Hi Eric,

CentOS 8, fresh install
OVH VPS server (ovh.com)

{send,smtp,smtps,submission}: unable to open supervise/ok: file does not exist
{send,smtp,smtps,submission}/log: unable to open supervise/ok: file does not exist
systemd service:    clamav-daemon.service:       [  FAILED  ]
systemd service:     clamav-daemon.socket:       [  FAILED  ]
systemd service:                  dovecot:       [  FAILED  ]

CentOS 8 minimal install doesn't include firewalld;
chaining the SELINUX command to the firewalld command, which does not exit 0,
makes SELINUX keep its enforcing status (default),
therefore svscan can't create the supervise files and directories,
and dovecot can't link to servercert.pem…

1- don't chain SELINUX to firewalld:
qt_install_cos8.sh:10
-   echo -n "Reload firewall settings : " && tput setaf 2 && firewall-cmd 
--reload && tput sgr0 && \
+   echo -n "Reload firewall settings : " && tput setaf 2 && firewall-cmd 
--reload && tput sgr0
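
Review bot: on the `+` line, `tput sgr0` is still chained behind `firewall-cmd --reload`, so on a minimal install without firewalld the colour reset is skipped and the failed reload is not reported anywhere. Dropping the trailing `&& \` does decouple the following line, but consider running `tput sgr0` unconditionally and printing an explicit "skipped" or "failed" message when firewall-cmd is absent or returns non-zero, so that the installer output shows the firewall was not reloaded.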

2- sendmail
sendmail symbolic link is missing
ln -s /var/qmail/bin/sendmail /usr/sbin/sendmail

3- SSL protocols
<https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/considerations_in_adopting_rhel_8/security_considerations-in-adopting-rhel-8#tls-v10-v11_security>
Since SSLv3 and TLSv1.0/1/2 are disabled in CentOS 8, some SMTPs fail to connect
TLS_connect_failed:_error:1425F102:SSL_routines:ssl_choose_client_version:unsupported_protocolZConnected_to_193.252.22.65_but_connection_died._(#4.4.2)/
solution is to relax crypto policies
update-crypto-policies --set LEGACY
then reboot,
or edit only /usr/share/crypto-policies/DEFAULT/opensslcnf.txt
set SECLEVEL=1 (to accept DH 1024 key size)
add ECDHE-RSA-AES256-GCM-SHA384 to Ciphersuites (TLSv1.2 cipher)
then systemctl restart sssd.

4- optional queue utilities
add qmt-plus in install command and/or in qmt-centos8.repo.

Thanks
xaf
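
Added example, not part of the original message or of qt_install_cos8.sh: a runnable model of the failure in point 1, where a step chained with && behind a failing firewall reload is silently skipped. All function names and the "changed" state are hypothetical stand-ins, since the message does not show the installer's real SELinux command.

```shell
#!/bin/sh
# Constructed demo: stub functions stand in for the real commands.
# SELINUX_STATE models what the installer's SELinux step is meant to change;
# "changed" is a placeholder, since the post does not show the real command.

selinux_step()         { SELINUX_STATE=changed; }  # hypothetical stand-in
firewall_cmd_missing() { return 127; }             # binary absent: "command not found"
firewall_cmd_present() { return 0; }               # firewalld installed

# Form before the fix: the SELinux step is chained behind the firewall reload.
run_chained() {        # $1 = stub to use for the firewall reload
    SELINUX_STATE=enforcing
    "$1" && selinux_step
    echo "$SELINUX_STATE"
}

# Form after the fix: the steps are independent, and a failed reload is reported.
run_unchained() {      # $1 = stub to use for the firewall reload
    SELINUX_STATE=enforcing
    if "$1"; then fw=ok; else fw="failed:$?"; fi
    selinux_step
    echo "$SELINUX_STATE firewall=$fw"
}

# Show both forms with and without firewalld available.
for fw_stub in firewall_cmd_missing firewall_cmd_present; do
    echo "$fw_stub chained:   $(run_chained "$fw_stub")"
    echo "$fw_stub unchained: $(run_unchained "$fw_stub")"
done
```

With the missing-firewalld stub, the chained form leaves the state at "enforcing" without any error from the SELinux step itself, which matches the symptom reported above.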