
> Cheers, Niki

lspci |grep -i broad
02:00.0 Network controller: Broadcom Limited BCM4360 802.11ac Wireless Network Adapter (rev 03)

That's my broadcom chip and it works in CentOS 7.4 with the kmod-wl-6_30_223_271-4.el7.centos.x86_64 rpm built from the previously mentioned nosrc rpm. I might have bumped the release tag when rebuilding it, don't remember.
Re: [CentOS] Broadcom BCM4360
On 12/03/2017 11:10 PM, Phil Perry wrote:
> On 04/12/17 00:38, John R Pierce wrote:
>> On 12/3/2017 4:22 PM, Gregory P. Ennis wrote:
>>> I have not been able to get it to work Centos 7.4 machine. Some of the centos user posts had indicated the nux repository had a Centos 7 kmod-wl, but it is not present when I tried to search or install it at this time.
>>
>> this looks potentially helpful http://elrepo.org/tiki/wl-kmod
>>
>> it appears those are closed source drivers with funky licenses, so they can't just be redistributed without assumption of liability.
>
> Correct, elrepo isn't able to freely redistribute the drivers due to Broadcom's licensing, but does provide instructions and a SRPM (minus tarball) for you to build yourself.

That's what I have to do, and it can sometimes be a PITA because a kernel update can break it and you have to build it again. With major updates (like 7.3 to 7.4) you sometimes have to download a new nosrc rpm.

> Alternatively, for $8 you can purchase an adaptor that is natively supported and will work out of the box:
>
> https://www.amazon.com/Edimax-EW-7811Un-150Mbps-Raspberry-Supports/dp/B003MTTJOY/ref=sr_1_1?ie=UTF8=1512370979=8-1=edimax+n150
>
> https://www.newegg.com/Product/Product.aspx?Item=N82E16833315091_re=edimax_n150-_-33-315-091-_-Product
>
> The above adaptor is based on the Realtek RTL8188CUS chipset and uses the rtl8192cu kernel driver.

At some point I will be replacing mine, but with a low-profile PCI-E card. I've had bad luck with USB wifi adapters, sometimes for example they lose connection when a microwave is turned on and when I was visiting my parents, had one that lost connection whenever the AC unit kicked on.

My best wifi experience in Linux has been with my T series thinkpad, it uses some kind of Intel wireless chipset that is in the kernel.

I'm going to be looking for a low profile Intel PCI-E card, but for now my broadcom PCI-E actually works quite well - with the exception of needing to rebuild every now and then (last time was 7.3 to 7.4 update)
Re: [CentOS] modestly priced laptop for C7
On 11/02/2017 10:41 AM, Fred Smith wrote:
> I'm looking to replace my (old, creaky) netbook (Acer Aspire One D255e, a screaming dual core 1.6 GHz Atom, and a whole 2 gigs of RAM) with something faster but not too large. Sometimes (usually) the netbook is painfully slow.
>
> Something like a hi-res 14 (or 15) inch screen (full HD), minimum of 4 gigs RAM, HD of a half terabyte or bigger. I'd like to not have to go over 600-700 dollars, so I know my choices are somewhat limited if I want to avoid the 400-500 dollar windows 10 junk^H^H^H^Hsystems from BJs, etc.
>
> Something with a quad-core processor, and all hardware works with C7.
>
> I've glanced at Lenovo Thinkpads on amazon where there are several "factory refurbished" ones with similar specs to what I mention above in the $500-700 range, but I don't know if they're any good or not.
>
> I'm open to suggestions from any/all of you!
>
> thanks in advance!
>
> Fred

CentOS works well on T-Series thinkpads but be careful of the video, some use an nvidia card which at least historically had issues in Linux that caused the battery to run down faster and caused the laptop to run hot.

T series thinkpads use Intel wifi that "just works" with CentOS - at least in my limited experience.

Many laptops require 3rd party drivers with proprietary firmware to get the wifi working, which can be a pain in the neck when a point release update happens (e.g. 7.3 to 7.4) because you then have to rebuild the RPM in the new point release or the driver won't work, and often that means downloading a new nosrc.rpm - which may not immediately be available.

Somewhere there's a list of wifi hardware that works out of the box with the Linux kernel, whatever brand you buy I would recommend the wifi device is on that list.
Re: [CentOS] Incorrect characters in Chinese font
On 10/29/2017 03:12 PM, H wrote:
> On 10/29/2017 03:49 PM, Frank Cox wrote:
>> On Sun, 29 Oct 2017 15:03:49 -0400 H wrote:
>>> I had three characters I was not able to translate and after much hair-pulling realized to my surprise that they may be incorrectly drawn in Centos 7.
>>
>> My first guess would be faulty characters in whatever font you're using. Compare it with a working font and see if that's the problem.
>>
>> Type the problematic characters into a text editor. Change the font in the text editor to a different one. Did the character suddenly become correct? If so, you've found the problem.
>>
>> Then the short-term fix is to use a different (correct) font and the long-term solution will start with filing a bug report against the faulty font.
>
> Frank, you are right. I switched from Monospace to DejaVu Sans and the three characters are correctly depicted.
>
> Now, how do I report the problem with the Monospace font used in CentOS 7?

Monospace is probably not the name of the font, but is telling the application to use the default monospace font - which may be set by something else.

What application is it?

It's quite possible that Monospace is actually DejaVu Sans Mono or Liberation Mono or whatever the URW equivalent to Courier is.

If the glyph is one that uses combining unicode code-points, many monospace fonts do not support all of them properly.
Re: [CentOS] /var/run/... being deleted :((
On 10/11/2017 12:20 PM, Lamar Owen wrote:
> On 09/21/2017 08:14 AM, hw wrote:
>> what keeps deleting files and directories under /var/run? Having them deleted is extremely annoying because after a reboot, things are suddenly broken because services don't start.

*snip*

> The fact of the matter is that the EL7 behavior is to store /var/run in a temporary way, and that's not at all likely to be changed in EL7,

*snip*

When I need daemon (or other not human user) produced data to persist a reboot, I use /srv - I don't know if that is technically correct or not, but it seems highly unlikely /srv would ever be a candidate for wipe on boot.

Perhaps the package in question could simply be patched to use /srv ??
Re: [CentOS] /boot partition too small
On 10/10/2017 07:04 AM, Vanhorn, Mike wrote:
> If there are many old kernels in there, you can probably remove the oldest one(s) to make room for newer ones.

This is what I do. When /boot hits about 80% I go through and remove old kernels I will never boot into anyway. Usually that's at four kernels.
Re: [CentOS] Thunderbird in CentOS 7.4
On 09/27/2017 11:14 PM, Phil Perry wrote:
> On 28/09/17 04:19, Alice Wonder wrote:
>> With the current Thunderbird I can not connect to one of my IMAP servers that uses a self-signed cert.
>>
>> Virtually identical IMAP servers that use CA signed certs work.
>>
>> I was a bit out of date when I updated to 7.4 and was running Thunderbird 45.6.x and it worked. When I connected from evolution (which I do not like) it worked. When I connected with my laptop still running 45.6.x it works.
>>
>> so - I rebuilt thunderbird 45.8.0 from 7.3 updates (newest that isn't 5x.x.x series) and did an --oldpackage update with RPM and it works again.
>>
>> When rebuilding the old thunderbird in mock I had to add the following:
>>
>> BuildRequires: dbus-glib-devel
>>
>> Either the build system used by CentOS automatically includes that, or a build dependency used to pull that in but no longer does.
>>
>> Anyway if anyone is having a similar problem, that's a solution.
>>
>> -=-
>>
>> This is what I see in the mail server log when current CentOS thunderbird tries to connect:
>>
>> Sep 25 20:17:49 librelamp dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=2600:1010:b064:f260:e83e:562d:2316:18df, lip=2600:3c01::f03c:91ff:fee4:310c, TLS handshaking: SSL_accept() failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca: SSL alert number 48, session=<u7agQAlasK8mABAQsGTyYOg+Vi0jFhjf>
>>
>> ---
>>
>> Since it works with current evolution and with older thunderbird, I assume it is a bug in current thunderbird when the server is using a self-signed cert.
>>
>> Don't know if same thing happens on pop. I use IMAP on 143 using starttls
>
> I have no problem using a self-signed cert on my own private mail server, although admittedly I'm using POP, not IMAP.
>
> Have you imported your certificate(s) in thunderbird?
>
> Preferences > Advanced > Certificates

When Thunderbird first attempts it offers to import.

Under older version it only asks once, and when I import, it's fine until I replace the certificate (once a year, cert is good for three years but I generate new once a year - I just make it good for three in case life gets in the way).

The new thunderbird continually asks but still fails to connect.

However as soon as I switched back to the older version, it didn't even need to ask because I had already made an exception for that certificate.

Old thunderbird works as expected, new doesn't.
[CentOS] Thunderbird in CentOS 7.4
With the current Thunderbird I can not connect to one of my IMAP servers that uses a self-signed cert.

Virtually identical IMAP servers that use CA signed certs work.

I was a bit out of date when I updated to 7.4 and was running Thunderbird 45.6.x and it worked. When I connected from evolution (which I do not like) it worked. When I connected with my laptop still running 45.6.x it works.

so - I rebuilt thunderbird 45.8.0 from 7.3 updates (newest that isn't 5x.x.x series) and did an --oldpackage update with RPM and it works again.

When rebuilding the old thunderbird in mock I had to add the following:

BuildRequires: dbus-glib-devel

Either the build system used by CentOS automatically includes that, or a build dependency used to pull that in but no longer does.

Anyway if anyone is having a similar problem, that's a solution.

-=-

This is what I see in the mail server log when current CentOS thunderbird tries to connect:

Sep 25 20:17:49 librelamp dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=2600:1010:b064:f260:e83e:562d:2316:18df, lip=2600:3c01::f03c:91ff:fee4:310c, TLS handshaking: SSL_accept() failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca: SSL alert number 48, session=<u7agQAlasK8mABAQsGTyYOg+Vi0jFhjf>

---

Since it works with current evolution and with older thunderbird, I assume it is a bug in current thunderbird when the server is using a self-signed cert.

Don't know if same thing happens on pop. I use IMAP on 143 using starttls
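A log triage sketch for the dovecot line quoted in this post and in the reply thread above, as an added example (not part of the original messages). It pulls the client address and TLS alert number out of handshake failures and names the alert per RFC 5246; OpenSSL reports an "SSL alert number" from its read-bytes routine when the alert was received from the peer, so alert 48 here is the client refusing the server certificate. The first sample line is the one from the post, the other two are constructed, and the function names are made up for this example.

```python
import re
from collections import Counter

# TLS alert descriptions from RFC 5246, section 7.2 (subset).
TLS_ALERTS = {
    40: "handshake_failure",
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
    70: "protocol_version",
}
# Alerts that mean the sender refused the certificate it was shown.
CERT_REJECTED = {42, 43, 44, 45, 46, 48}

LINE_RE = re.compile(
    r"dovecot: (?P<svc>[\w-]+): Disconnected.*?"
    r"rip=(?P<rip>[0-9A-Fa-f:.]+), .*?"
    r"TLS handshaking: SSL_accept\(\) failed: (?P<err>.*?)(?:, session=|$)"
)
ALERT_RE = re.compile(r"SSL alert number (\d+)")

SAMPLE_LOG = [
    # The line quoted in the post.
    "Sep 25 20:17:49 librelamp dovecot: imap-login: Disconnected "
    "(no auth attempts in 1 secs): user=<>, "
    "rip=2600:1010:b064:f260:e83e:562d:2316:18df, "
    "lip=2600:3c01::f03c:91ff:fee4:310c, TLS handshaking: SSL_accept() "
    "failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert "
    "unknown ca: SSL alert number 48, "
    "session=<u7agQAlasK8mABAQsGTyYOg+Vi0jFhjf>",
    # Constructed: a successful login, which must not be reported.
    "Sep 25 20:18:02 librelamp dovecot: imap-login: Login: user=<alice>, "
    "method=PLAIN, rip=2001:db8::10, lip=2001:db8::1, mpid=1234, TLS, "
    "session=<constructedAAAA>",
    # Constructed: a handshake failure that is not a TLS alert.
    "Sep 25 20:19:10 librelamp dovecot: imap-login: Disconnected "
    "(no auth attempts in 0 secs): user=<>, rip=2001:db8::20, "
    "lip=2001:db8::1, TLS handshaking: SSL_accept() failed: "
    "error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher, "
    "session=<constructedBBBB>",
]


def classify(line):
    """Return details of a TLS handshake failure, or None for other lines."""
    match = LINE_RE.search(line)
    if match is None:
        return None
    err = match.group("err")
    alert = ALERT_RE.search(err)
    if alert:
        number = int(alert.group(1))
        reason = TLS_ALERTS.get(number, "alert_%d" % number)
    else:
        number = None
        # Last field of the OpenSSL error string is the reason text.
        reason = err.rsplit(":", 1)[-1].strip()
    return {
        "service": match.group("svc"),
        "rip": match.group("rip"),
        "alert": number,
        "reason": reason,
        "client_rejected_cert": number in CERT_REJECTED,
    }


def summarize(lines):
    """Count handshake failures per (client address, reason)."""
    counts = Counter()
    for line in lines:
        hit = classify(line)
        if hit:
            counts[(hit["rip"], hit["reason"])] += 1
    return counts


if __name__ == "__main__":
    for (rip, reason), n in summarize(SAMPLE_LOG).items():
        print("%-40s %-20s %d" % (rip, reason, n))
```
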
Re: [CentOS] 7.4 network issues
On 09/25/2017 01:10 AM, Phoenix, Merka wrote:
> Alice,
>
>> Two onboard nics, Intel, eno1 and eno2
>>
>> If either of them is set to onboot then network won't start.
>>
>> one error message says :bad vendor preset disabled
>
> This bug report from the upstream vendor (RH) for RHEL 7 might help in troubleshooting what's causing the error message:
>
> See: https://bugzilla.redhat.com/show_bug.cgi?id=1399448
>
> Apparently something "broke" (changed) between 7.2 and 7.3 in how the networking scripts bring up the interfaces.
>
> Cheers!

I'll figure that out later. I found a USB key in my camera bag (I'm out of town, but took my desktop with me) and used the updated src.rpm from elrepo for my wireless.

So it connects now. I need to get an Intel wireless nic with drivers in the kernel, that's what my thinkpad has and it always just works.

I'll figure out what's up with the wired connections later.
[CentOS] 7.4 network issues
Two onboard nics, Intel, eno1 and eno2

If either of them is set to onboot then network won't start.

one error message says :bad vendor preset disabled

Another error message (in red) says Failed to start LSB

If I can find a USB key there is an updated kmod-wl src.rpm that *may* bring up my wifi, but I am not sure I have access to a USB key at the moment.

The motherboard is supermicro and the onboard nics are Intel which I thought were well supported, but I do remember going from 7.2 to 7.3 on a server IPv6 was bricked because of changes to how the /sbin/ifconfig scripts were configured.

This one (is a xeon, server board, but it's my desktop) I think started life as 7.2 and was at 7.3 before this update - in case there's a similar issue with incompatibilities with config file after update.

I've not used the nics before, always just used wifi.

What's the secret to getting them to connect via dhcp onboot at least long enough to try and get the broadcom wifi working again?

--
-=- Sent my from my laptop, may not be able to respond timely
Re: [CentOS] Bricked my system
I got in and removed that kmod and got it booted.

Now I have to figure it out why it won't connect via ethernet even though it's set to DHCP and should.

Seems every major CentOS update changes the network stuff in a way that causes headaches. That's probably just my frustration speaking but that's what it feels like.

On 09/25/2017 12:24 AM, Frank Cox wrote:
> On Mon, 25 Sep 2017 00:18:16 -0700 Alice Wonder wrote:
>> It's caused by the wl-whatever kmod update I tried trying to get network back, but I can't remove that rpm if I can't boot.
>
> https://www.centos.org/docs/5/html/Installation_Guide-en-US/s1-rescuemode-boot.html

--
-=- Sent my from my laptop, may not be able to respond timely
[CentOS] Bricked my system
Updated to CentOS 7.4

No wifi. The wifi was using wl-something driver that had third party firmware but it wasn't seen.

Attempted to get network with ethernet from the mobo to router but it wouldn't come up.

So I rebuilt the wl-whatever kernel module and installed the updated version built against the newer kernel.

Now when attempting to boot it gets stuck at "i8042 no controller found" and stops. That message is always there, either lack of serial port or lack of PS/2 ports - I forget - but the boot now hangs there.

It's caused by the wl-whatever kmod update I tried trying to get network back, but I can't remove that rpm if I can't boot.

Help.

--
-=- Sent my from my laptop, may not be able to respond timely
Re: [CentOS] Headphones volume control not working in CentOS 7
On 07/28/2017 03:28 PM, Bernard Lheureux wrote:
> Hi all,
>
> I hope someone could enlighten me... How could I resolve the fact that the volume controls of all the headphones I try on CentOS 7 are not working, they are OK on CentOS 6 but impossible to make them work on my Thinkpad Laptop with an iPhone headphones or a Marshal Monitor plugged with a jack connector... Those 2 headphones work correctly in CentOS 6... What could I do to get the same behavior on CentOS 7 and this damned Gnome 3 ?
>
> Thanks for your help...

Not sure, volume control on my USB headphones work just fine on CentOS 7. Both on the headphones itself and from the desktop. On both my home built PC and on my Thinkpad T410 (where it also works from volume buttons on keyboard)

I use MATE though, but I don't know if that is why.
Re: [CentOS] TeX Live on CentOS 7
On 07/21/2017 10:18 PM, Nicolas Kovacs wrote:
> On 21/07/2017 at 23:14, Alice Wonder wrote:
>> I always install official TeXLive in /usr/local/texlive - yum update thanks me.
>>
>> Every few months I update it, but keeping it outside of RPM means I don't get tons of individual packages, many that I never use, constantly updating in yum.
>
> And how do you manage conflicts with packages? Do you blacklist them in Yum's repo configuration? And how about the stuff depending on them? Install it manually using --nodeps?
>
> Niki

There aren't any conflicts.

I did make the following file:

# /etc/profile.d/texlive.sh
#if [ ${UID} -gt 1000 ]; then
export PATH=/usr/local/texlive/2016/bin/x86_64-linux:$PATH
#fi

If a package on my system wants a CentOS texlive as dependency it gets it, there are texlive packages installed. But users get the texlive in /usr/local/texlive

The directory /usr/local/texlive is owned by a user:group texlive:texlive and I log in as that user to run tlmgr to update the install.

--
-=- Sent my from my laptop, may not be able to respond timely
Re: [CentOS] TeX Live on CentOS 7
I always install official TeXLive in /usr/local/texlive - yum update thanks me.

Every few months I update it, but keeping it outside of RPM means I don't get tons of individual packages, many that I never use, constantly updating in yum.

On 07/21/2017 11:46 AM, Denniston, Todd A CIV NAVSURFWARCENDIV Crane, JXVS wrote:
> -Original Message-
> From: Nicolas Kovacs [mailto:i...@microlinux.fr]
> Sent: Friday, July 21, 2017 2:29 AM
> To: CentOS
> Subject: [CentOS] TeX Live on CentOS 7
>
>> Hi,
>>
>> I just installed the OpenVAS vulnerability scanner on my CentOS 7 workstation. Everything seems to work fine, except PDF generation. The 'openvas-check-setup' script tells me that PDF generation works fine, but whenever I want to generate a report, the result is unusable and can't open in Evince or Okular.
>>
>> After googling a bit, I found out that several users complained that Tex Live is broken under RHEL/CentOS 7.
>>
>> While I did use LaTeX a long time ago to write documents, I don't use it anymore nowadays (just Markdown or LibreOffice). But I do need a working installation of TeX Live for OpenVAS PDF reports.
>>
>> What can I do now? Perform a manual installation of TeX Live with their provided installer (to /opt) and then blacklist all texlive* packages?
>>
>> I admit I'm a bit surprised that a distribution like RHEL/CentOS that prizes quality wouldn't provide a working TeX Live in their package repositories.
>>
>> Any suggestions?
>
> The users that were complaining, were they all OpenVAS users?
>
> Going from my experiences on CentOS 6, I find it surprising that LaTeX is not working. Does even the trivial.tex from [0] compile?
>
> Can you get the LaTeX file that OpenVAS is generating, and on the command line run pdflatex (or other latex compile command) on it and capture the error messages? This might point to missing packages/fonts.
>
> It may be possible that not enough of texlive has been installed. I tend to do a `yum install \*latex\*` (and answer no) to see what is available and then install every latex thing that is not a -devel package. That way I never have to think about getting packages again, or if I do I will pretty much know I'll have to get it from CTAN myself.
>
> seeing [1] from the openvas wiki makes me think you should try `yum install \*latex\*extra\*` and see if it is now available. And as seen elsewhere [2] sometimes rpm packagers don't name them the same as LaTeX packagers.
>
> And it looks like [3] a lot of folks take the same 'trash the distro' perspective as openvas [1] which is unfortunate.
>
> Perhaps we could ask the CentOS-extras (and a RHEL or EPEL ticket) folks if they would be willing to rebuild the needed packages from an old Fedora RPM if they are not yet available in an EL repository. Have you checked EPEL?
>
> [0] https://www.centos.org/forums/viewtopic.php?t=48421
> [1] https://wiki.openvas.org/index.php/Generate_a_PDF_report#CentOS_7
> [2] https://tex.stackexchange.com/a/166140
> [3] https://www.centos.org/forums/viewtopic.php?t=54410
>
> --
> Even when this disclaimer is not here: I am not a contracting officer. I do not have authority to make or modify the terms of any contract.

--
-=- Sent my from my laptop, may not be able to respond timely
[CentOS] Extreme frustration with GIMP
I am not a graphics person. Also can't afford to hire one.

Trying to follow instructions at https://docs.gimp.org/en/gimp-tutorial-quickie-separate.html

I use the "intelligent scissors" just like they say, spend quite a bit of effort doing so. Then click the foreground select tool - just like they say - and suddenly everything I did with the intelligent tool is undone. WTF?

Does anyone know of an actual GIMP tutorial for removing background that doesn't cause me to throw a damn brick through my monitor?

Photoshop makes it easy, but clearly GIMP developers have a completely different philosophy on how a graphics tool should work and I can't figure out what their philosophy is.
Re: [CentOS] GPX files
At one point in time I wrote a script that converted gpx to kml so I could view them in Google Earth but it's been years since I did that. I don't know if Google Earth for Linux still exists.

On 05/30/2017 04:02 PM, J Martin Rushton wrote:
> I have a Garmin 78s marine GPS receiver and it stores tracks in GPX format. This is an XML encoded set of points giving longitude, latitude, time and sea depth. Garmin support viewing this via their Garmin Express product, but there only seem to be Windows and Mac versions. I've emailed them and await a reply.
>
> In the mean time, does anyone know of any Linux products that will enable me to view track data on a decent sized screen? I don't want to re-invent the wheel by coding up a hack myself.
>
> Thanks, Martin
Re: [CentOS] Low random entropy
On 05/27/2017 08:32 PM, Robert Moskowitz wrote:
> On 05/26/2017 08:35 PM, Leon Fauster wrote:
>> On 27.05.2017 at 01:09, Robert Moskowitz wrote:
>>> I am used to low random entropy on my arm boards, not an intel.
>>>
>>> On my Lenovo x120e, cat /proc/sys/kernel/random/entropy_avail reports 3190 bits of entropy.
>>>
>>> On my armv7 with Centos7 I would get 130 unless I installed rng-tools and then I get ~1300. SSH into one and it drops back to 30! for a few minutes. Sigh.
>>>
>>> Anyway on my new Zotac nano ad12 with an AMD E-1800 duo core, I am seeing 180.
>>>
>>> I installed rng-tools and no change. Does anyone here know how to improve the random entropy?
>>
>> http://issihosts.com/haveged/
>>
>> EPEL: yum install haveged
>
> WOW!!!
>
> installed, enabled, and started.
>
> Entropy jumped from ~130 bits to ~2000 bits
>
> thanks
>
> Note to anyone running a web server, or creating certs. You need entropy. Without it your keys are weak and attackable. Probably even known already.

Indeed. Installing haveged is the first thing I do when setting up a new CentOS 7 machine. Rebooting and verifying it starts on boot is the second.
Re: [CentOS] What's Next
On 05/16/2017 09:54 PM, John R Pierce wrote:
> On 5/16/2017 8:34 PM, Eugene Poole wrote:
>> OK, AMD has announced its new line of server and desktop processors. What level of CentOS has been tested on them? OK then, when will CentOS be tested on them? Or do we wait for Red Hat?
>
> If AMD's new CPUs aren't 100% compatible with existing software w/o needing special versions, AMD is shooting themselves in the foot.

There's a difference between compatible and optimal.

I can use my nVidia card with CentOS without needing to install any special drivers. It will work. However it works better with drivers specifically designed for it.

The same *may* be true of chipsets for AMD. I do not know, but would like to know. It's possible that it will install and boot but work better with drivers that Red Hat does not (yet) include in their kernel.

Time will tell. I suspect if that is the case and if AMD is open with their chipset that RHEL engineers will backport the drivers. But that may not be an issue so I guess it is wait and see, unless someone knows.
Re: [CentOS] SAN certificates for multiple domains and multiple services
I'm not sure I understand fully what you are doing but for postfix, use self-signed certs.

I have a script for generating a self-signed X.509v3 with SAN

https://github.com/AliceWonderMiscreations/SimpleCA/blob/master/keyGenMX_Dane.sh

(that project is not even close to being ready yet, ignore the various .md files there, but that particular script is ready and I use it in production)

The way that script is used -

sh keyGenMX_Dane.sh example1.com example2.com example1.net example2.net

It will create a self-signed X.509v3 certificate with SAN for whatever domains are listed as arguments.

It creates a 3-year certificate, you can edit it to do longer if you want. It creates 3072-bit RSA but you can edit the script to do 2048 or 4096 if you prefer. Whatever you use, it is recommended your postfix be configured to use DH parameters of equal or greater bits.

It also calculates the DANE TLSA fingerprints if you want to use those with DNSSEC but you don't have to.

-=-

Spending money on a commercial CA signed certificate for postfix is a waste of money because other servers don't check the certificate before sending, because the alternative to encryption is plain text anyway.

On 04/28/2017 01:37 AM, Nicolas Kovacs wrote:
> Hi,
>
> I'm currently installing and configuring CentOS 7 on a public server. The machine will host a few small-to-midsize projects that are currently running on a handful of Slackware servers: public library databases, our public school's agenda, a small webradio, OwnCloud for myself and a local non-profit, etc.
>
> Until recently I've mostly used self-signed SSL certificates for stuff needing a secure connection. Then, some time ago, I discovered LetsEncrypt and Certbot, which works very well, so I moved secure web hosting to using a free LetsEncrypt certificate.
>
> Now I want to take this to the next level and use these free certificates for multiple services. Not only web hosting, but also Postfix/Dovecot for mail and Prosody for XMPP.
>
> I had to fiddle a bit for permissions, so everything can access the certificate and key files right. I created a certs group and gave everything under /etc/letsencrypt/live to root:certs. Then, when a system user has to access this stuff, I simply add him to the certs group.
>
> Then came a moment when I hit a wall, because Postfix can't handle multiple certificates, only one. Let's say I have these domains on my server:
>
> * example1.com
> * example2.com
> * example1.net
> * example2.net
>
> When setting up Postfix, I can do one of these things:
>
> 1. continue to use a self-signed SSL certificate
> 2. choose one "preferred" domain on my server
> 3. setup multi-domain (SAN) certificates
>
> I tried the SAN certificates (after experimenting a lot and getting it right), and this stuff seems to work. I have one big bundle of certificates stored under /etc/letsencrypt/live/sd-41XXX.dedibox.fr (sd-41XXX.dedibox.fr being my server's FQDN), and I have all the certificates for all domains and subdomains of example1.com, example2.com, example1.net and example2.net.
>
> So before I go any further with this, I'm asking the more technically proficient admins here. Are there any drawbacks to using this solution? Is it problematic to bundle all my certificates into one big fat SAN certificate?
>
> This being said, the machine will host a maximum of two dozen domains, each with a handful of subdomains like mail.example1.com, xmpp.example1.com, etc.)
>
> Cheers,
>
> Niki Kovacs
Re: [CentOS] What besides Postfix should not start until system time set?
On 04/20/2017 02:00 PM, Robert Moskowitz wrote:
> So I have learned that Postfix should delay until Chronyd has moved the system time from 0 to current.
>
> What other services need to be delayed?
>
> Apache? Bind?
>
> Of course if this is a nameserver, Chronyd will probably not be able to resolve the NTP server addresses until Bind is running!
>
> thanks

I use unbound on all my servers listening only on the localhost, not sure if it needs the current time to be accurate when it starts or not but it never seems to be an issue.

I'm of the opinion every server should have locally provided DNSSEC enforcing DNS services simply because it takes away a potential attack vector to have local DNS queries stay local.
Re: [CentOS] Simple OCSP server ??
Oh I don't know, their github works. However it seems that it isn't able to deal with more than one ocsp signing key. On 04/16/2017 08:40 AM, Robert Moskowitz wrote: On 04/14/2017 10:41 PM, Alice Wonder wrote: https://www.openca.org/ might fit my needs. their Centos repo does not exist, it seems? On 04/14/2017 06:29 PM, Alice Wonder wrote: Hello list, I'm contemplating running my own CA to implement the new proposed ISP for validation of S/MIME certificates via DANE. I already use self-signed for my MX servers (with 3 1 1 dane records on TCP port 25) but I don't want to use self-signed for S/MIME for user specific x.509 certs because A) That's potentially a lot of DNS records B) That requires a hash of the e-mail addresses in DNS Instead, I will be using a wildcard in DNS with an intermediary that signs the user x.509 certificates. Using an intermediary to sign their certificates though means I can't just revoke their certificates by removing the DNS certificate, I'll need to provide an OCSP server for when one of their private keys gets compromised. I found https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Deploy_and_Install_Guide/install-oscp.html but it looks like that is intended for enterprise, more complex than I need. Anyone know of a good simple script for providing OCSP ?? -=- Not relevant to question but just important for me to note, I will *not* be asking people to install my root certificate in their e-mail clients. I think it is a bad practice to get users in the habit of installing root certificates. I think the PKI system has way way way to many root certificates as it is. I want a world where DANE validates most certificates, and only a few root certificates are needed for things like banks where EV certificates are a must. DANE as a way to validate S/MIME I think will be a godsend to e-mail security, I hope clients implement it. 
Re: [CentOS] OT: systemd Poll - So Long, and Thanks for All the fish.
On 04/16/2017 06:51 AM, Andrew Holway wrote: There is no doubt that most security agencies have a long list of zero- day exploits in their toolbox - I would hazard to suggest that they wouldn't be doing their job if they didn't! But I seriously doubt they would commission exploitable code in something that is openly auditable. P. P., I used to think that too... indeed, I was thoroughly convinced of it. But reality changed my mind. Indeed. I think the assertion "OSS is somehow safer because of community audit" is a logical fallacy. How would one go about "auditing" in the first place? Even if the various Intelligence agencies are not injecting vulnerabilities then they would certainly be in a strong position to discover some of the holes already existing some time before they become public. I'm more worried about cloud services and the large number of root certificates that software trusts by default. That's where a lot of the hacks are going to happen, and AFAIK the only defense against it is DNSSEC + DANE which very few zones actually utilize. ___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Simple OCSP server ??
https://www.openca.org/ might fit my needs. On 04/14/2017 06:29 PM, Alice Wonder wrote: Hello list, I'm contemplating running my own CA to implement the new proposed ISP for validation of S/MIME certificates via DANE. I already use self-signed for my MX servers (with 3 1 1 dane records on TCP port 25) but I don't want to use self-signed for S/MIME for user specific x.509 certs because A) That's potentially a lot of DNS records B) That requires a hash of the e-mail addresses in DNS Instead, I will be using a wildcard in DNS with an intermediary that signs the user x.509 certificates. Using an intermediary to sign their certificates though means I can't just revoke their certificates by removing the DNS certificate, I'll need to provide an OCSP server for when one of their private keys gets compromised. I found https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Deploy_and_Install_Guide/install-oscp.html but it looks like that is intended for enterprise, more complex than I need. Anyone know of a good simple script for providing OCSP ?? -=- Not relevant to question but just important for me to note, I will *not* be asking people to install my root certificate in their e-mail clients. I think it is a bad practice to get users in the habit of installing root certificates. I think the PKI system has way way way to many root certificates as it is. I want a world where DANE validates most certificates, and only a few root certificates are needed for things like banks where EV certificates are a must. DANE as a way to validate S/MIME I think will be a godsend to e-mail security, I hope clients implement it. ___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos ___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] connection state tracking with DNS [was Primary DNS...]
On 04/14/2017 06:54 PM, Gordon Messmer wrote:
On 04/11/2017 04:16 PM, Alice Wonder wrote:
Hi, I would like to see this addressed. Is there a firewalld solution to this issue?

Yes:

# Disable connection tracking for UDP DNS traffic
# https://kb.isc.org/article/AA-01183/0/Linux-connection-tracking-and-DNS.html
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -m conntrack --ctstate UNTRACKED -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -m conntrack --ctstate UNTRACKED -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 raw PREROUTING 100 -p udp -m udp --dport 53 -j CT --notrack
firewall-cmd --permanent --direct --add-rule ipv4 raw PREROUTING 100 -p udp -m udp --sport 53 -j CT --notrack
firewall-cmd --permanent --direct --add-rule ipv4 raw OUTPUT 100 -p udp -m udp --dport 53 -j CT --notrack
firewall-cmd --permanent --direct --add-rule ipv4 raw OUTPUT 100 -p udp -m udp --sport 53 -j CT --notrack
firewall-cmd --reload

Thank you!
___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
[CentOS] Simple OCSP server ??
Hello list,

I'm contemplating running my own CA to implement the new proposed ISP for validation of S/MIME certificates via DANE. I already use self-signed for my MX servers (with 3 1 1 dane records on TCP port 25) but I don't want to use self-signed for S/MIME for user specific x.509 certs because

A) That's potentially a lot of DNS records
B) That requires a hash of the e-mail addresses in DNS

Instead, I will be using a wildcard in DNS with an intermediary that signs the user x.509 certificates. Using an intermediary to sign their certificates though means I can't just revoke their certificates by removing the DNS certificate, I'll need to provide an OCSP server for when one of their private keys gets compromised.

I found https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Deploy_and_Install_Guide/install-oscp.html but it looks like that is intended for enterprise, more complex than I need. Anyone know of a good simple script for providing OCSP ??

-=-

Not relevant to question but just important for me to note, I will *not* be asking people to install my root certificate in their e-mail clients. I think it is a bad practice to get users in the habit of installing root certificates. I think the PKI system has way way way too many root certificates as it is. I want a world where DANE validates most certificates, and only a few root certificates are needed for things like banks where EV certificates are a must. DANE as a way to validate S/MIME I think will be a godsend to e-mail security, I hope clients implement it.
___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] bind vs. bind-chroot
On 04/13/2017 03:15 AM, Robert Moskowitz wrote: On 04/13/2017 04:23 AM, Alice Wonder wrote: On 04/13/2017 01:05 AM, Nicolas Kovacs wrote: Le 13/04/2017 à 04:27, Robert Moskowitz a écrit : But make sure to have SELinux enabled if you do not run it chrooted. I have mine running that way. I bluntly admit not using SELinux, because until now, I mainly used more bone-headed systems that didn't implement it. Maybe this is the right time to get started. I understand there's a wealth of information about SELinux. Any recommendations for a newbie-friendly primer? I don't mind to RTFM, even extensive documentation, but I prefer stuff that's well-written. Cheers, Niki I don't use SELinux because it gets in my way far more than it every actually protects me from anything. I'm sure there are systems where it absolutely is necessary, but I don't like to have stuff fail because I used mv instead of cp to install a certificate, for example. I need to do DNSSEC next; got to bother Mark Andrew over at ISC, did not get to sit down with him on this at IETF. So I don't know what certs I will need as yet. For my mailserver, I am using self-signed, and see my Apache setup, towards the end, how I create a set of certs: http://medon.htt-consult.com/Centos7-mailserver.html#Setting%20up%20Apache I had some help on this from the OpenSSL list. For authoritative DNS I also do not use chroot but authoritative DNS is all those servers do, and I use zones signed externally via DNSSEC (no private keys on the server) Something to consider, but I would do it on one of my internal systems. Not a third party; why should I trust them? Unless they are providing a full DNS PKI service. I meant DNSSEC signing is done externally to the authoritative DNS. I do the signing myself. Point being if someone hacked my authoritative DNS server, they could not alter my zone files in a way DNSSEC enforcing resolvers would accept because the signing keys are not there. 
Re: [CentOS] bind vs. bind-chroot
On 04/13/2017 01:05 AM, Nicolas Kovacs wrote: Le 13/04/2017 à 04:27, Robert Moskowitz a écrit : But make sure to have SELinux enabled if you do not run it chrooted. I have mine running that way. I bluntly admit not using SELinux, because until now, I mainly used more bone-headed systems that didn't implement it. Maybe this is the right time to get started. I understand there's a wealth of information about SELinux. Any recommendations for a newbie-friendly primer? I don't mind to RTFM, even extensive documentation, but I prefer stuff that's well-written. Cheers, Niki I don't use SELinux because it gets in my way far more than it ever actually protects me from anything. I'm sure there are systems where it absolutely is necessary, but I don't like to have stuff fail because I used mv instead of cp to install a certificate, for example. For authoritative DNS I also do not use chroot but authoritative DNS is all those servers do, and I use zones signed externally via DNSSEC (no private keys on the server) ___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Enterprise Linux Slack
On 04/12/2017 09:36 AM, Phelps, Matthew wrote: On Wed, Apr 12, 2017 at 12:26 PM, Nux! wrote: To be honest Freenode is nice and I'd be sad to see it replaced with anything. So cool to be a "/join #project" away from getting help. IRC is a problem for those of us behind government/corporate firewalls. IRC is perceived as a hacker haven and is usually blocked. I seem to recall some web-based IRC clients existing. ___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
[CentOS] humor (was Re: OT: systemd Poll)
On 04/12/2017 05:59 AM, Leroy Tennison wrote: Why don't we discuss something ***less*** controversial, like politics or religion? Even when I'm the one complaining (and I don't about systemd), I'm always reminded of some TV clip I saw when I was young and can't place of a bunch of old people complaining : "Well we've never done it that way before" ___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Enterprise Linux Slack
On 04/12/2017 05:28 AM, Alice Wonder wrote:
On 04/12/2017 05:23 AM, Andrew Holway wrote:
Hallo, Considering the relative decline of IRC (sorry folks) I have set up a Slack for Enterprise Linux. I've been using "pythondev.slack.com" and honestly, it's a fantastic tool for community support with really nice features for computer centric discussion. https://enterpriselinux.slack.com/shared_invite/MTY4MTM5NjQ2NTc5LTE0OTE5OTkyNTctMjkyNGU1NWQzOA My hope is that those running Rhel and Centos can have a common place to flame war about SystemD, what to do when FreeIPA replication breaks and how to give your network interfaces sensible names without having to use a pastebin. Thoughts? Experiences?

Well it claims to have sent me an e-mail but so far it hasn't.

Might be:

Apr 12 12:29:23 li796-67 postfix/smtpd[942]: warning: hostname ddit888.net does not resolve to address 211.72.214.34: Name or service not known
Apr 12 12:29:23 li796-67 postfix/smtpd[942]: connect from unknown[211.72.214.34]
Apr 12 12:29:25 li796-67 postfix/smtpd[942]: disconnect from unknown[211.72.214.34]

Not sure, it connected and then disconnected at the right time but no message. All other maillog entries at the right time are accounted for.
___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Enterprise Linux Slack
On 04/12/2017 05:23 AM, Andrew Holway wrote: Hallo, Considering the relative decline of IRC (sorry folks) I have set up a Slack for Enterprise Linux. I've been using "pythondev.slack.com" and honestly, it's a fantastic tool for community support with really nice features for computer centric discussion. https://enterpriselinux.slack.com/shared_invite/MTY4MTM5NjQ2NTc5LTE0OTE5OTkyNTctMjkyNGU1NWQzOA My hope is that those running Rhel and Centos can have a common place to flame war about SystemD, what to do when FreeIPA replication breaks and how to give your network interfaces sensible names without having to use a pastebin. Thoughts? Experiences? Well it claims to have sent me an e-mail but so far it hasn't. ___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Network Manager / CentOS 7 / local unbound
I think configuring NetworkManager not to touch it is the right solution. Unless there are cases where NetworkManager ignores its configuration but I haven't seen those. A fancier solution might be to have some kind of systemd script that rewrites it if and only if the unbound daemon has successfully started and I thought about looking in to doing that, but that means if the unbound daemon for some reason doesn't start, it would be using the less secure ISP provided DNS resolution and I'd rather have it fail so I know there's a problem and can investigate. On 04/12/2017 02:02 AM, Nux! wrote: OR just make the file immutable if it's so critical to you. -- Sent from the Delta quadrant using Borg technology! Nux! www.nux.ro - Original Message - From: "Jon LaBadie" <j...@labadie.us> To: "CentOS mailing list" <centos@centos.org> Sent: Wednesday, 12 April, 2017 07:16:22 Subject: Re: [CentOS] Network Manager / CentOS 7 / local unbound On Tue, Apr 11, 2017 at 01:40:21AM -0700, Alice Wonder wrote: Hello list - http://unix.stackexchange.com/questions/90035/how-to-set-dns-resolver-in-fedora-using-network-manager That says it works for CentOS 5 and I *suspect* the methods there (3 listed) would work, but what is the best way with NetworkManager to set it up to use the localhost for DNS ? I'm paranoid about DNS spoofing and really prefer to have a local instance of DNSSEC enforcing unbound running on my CentOS 7 virtual machines (e.g. linode) Currently I just use a cron job that runs once a minute to over-write was it is /etc/resolv.conf so they don't use the DHCP assigned nameservers, but that does leave a short window every time the network is restarted. Besides the suggested configs, if still worried you could set up an inotify watch on /etc/resolv.conf to let you know, or take action, whenever it changes. jon -- Jon H. LaBadie j...@jgcomp.com 11226 South Shore Rd. 
(703) 787-0688 (H) Reston, VA 20190 (703) 935-6720 (C) ___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
[CentOS] connection state tracking with DNS [was Primary DNS...]
Hi, I would like to see this addressed. I found more information on the issue at https://kb.isc.org/article/AA-01183/0/Linux-connection-tracking-and-DNS.html Is there a firewalld solution to this issue? On 04/11/2017 11:05 AM, Chris Adams wrote: One additional DNS server note: you should disable firewalld for any DNS server, caching or authoritative. If you need firewalling, use straight iptables. The reason is that firewalld always enables connection state tracking (at least as far as I can tell), and that should never be used in front of a DNS server. A public authoritative server or any caching server can get a high rate of requests, and having the kernel firewalling trying to track connection states is a bottleneck (one that will be reached before DNS software's limits). If you must firewall a DNS server, use straight iptables and do not use connection state tracking. ___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] OT: systemd Poll
On 04/11/2017 10:36 AM, Gordon Messmer wrote: On 04/11/2017 10:16 AM, Nicolas Kovacs wrote: I just read through this thread, and I must say I'm a bit worried, to the point that I'm asking myself: is CentOS still as reliable as it was? Yes. I've been very happy with release 7 across hundreds of servers and dozens of configurations. Ditto that. CentOS 7 has been an amazing release for me. ___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Primary DNS server with BIND on a public machine running CentOS 7
If you are looking for a recursive resolver, I would highly recommend unbound. If you are looking for an authoritative DNS server, I would highly recommend NSD. I run both and find both extremely easy to configure and maintain. Both are available from the EPEL repositories. I stopped using bind years ago and never looked back. On 04/11/2017 10:05 AM, Nicolas Kovacs wrote: Hi, I just installed CentOS 7 on a public server. I'd like to setup BIND as a primary DNS server for a few domains. Until now, all my public machines were running Slackware Linux, and setting up BIND on a Slackware machine is relatively easy. In its out of the box configuration, it has a bone-headed caching nameserver role, which is quite easy to expand to a primary nameserver. Here's my documentation. It's in French, but the *nix bits are universal. http://blog.microlinux.fr/bind-slackware/ On my server running CentOS, I notice things are more complicated in the default configuration. The problem here is not so much documentation, but more like the wealth of information on the subject of BIND on CentOS, with often contradicting information. Is there a *reliable* more or less quick & dirty tutorial on how to get BIND up and running as a primary public nameserver, with the default configuration as a starting point? Think "recipe for pasta" and not "degree in food chemistry". :o) Cheers, Niki ___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] OT: systemd Poll
On 04/11/2017 05:39 AM, Alice Wonder wrote: On 04/11/2017 05:30 AM, Jonathan Billings wrote: On Tue, Apr 11, 2017 at 08:09:01AM -0400, Pete Orrall wrote: And *why* random NIC names? Quick, you've got servers from 5 manufacturers, of different ages... what's the NIC going to be called? Do names like enp5s0 offer any convenience to *anyone* not a hardware engineer? As someone else had stated, it's not related to SystemD but Fedora/RHEL has changed the way they handle some things. NICs, for instance, are no longer named after the device number (eth0, eth1, eth2, etc.) but after the *driver* name. Yes, it's a change but it also makes sense. IIRC this is how FreeBSD handles NIC names. It's true that FreeBSD names their network interfaces after the driver. But the consistent device naming in Linux comes from slot index numbers, physical location and even the MAC (if so configured), and not what driver it uses. https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Networking_Guide/ch-Consistent_Network_Device_Naming.html#sec-Naming_Schemes_Hierarchy Okay that makes sense. 
eno1: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500 ether 0c:c4:7a:c8:a5:4c txqueuelen 1000 (Ethernet)
eno2: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500 ether 0c:c4:7a:c8:a5:4d txqueuelen 1000 (Ethernet)

Those two are my onboard nic, Intel - Scheme 1

enp10s0f0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500 ether 00:1b:21:94:72:37 txqueuelen 1000 (Ethernet)
enp10s0f1: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500 ether 00:1b:21:94:72:36 txqueuelen 1000 (Ethernet)
enp9s0f0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500 ether 00:1b:21:94:72:35 txqueuelen 1000 (Ethernet)
enp9s0f1: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500

Those four are on a PCI-E card, Intel - Scheme 3

05:00.0 Ethernet controller: Intel Corporation I210 Gigabit Network Connection (rev 03)
06:00.0 Ethernet controller: Intel Corporation I210 Gigabit Network Connection (rev 03)
09:00.0 Ethernet controller: Intel Corporation 82571EB Gigabit Ethernet Controller (Copper) (rev 06)
09:00.1 Ethernet controller: Intel Corporation 82571EB Gigabit Ethernet Controller (Copper) (rev 06)
0a:00.0 Ethernet controller: Intel Corporation 82571EB Gigabit Ethernet Controller (Copper) (rev 06)
0a:00.1 Ethernet controller: Intel Corporation 82571EB Gigabit Ethernet Controller (Copper) (rev 06)

Anyway thanks for that link.

er, I meant to add that the 09: seems to correspond with the enp9s* and the 0a: seems to correspond with the enp10s*
___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] OT: systemd Poll
On 04/11/2017 05:30 AM, Jonathan Billings wrote: On Tue, Apr 11, 2017 at 08:09:01AM -0400, Pete Orrall wrote: And *why* random NIC names? Quick, you've got servers from 5 manufacturers, of different ages... what's the NIC going to be called? Do names like enp5s0 offer any convenience to *anyone* not a hardware engineer? As someone else had stated, it's not related to SystemD but Fedora/RHEL has changed the way they handle some things. NICs, for instance, are no longer named after the device number (eth0, eth1, eth2, etc.) but after the *driver* name. Yes, it's a change but it also makes sense. IIRC this is how FreeBSD handles NIC names. It's true that FreeBSD names their network interfaces after the driver. But the consistent device naming in Linux comes from slot index numbers, physical location and even the MAC (if so configured), and not what driver it uses. https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Networking_Guide/ch-Consistent_Network_Device_Naming.html#sec-Naming_Schemes_Hierarchy Okay that makes sense. 
eno1: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500 ether 0c:c4:7a:c8:a5:4c txqueuelen 1000 (Ethernet)
eno2: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500 ether 0c:c4:7a:c8:a5:4d txqueuelen 1000 (Ethernet)

Those two are my onboard nic, Intel - Scheme 1

enp10s0f0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500 ether 00:1b:21:94:72:37 txqueuelen 1000 (Ethernet)
enp10s0f1: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500 ether 00:1b:21:94:72:36 txqueuelen 1000 (Ethernet)
enp9s0f0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500 ether 00:1b:21:94:72:35 txqueuelen 1000 (Ethernet)
enp9s0f1: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500

Those four are on a PCI-E card, Intel - Scheme 3

05:00.0 Ethernet controller: Intel Corporation I210 Gigabit Network Connection (rev 03)
06:00.0 Ethernet controller: Intel Corporation I210 Gigabit Network Connection (rev 03)
09:00.0 Ethernet controller: Intel Corporation 82571EB Gigabit Ethernet Controller (Copper) (rev 06)
09:00.1 Ethernet controller: Intel Corporation 82571EB Gigabit Ethernet Controller (Copper) (rev 06)
0a:00.0 Ethernet controller: Intel Corporation 82571EB Gigabit Ethernet Controller (Copper) (rev 06)
0a:00.1 Ethernet controller: Intel Corporation 82571EB Gigabit Ethernet Controller (Copper) (rev 06)

Anyway thanks for that link.
___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Network Manager / CentOS 7 / local unbound
From the man page that does tell it not to mess with /etc/resolv.conf - thank you. That will work.

On 04/11/2017 02:21 AM, anax wrote:
Hi Alice

man NetworkManager.conf

in /etc/NetworkManager/NetworkManager.conf

dns=none

*snip*
___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
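The setup this thread settles on (dns=none in NetworkManager.conf, loopback-only nameservers in /etc/resolv.conf, and failing rather than quietly using DHCP-assigned resolvers) can be checked with a small script. This is an added example, not code from any poster; the function names are made up for illustration and the sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): check that DNS stays pinned to the
# local resolver. Paths are arguments so the checks can be run on copies.

# True only if the [main] section sets dns=none, the setting quoted from
# man NetworkManager.conf in the thread. Reads just the one file given;
# drop-in files under conf.d are not considered here.
nm_dns_is_none() (
    section='' value=''
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d ' \t\r')
        case $line in
            ''|'#'*) continue ;;
            '['*']') section=$line ;;
            dns=*) [ "$section" = '[main]' ] && value=${line#dns=} ;;
        esac
    done < "$1"
    [ "$value" = none ]
)

# True only if the file has at least one nameserver line and every
# nameserver is a loopback address (127.x.x.x or ::1).
resolv_conf_is_local_only() (
    count=0
    while read -r keyword addr _rest || [ -n "$keyword" ]; do
        [ "$keyword" = nameserver ] || continue
        count=$((count + 1))
        case $addr in
            127.*|::1) ;;
            *) exit 1 ;;
        esac
    done < "$1"
    [ "$count" -gt 0 ]
)

# Prints one line per problem and returns the number of problems, so a
# caller can fail closed instead of carrying on with other resolvers.
audit_local_dns() {
    problems=0
    if ! nm_dns_is_none "$1"; then
        echo "FAIL: $1 does not set dns=none in [main]"
        problems=$((problems + 1))
    fi
    if ! resolv_conf_is_local_only "$2"; then
        echo "FAIL: $2 lists a non-loopback nameserver (or none at all)"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample files (not taken from a real host).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '[main]\nplugins=ifcfg-rh\ndns=none\n' > "$demo_dir/nm-good.conf"
printf '[main]\nplugins=ifcfg-rh\n' > "$demo_dir/nm-default.conf"
printf 'nameserver 127.0.0.1\nnameserver ::1\n' > "$demo_dir/resolv-good"
printf '# Generated by NetworkManager\nnameserver 203.0.113.53\n' > "$demo_dir/resolv-dhcp"

audit_local_dns "$demo_dir/nm-good.conf" "$demo_dir/resolv-good" && echo "OK: DNS pinned to localhost"
audit_local_dns "$demo_dir/nm-default.conf" "$demo_dir/resolv-dhcp" || echo "$? problem(s) found"
```

On a real host the two arguments would be /etc/NetworkManager/NetworkManager.conf and /etc/resolv.conf.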
[CentOS] Network Manager / CentOS 7 / local unbound
Hello list - http://unix.stackexchange.com/questions/90035/how-to-set-dns-resolver-in-fedora-using-network-manager That says it works for CentOS 5 and I *suspect* the methods there (3 listed) would work, but what is the best way with NetworkManager to set it up to use the localhost for DNS ? I'm paranoid about DNS spoofing and really prefer to have a local instance of DNSSEC enforcing unbound running on my CentOS 7 virtual machines (e.g. linode) Currently I just use a cron job that runs once a minute to over-write was it is /etc/resolv.conf so they don't use the DHCP assigned nameservers, but that does leave a short window every time the network is restarted. I'd like to know the proper way to set up Network Manager to just create nameserver 127.0.0.1 nameserver ::1 in /etc/resolv.conf Via google, it seems every distro approaches it differently and most instructions I have seen involve a GUI. I did not see how to do it in the CentOS documentation but it might be there and I just did not figure out how to search it for what I wanted. Those stackexchange methods look like they might work but they reference CentOS 5 and I know some NetworkManager stuff changed even just between 7.2 and 7.3 as I experienced incorrect IPv6 address after update as a result of those changes. Is there an "official" way to tell NetworkManager what I want in /etc/resolv.conf ? Or better yet, a way to just tell it to leave that file alone? ___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] OT: systemd Poll
On 04/08/2017 09:39 PM, Anthony K wrote: According to "Arthur Schopenhauer": "All truth passes through three stages. First, it is ridiculed. Second, it is violently opposed. Third, it is accepted as being self-evident." I must admit that I skipped through the first and second stages - I never found creating init scripts a joy and instead opted to write my own scripts that I launched via inittab. As such, I welcomed the simplicity systemd's service files without fuss. So, at which stage are you in w/ regards to adopting systemd? Are you still ridiculing it, violently opposed to it, or have you mellowed to it? I am using systemd, don't really have a problem with it. It was different at first but so far I manage to have adjusted. It's different. For better or worse I can't say, but I can do what I need to do with it. ___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Withdraw - Re: Roundcubemail 1.1.8 possible bug?
Leaving it off is a bad recommendation. Many have pointed that out. The problem is that sometimes it results in content being sent after the php sends the content, when there is white space after the closing ?> However the proper thing to do is make sure that you do not have white space after the closing ?> Leaving the ?> off is sloppy coding and a sloppy solution. On 04/05/2017 04:36 PM, Robert Moskowitz wrote: I do not code php, I only use it in things like Roundcubemail, so I was at first surprised that the config file was missing the closing ?> tag. Then I noticed that ALL of the various php config files were missing it. So I did some googling and found out it is actually recommended to leave it off. Humph. On 04/05/2017 12:09 PM, Robert Moskowitz wrote: I am installing Roundcubemail on Centos7-arm roundcubemail-1.1.8-1.el7.noarch The installer web app creates a config.inc.php to save within the /etc/roundcubemail/ directory. It warns that: "Make sure that there are no characters outside the brackets when saving the file." Thing is there is no ?> at the end of this. It is left out. So I got to add that myself. I should be able to just copy the content of the text box, and paste it into a cat > /etc/roundcubemail/config.inc.php, but I am left having to at least add the ending ?> ___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
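One way to check for white space after a closing ?>, as discussed in the message above. This is an added example, not code from the thread or from Roundcube; the function names and sample files are constructed. PHP swallows a single newline that directly follows ?>, so that case is reported as clean.

```shell
#!/bin/sh
# Added example (not from the thread): classify what follows the last "?>"
# in a PHP file.
NL='
'

# Prints one of: clean, trailing-whitespace, no-closing-tag, markup-follows.
# Returns 1 only for trailing-whitespace.
php_closing_tag_check() (
    content=$(cat "$1"; printf x)     # the sentinel keeps trailing newlines
    content=${content%x}
    case $content in
        *'?>'*) ;;
        *) echo no-closing-tag; exit 0 ;;
    esac
    rest=${content##*'?>'}            # everything after the last "?>"
    if [ -n "$(printf '%s' "$rest" | tr -d ' \t\r\n')" ]; then
        echo markup-follows; exit 0   # template file: the tag is not the end
    fi
    if [ -z "$rest" ] || [ "$rest" = "$NL" ]; then
        echo clean; exit 0            # nothing, or the one newline PHP eats
    fi
    echo trailing-whitespace; exit 1  # CRLF is reported too, conservatively
)

# Print every *.php file under directory $1 that has stray white space
# after its closing tag; return 1 if any was found.
php_scan_dir() {
    find "$1" -type f -name '*.php' | sort | {
        bad=0
        while IFS= read -r f; do
            if [ "$(php_closing_tag_check "$f")" = trailing-whitespace ]; then
                echo "$f"
                bad=1
            fi
        done
        [ "$bad" -eq 0 ]
    }
}

# Constructed sample files.
php_dir=$(mktemp -d)
trap 'rm -rf "$php_dir"' EXIT
printf '<?php\n$config = array();\n?>\n'      > "$php_dir/clean.php"
printf '<?php\n$config = array();\n?>\n\n \n' > "$php_dir/padded.php"
printf '<?php\n$config = array();\n'          > "$php_dir/open.php"
printf '<?php echo 1; ?>\n<p>ok</p>\n'        > "$php_dir/template.php"

php_scan_dir "$php_dir" || echo "stray white space after ?> in the file(s) above"
```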
Re: [CentOS] M.2 PCI-E card
On 04/03/2017 06:17 PM, Chris Adams wrote: Once upon a time, Alice Wonder <al...@domblogger.net> said: I need a low profile PCI-E card that allows for up to 2 M.2 SSD drives that is known to work with the stock kernel in CentOS 7. Can anyone recommend one? I can't recommend a specific one, but any adapter card should work. However, note that M.2 is not a single "thing" to the computer; the drive interface can be SATA, PCI-E AHCI, or PCI-E NVMe. The first two would look the same as a traditional SATA device to the OS, so should be fine. The third is a different interface; I haven't looked to see if the CentOS 7 kernel supports NVMe (I suspect it does, but you should check before buying an NVMe device). I know that NVMe works fine with recent Fedora. Also note when choosing an adapter; the M.2 slot is keyed different for the different device types, so make sure you get an adapter that matches your device. Thanks! I ordered a 2.5" SATA drive and they screwed up and sent me M.2 - I'll be sure to look at the booklet (Intel SSD 5 but there may be more than one variant?) ___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
[CentOS] M.2 PCI-E card
Hello list, My instinct says the vast majority will "just work" but I'll ask anyway. I need a low profile PCI-E card that allows for up to 2 M.2 SSD drives that is known to work with the stock kernel in CentOS 7. Can anyone recommend one? Thanks ___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Sendmail is considered deprecated
On 03/31/2017 02:57 PM, Valeri Galtsev wrote:
On Fri, March 31, 2017 4:46 pm, Alice Wonder wrote:
On 03/31/2017 02:40 PM, Kenneth Porter wrote:
On 3/31/2017 2:15 PM, Valeri Galtsev wrote:

Well, it sounds like you are one of the companies with whose effort I have to fight constantly in my own effort to protect our users from spam...

What makes Postfix superior in fighting spam?

I actually made two independent statements: 1. That I use postfix forever (postfix was written by Wietse Venema with security in mind). 2. That the company the OP works for judging from my reading of OP's post makes money by facilitating the creation of spam (by their customers).

By no means I meant to say postfix is superior to sendmail in fighting spam. Neither of them is designed for fighting spam, each of them is merely MTA. Postfix, however, having human readable configs with rather logical logics makes it easier (for me) to administer, therefore easier (for me again) to integrate with anti-spam components (amavisd, spamassassin, clamav - the last to scan for viruses - or rather virii I should say as that is plural of latin word ;-)

Just my $0.02. Valeri

That's pretty much why I started using postfix, I don't remember when but I believe it was with Red Hat 7 (pre Fedora days). It was much easier for me to configure postfix on a web application server and have it send encrypted to their MX than it was to configure sendmail. It was possible with sendmail but I wasted hours trying to get sendmail configured, first time with postfix was cake.

Now I use it because of the support for opportunistic DANE (I run an updated version, built from CentOS src.rpm but with version bump) so that when the receiving MX has DNSSEC with a TLSA record on port 25, I know the message is either delivered to that MX encrypted or not at all. The attack that strips the STARTTLS causing plain text won't work when the receiving MX is configured with DANE.

Right now Comcast is the only major ISP in the United States that has MX servers configured with DANE, but several small ones do as well, and several in Europe are as well (especially .nl and .de mail servers). I don't know if sendmail has been updated to support DANE yet or not, but last time I looked, it did not.
Re: [CentOS] Sendmail is considered deprecated
On 03/31/2017 02:40 PM, Kenneth Porter wrote:
On 3/31/2017 2:15 PM, Valeri Galtsev wrote:

Well, it sounds like you are one of the companies with whose effort I have to fight constantly in my own effort to protect our users from spam...

What makes Postfix superior in fighting spam? How do I integrate MIMEDefang, SpamAssassin, and ClamAV with Postfix? Are there migration guides for moving one's Sendmail anti-spam and AV configurations to Postfix?

I don't know about MIMEDefang but SpamAssassin and ClamAV are pretty straightforward. There are guides for both with Postfix all over the net. MIMEDefang I have not heard of, but unless it does something really funky I suspect it also is easy to set up with Postfix.
Re: [CentOS] Sendmail is considered deprecated
On 03/31/2017 01:57 PM, Xinhuan Zheng wrote:

Hello, Today I searched redhat official portal and learned that Sendmail is considered deprecated. By default, CentOS 7 will use postfix as MTA. I need good advice on what it means to us. We are CentOS customers. We use that operating system for quite a few years. We rely on Sendmail for years for us to relay large quantity of emails to our customers for marketing purpose. We build our additional fallback servers as well for fallback relays. We build our customized configuration for Sendmail too. I really need help to figure out if we can continue using Sendmail (even deprecated) for future long term and what implication would be doing so. Thanks, - xinhuan

You can still install sendmail, but postfix is the default, a decision I personally support as I have found it to be a lot easier to administer than sendmail with a much better security track record. Historically, you would use system-switch-mail to select your preferred MTA to switch from the default. I don't know if that is still the method, since the default now is what I prefer.
Re: [CentOS] sound problems... config?
On 03/29/2017 04:05 AM, ken wrote:
On 03/28/2017 11:40 PM, Alice Wonder wrote:
On 03/28/2017 05:53 PM, ken wrote:

The www has failed me with this, so I'm trying you guys. Sound worked great out of the box when I installed 7.2... Yay! I could watch all kinds of videos, like on facebook and youtube. And I could listen to most podcasts too. But then something happened. It was either a kernel upgrade or that I installed vlc (for watching videos on DVD) and the whole stack of codecs for it... I don't know exactly when, but at some point I no longer had sound with youtube and other web videos. The videos played fine, just no sound. Note that using vlc, both video and the audio with it play just fine. I need to select the audio driver (from a list in a vlc menu), however, else the sound won't work in vlc either.

If I go into the Applications menu, then System Tools -> Settings -> Sound, under "Choose a device for sound output:" there are no devices listed. There used to be. If I run "aplayer file.wav", nothing plays (no sound at all) and I get the error "main:786: audio open error: No such file or directory". If, on the other hand, I run "aplay file.wav -D plughw:0" (i.e., specify the/a device), I do get sound, the file does play. I ran alsa-info.sh and it posted tons of info from it on my setup at http://www.alsa-project.org/db/?f=1dba91886be054df4816000768a0f5b109947a48. Yet it still doesn't tell me what's missing. Anyone here have an idea...? or thoughts about where to look next? tia, ken

I have similar issue with USB headphones. Worked fine in 7.2 but in 7.3 I frequently have to unplug and plug them back in before it finally is able to be selected from the menus as my output. Once it is selected, it stays selected until next reboot.

Alice, Thanks for your reply. I believe you and I are looking at two separate problems. My system is capable of switching between the onboard speakers and the headphones with no problem at all (when the sound is working at all). That is, when there's sound out of the onboards, I can plug in the headphones and sound instantly comes out of them, and vice versa... even in the middle of one and the same video.

In your case the problem may have more to do with USB. USB is notoriously slow... at least it used to be. This is due to timing, i.e., after loading the USB sub-system, the system has to query the USB device to find out what it is (e.g., mouse, joystick, headphones, touchpad, etc.) and there are a bazillion different kinds of USB devices... a long list of things to query. Not only that, but a single query takes time: the system has to give the device time to respond-- it used to be a second or two. And there are ever more USB devices. Maybe too your headphones are near the bottom of the long list of USB devices. I don't know that this is your situation. It could be something else (a half dozen other hang-ups). But you might want to test by plugging in your USB headphones and then leaving the plug in, waiting a couple minutes to see if they start to work.

Alice, could you please post the output of these three commands (for comparison purposes):

uname -r
ps -ef|grep -i alsa
aplayer -L

Thanks.

[alice@localhost ~]$ uname -r
3.10.0-514.6.2.el7.x86_64
[alice@localhost ~]$ ps -ef |grep -i alsa
root 858 1 0 Feb27 ? 00:00:00 /usr/sbin/alsactl -s -n 19 -c -E ALSA_CONFIG_PATH=/etc/alsa/alsactl.conf --initfile=/lib/alsa/init/00main rdaemon
alice 29238 29155 0 09:03 pts/19 00:00:00 grep --color=auto -i alsa
[alice@localhost ~]$ aplayer -L
bash: aplayer: command not found...
[alice@localhost ~]$

-=-

Intel xeon on supermicro board

No onboard sound but unfortunately the video card has Intel HD audio associated with the HDMI out that for some reason the system always defaults to after boot even though there is no audio out on the video card (nvidia card) other than the HDMI which I only use for video. I had blacklisted the Intel HD and that worked under CentOS 7.2 but I couldn't get USB audio to work in 7.3 until I removed the blacklisted Intel HD driver, but I'm not sure if that was cause and effect or coincidence.

I really wish USB sound would "just work" and that the sound preferences would remember I prefer USB after a reboot. Linux used to be better about that sort of thing.
Re: [CentOS] sound problems... config?
On 03/28/2017 05:53 PM, ken wrote:

The www has failed me with this, so I'm trying you guys. Sound worked great out of the box when I installed 7.2... Yay! I could watch all kinds of videos, like on facebook and youtube. And I could listen to most podcasts too. But then something happened. It was either a kernel upgrade or that I installed vlc (for watching videos on DVD) and the whole stack of codecs for it... I don't know exactly when, but at some point I no longer had sound with youtube and other web videos. The videos played fine, just no sound. Note that using vlc, both video and the audio with it play just fine. I need to select the audio driver (from a list in a vlc menu), however, else the sound won't work in vlc either.

If I go into the Applications menu, then System Tools -> Settings -> Sound, under "Choose a device for sound output:" there are no devices listed. There used to be. If I run "aplayer file.wav", nothing plays (no sound at all) and I get the error "main:786: audio open error: No such file or directory". If, on the other hand, I run "aplay file.wav -D plughw:0" (i.e., specify the/a device), I do get sound, the file does play. I ran alsa-info.sh and it posted tons of info from it on my setup at http://www.alsa-project.org/db/?f=1dba91886be054df4816000768a0f5b109947a48. Yet it still doesn't tell me what's missing. Anyone here have an idea...? or thoughts about where to look next? tia, ken

I have similar issue with USB headphones. Worked fine in 7.2 but in 7.3 I frequently have to unplug and plug them back in before it finally is able to be selected from the menus as my output. Once it is selected, it stays selected until next reboot.
Re: [CentOS] qmail package for CentOS 7
On 03/14/2017 12:53 AM, Rajmohan Banavi wrote:

Is there any package available for qmail? I am having a hard time finding it.

I doubt it, qmail is quite deprecated and does not support any modern TLS capabilities without a ton of community provided patches. I doubt even with community supported patches that it will ever support RFC 7672 which is important (it takes the "opportunistic" out of opportunistic TLS when both servers implement it, preventing protocol downgrade attacks that now are as easy as removing the STARTTLS).
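The difference between plain opportunistic STARTTLS and the DANE behaviour (RFC 7672) described in this reply and in the Sendmail thread above, modelled as an added example that is not part of the original posts. The `MX` class, the function names and the key bytes are constructed for illustration; DNSSEC validation and the TLS handshake are assumed to have happened elsewhere, and only "3 1 1" TLSA records are handled.

```python
import hashlib
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class MX:
    """What a sending MTA observes for one receiving MX (hypothetical model)."""
    offers_starttls: bool   # STARTTLS keyword present in the EHLO reply as received
    spki: bytes             # public key presented in the TLS handshake (placeholder bytes)
    tlsa_311: tuple = ()    # DNSSEC-validated "3 1 1" TLSA digests at _25._tcp.<mx>

def tlsa_311_digest(spki: bytes) -> str:
    """TLSA usage 3 (DANE-EE), selector 1 (SPKI), matching type 1 (SHA-256)."""
    return hashlib.sha256(spki).hexdigest()

def delivery_decision(mx: MX) -> str:
    """Return what the sender does with a queued message for this MX."""
    if mx.tlsa_311:
        # Secure TLSA records exist: TLS is mandatory and the key must match.
        if not mx.offers_starttls:
            return "defer: TLSA published but STARTTLS not offered"
        if tlsa_311_digest(mx.spki) not in mx.tlsa_311:
            return "defer: presented key matches no TLSA record"
        return "deliver: TLS, DANE-authenticated"
    # No secure TLSA records: plain opportunistic TLS, which accepts cleartext.
    if mx.offers_starttls:
        return "deliver: TLS, unauthenticated"
    return "deliver: cleartext"

def compare_policies() -> dict:
    """Run the same interference against an MX with and without TLSA records."""
    real_key = b"constructed placeholder for the MX's SubjectPublicKeyInfo"
    other_key = b"constructed placeholder for a key the MX does not own"
    plain_mx = MX(offers_starttls=True, spki=real_key)
    dane_mx = replace(plain_mx, tlsa_311=(tlsa_311_digest(real_key),))
    return {
        "plain, untouched": delivery_decision(plain_mx),
        "plain, STARTTLS removed": delivery_decision(replace(plain_mx, offers_starttls=False)),
        "dane, untouched": delivery_decision(dane_mx),
        "dane, STARTTLS removed": delivery_decision(replace(dane_mx, offers_starttls=False)),
        "dane, key substituted": delivery_decision(replace(dane_mx, spki=other_key)),
    }

if __name__ == "__main__":
    for case, outcome in compare_policies().items():
        print(f"{case:26} -> {outcome}")
```

The only case that ends in cleartext delivery is the MX without TLSA records; with them, a missing STARTTLS keyword or an unexpected key leaves the message in the queue.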
Re: [CentOS] From Networkmanager to self managed configuration files
On 03/08/2017 01:57 AM, Giles Coochey wrote:

The recommended configuration for EL7 is to use NetworkManager unless you have a very specific edge case preventing you from doing so:

The truth is a lot of us run servers that don't need to have their network "managed" by NetworkManager. My experience was very difficult going from 7.2 to 7.3 because of a change in the behavior of NetworkManager with respect to IPv6 but once I had it figured out (thanks to people on this list) it worked out quite well and I kept NetworkManager. But I certainly understand why some don't want to do that.