Upgraded to fc7, but sendmail submission with TLS no longer works
by Philip Prindeville
I'm running fc7 (updated). I updated via yum from fc6.
Oddly, Cyrus continued to work after the upgrade (it usually breaks).
This time it was sendmail that broke, even though I'm running with a
fairly stock system.
The extent of my sendmail.mc edits are below.
I get messages from sendmail saying that my client (Thunderbird on
Windows Vista and FC7), well:
Sep 29 19:21:59 mail sendmail[5288]: STARTTLS=server, relay=pvr.redfish-solutions.com [192.168.1.8], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256
Sep 29 19:22:23 mail sendmail[5288]: l8U1LxLB005288: pvr.redfish-solutions.com [192.168.1.8]: possible SMTP attack: command=AUTH, count=4
Sep 29 19:22:30 mail sendmail[5288]: l8U1LxLB005288: pvr.redfish-solutions.com [192.168.1.8] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA-v4
Sep 29 19:23:05 mail sendmail[5295]: STARTTLS=server, relay=pvr.redfish-solutions.com [192.168.1.8], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256
but if I turn off TLS, it seems to work ok (using username/password authentication in the clear, I guess).
Since it's TLS, I couldn't use tcpdump to read the transactions...
Here are the sendmail.mc edits. Nothing too weird:
--- sendmail.mc.orig 2006-09-05 07:27:48.000000000 -0600
+++ sendmail.mc 2007-03-08 21:26:38.000000000 -0700
@@ -41,7 +41,7 @@
dnl # The following allows relaying if the user authenticates, and disallows
dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
dnl #
-dnl define(`confAUTH_OPTIONS', `A p')dnl
+define(`confAUTH_OPTIONS', `A p')dnl
dnl #
dnl # PLAIN is the preferred plaintext authentication method and used by
dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do
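Review bot: enabling confAUTH_OPTIONS `A p` changes which mechanisms are advertised, not whether a password verifies, so this line cannot by itself explain the failure. `p` withholds PLAIN and LOGIN until a security layer is up, and the maillog quoted above shows STARTTLS=server completing with DHE-RSA-AES256-SHA before the `possible SMTP attack: command=AUTH, count=4` line, so the TLS layer is negotiated and the four rejections happen inside SASL. Grep the same session (same sendmail[pid]) for the `AUTH failure (...)` lines, which name the mechanism tried and the SASL error, before touching the TLS settings; that TLS-off works is consistent with the back end accepting one mechanism and rejecting others, which those lines will confirm or rule out.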
@@ -49,18 +49,18 @@
dnl # guaranteed secure.
dnl # Please remember that saslauthd needs to be running for AUTH.
dnl #
-dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
-dnl define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
+TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
+define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl #
dnl # Rudimentary information on creating certificates for sendmail TLS:
dnl # cd /usr/share/ssl/certs; make sendmail.pem
dnl # Complete usage:
dnl # make -C /usr/share/ssl/certs usage
dnl #
-dnl define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
-dnl define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
-dnl define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
-dnl define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
+define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
+define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
+define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
+define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
dnl #
dnl # This allows sendmail to use a keyfile that is shared with OpenLDAP's
dnl # slapd, which requires the file to be readble by group ldap
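Review bot: TRUST_AUTH_MECH and confAUTH_MECHANISMS now advertise DIGEST-MD5 and CRAM-MD5 alongside LOGIN and PLAIN, while the comment at the top of the hunk says saslauthd does the checking; saslauthd can only verify PLAIN and LOGIN, and the shared-secret mechanisms need the secrets in a sasldb instead. A client that prefers the strongest mechanism offered then fails on every try, which is what a count=4 AUTH burst after a clean STARTTLS looks like. Either remove DIGEST-MD5 and CRAM-MD5 from both lists or provision sasldb2 for them, and confirm saslauthd is enabled and running after the fc6 to fc7 upgrade. The four certificate and key defines need no change: the STARTTLS=server lines prove sendmail.pem loaded, and pointing confSERVER_KEY at the same combined file is fine as long as the key-file permission check passes (the comment right below about sharing it with group ldap depends on the matching DontBlameSendmail relaxation staying in place).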
@@ -71,8 +71,10 @@
dnl define(`confTO_QUEUERETURN', `5d')dnl
dnl define(`confQUEUE_LA', `12')dnl
dnl define(`confREFUSE_LA', `18')dnl
+dnl # don't apply domain search suffixes...
+define(`confBIND_OPTS', `+AAONLY -DNSRCH -DEFNAMES')dnl
define(`confTO_IDENT', `0')dnl
-dnl FEATURE(delay_checks)dnl
+FEATURE(delay_checks)dnl
FEATURE(`no_default_msa', `dnl')dnl
FEATURE(`smrsh', `/usr/sbin/smrsh')dnl
FEATURE(`mailertable', `hash -o /etc/mail/mailertable.db')dnl
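Review bot: in confBIND_OPTS, `-DNSRCH -DEFNAMES` does what the new comment says (no search-list expansion of unqualified names), but `+AAONLY` is a resolver flag glibc documents as not implemented, so it adds nothing and reads as if it enforced authoritative answers; drop it. Enabling FEATURE(delay_checks) reorders the access_db checks so check_mail and check_relay run after check_rcpt, which is what lets per-recipient overrides work; harmless, but worth a one-line comment since the surrounding lines carry none.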
@@ -100,27 +102,35 @@
FEATURE(local_procmail, `', `procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db', `hash -T<TMPF> -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
+dnl # Anti-spam features suggested from ACME.COM
+FEATURE(`greet_pause', `5000')dnl
+define(`confCONNECTION_RATE_WINDOW_SIZE', `60s')dnl
+FEATURE(`conncontrol')dnl
+FEATURE(`ratecontrol', `nodelay', `terminate')dnl
+define(`confBAD_RCPT_THROTTLE', `3')dnl
+define(`confMAX_RCPTS_PER_MESSAGE', `10')dnl
+define(`confMAX_DAEMON_CHILDREN', `5')dnl
EXPOSED_USER(`root')dnl
dnl #
dnl # For using Cyrus-IMAPd as POP3/IMAP server through LMTP delivery uncomment
dnl # the following 2 definitions and activate below in the MAILER section the
dnl # cyrusv2 mailer.
dnl #
-dnl define(`confLOCAL_MAILER', `cyrusv2')dnl
-dnl define(`CYRUSV2_MAILER_ARGS', `FILE /var/lib/imap/socket/lmtp')dnl
+define(`confLOCAL_MAILER', `cyrusv2')dnl
+define(`CYRUSV2_MAILER_ARGS', `FILE /var/lib/imap/socket/lmtp')dnl
dnl #
dnl # The following causes sendmail to only listen on the IPv4 loopback address
dnl # 127.0.0.1 and not on any other network devices. Remove the loopback
dnl # address restriction to accept email from the internet or intranet.
dnl #
-DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
+dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 587 for
dnl # mail from MUAs that authenticate. Roaming users who can't reach their
dnl # preferred sendmail daemon due to port 25 being blocked or redirected find
dnl # this useful.
dnl #
-dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
+DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 465, but
dnl # starting immediately in TLS mode upon connecting. Port 25 or 587 followed
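Review bot: confMAX_DAEMON_CHILDREN 5 is a ceiling shared by every DAEMON_OPTIONS listener, so five port-25 sessions, each held up to 5 s by greet_pause before it even sees a banner, are enough to make the submission port refuse authenticated users as well; raise it, or cap the MTA listener alone with the per-listener children= key in DAEMON_OPTIONS. FEATURE(conncontrol) and FEATURE(ratecontrol) act only on ClientConn: and ClientRate: entries in the access map, so without such entries this block does less than it reads. Dropping Addr=127.0.0.1 from the MTA listener while enabling the MSA with M=Ea is the right split; the MUA then has to be pointed at the submission port to land on the listener that requires AUTH.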
@@ -141,18 +151,20 @@
dnl # enable both ipv6 and ipv4 in sendmail:
dnl #
dnl DAEMON_OPTIONS(`Name=MTA-v4, Family=inet, Name=MTA-v6, Family=inet6')
+DAEMON_OPTIONS(`Name=MTA-v4, Family=inet')
dnl #
dnl # We strongly recommend not accepting unresolvable domains if you want to
dnl # protect yourself from spam. However, the laptop and users on computers
dnl # that do not have 24x7 DNS do need this.
dnl #
-FEATURE(`accept_unresolvable_domains')dnl
+dnl FEATURE(`accept_unresolvable_domains')dnl
dnl #
dnl FEATURE(`relay_based_on_MX')dnl
dnl #
dnl # Also accept email sent to "localhost.localdomain" as local email.
dnl #
LOCAL_DOMAIN(`localhost.localdomain')dnl
+INPUT_MAIL_FILTER(`mimdefang', `S=unix:/var/spool/MIMEDefang/mimedefang.sock, F=T, T=S:1m;R:1m;E:5m')
dnl #
dnl # The following example makes mail from this host and any additional
dnl # specified domains appear to be sent from mydomain.com
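Review bot: the maillog at the top of the message records the failing session `during connection to MTA-v4`, the Family=inet listener added here, not the MSA on port 587 enabled in the previous hunk, so the client reached port 25; point it at 587 so it uses the listener meant for authenticated submission. The INPUT_MAIL_FILTER line lacks the trailing dnl the neighbouring lines carry, spells the name `mimdefang` where the socket path says mimedefang (only a label, but confusing), and with F=T sendmail tempfails every connection whenever that socket is unavailable, so verify the MIMEDefang multiplexor came back after the upgrade. Commenting out accept_unresolvable_domains is sound now that the MTA listens on every address.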
@@ -173,4 +185,4 @@
dnl MASQUERADE_DOMAIN(mydomain.lan)dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
-dnl MAILER(cyrusv2)dnl
+MAILER(cyrusv2)dnl
Anyone seen anything similar to this?
16 years, 6 months
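Correlating these maillog lines by sendmail child pid tells a TLS failure apart from a SASL failure. This is an added example, not from the post: Python over the four lines quoted above plus one constructed line (pid 5301, laptop.example.net) for a session that tried AUTH without STARTTLS.

```python
import re

# Constructed sample: the four maillog lines quoted in the post, plus one constructed
# line (pid 5301, laptop.example.net) for an AUTH burst on a session that never did STARTTLS.
SAMPLE_LOG = """\
Sep 29 19:21:59 mail sendmail[5288]: STARTTLS=server, relay=pvr.redfish-solutions.com [192.168.1.8], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256
Sep 29 19:22:23 mail sendmail[5288]: l8U1LxLB005288: pvr.redfish-solutions.com [192.168.1.8]: possible SMTP attack: command=AUTH, count=4
Sep 29 19:22:30 mail sendmail[5288]: l8U1LxLB005288: pvr.redfish-solutions.com [192.168.1.8] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA-v4
Sep 29 19:23:05 mail sendmail[5295]: STARTTLS=server, relay=pvr.redfish-solutions.com [192.168.1.8], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256
Sep 29 19:25:10 mail sendmail[5301]: l8U1PAxx005301: laptop.example.net [192.168.1.9]: possible SMTP attack: command=AUTH, count=3
"""

# One sendmail child (pid) serves one inbound connection, so the pid ties a session's
# STARTTLS, AUTH-burst and "did not issue MAIL" lines together.
LINE_RE = re.compile(r"^\S+ +\d+ \S+ \S+ sendmail\[(\d+)\]: (.*)$")
TLS_RE = re.compile(r"STARTTLS=server, relay=\S+ \[([\d.]+)\], .*verify=(\w+), cipher=(\S+),")
AUTH_RE = re.compile(r"\[([\d.]+)\]: possible SMTP attack: command=AUTH, count=(\d+)")
NOMAIL_RE = re.compile(r"did not issue MAIL/EXPN/VRFY/ETRN during connection to (\S+)")

def parse_sessions(log_text):
    """Group maillog lines by sendmail child pid into one record per session."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m.groups()
        s = sessions.setdefault(pid, {"pid": pid, "ip": None, "tls": False, "verify": None,
                                      "cipher": None, "auth_failures": 0, "daemon": None})
        if t := TLS_RE.search(msg):
            s.update(ip=t.group(1), tls=True, verify=t.group(2), cipher=t.group(3))
        elif a := AUTH_RE.search(msg):
            s["ip"], s["auth_failures"] = a.group(1), max(s["auth_failures"], int(a.group(2)))
        elif n := NOMAIL_RE.search(msg):
            s["daemon"] = n.group(1)  # which DAEMON_OPTIONS listener the client hit
    return list(sessions.values())

def classify(s):
    """Separate a SASL back-end problem from a TLS problem or a clear-text AUTH burst."""
    if s["auth_failures"] and s["tls"]:
        return "auth-fails-after-tls"    # TLS is up: look at saslauthd/SASL, not at certificates
    if s["auth_failures"]:
        return "auth-fails-without-tls"  # confAUTH_OPTIONS `p` refuses PLAIN/LOGIN on such links
    return "tls-only"

def triage(log_text):
    """(pid, client ip, verdict, listener) per session, in log order."""
    return [(s["pid"], s["ip"], classify(s), s["daemon"]) for s in parse_sessions(log_text)]
```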
FC6 Issue with Cups after update
by Wade Hampton
I just did a yum update on my son's computer. Now the cups daemon
won't start. Running /sbin/service cups start results in:
Unable to read configuration file '/etc/cups/cupsd.conf' - exiting!
I checked the permissions and they are root, lp 644.
If I run the same code as in the /etc/init.d/cups script, it starts
and works fine:
su
. /etc/init.d/functions
DAEMON=cupsd
prog=cups
echo -n $"Starting $prog: "
daemon $DAEMON
RETVAL=$?
[ $RETVAL = 0 ] && touch /var/lock/subsys/cups
Using su, I tested and user lp can read the cupsd.conf file.
Any ideas?
--
Wade Hampton
16 years, 6 months
strange ssh performance issues
by Kevin Kempter
Hi List;
First let me say that (1) I have a fairly unusual (I suspect) ssh setup, and
(2) I hate the virus known as windows
Here's the deal;
The client I'm working for uses a SonicWall firewall to control access to the
data centers. Unfortunately there are issues with the Linux openVPN clients
(specifically open swan) where it connects but locks all other connections
out of the firewall. So, until we figure this out the solution is to use the
windows version of the SonicWall client. I've installed vmware and installed
a copy of VirusXP (AKA Windows XP). I installed cygwin and followed the
instructions here to install the ssh server:
( http://pigtail.net/LRP/printsrv/cygwin-sshd.html ) although I did not run
the mkpasswd and mkgroup commands, they seemed to break the install of ssh
server.
Anyway, I also setup an ssh key so I could login to the M of VirusXP without a
password.
Next I setup a config file in my Linux $HOME/.ssh dir with many entries like
this (one for each host in the data centers that I need to connect to):
Host dataCenterHostname
Hostname 10.1.x.x # data center I.P.
HostKeyAlias 10.1.x.x # data center I.P.
ProxyCommand /usr/local/bin/netcat-proxy-command 172.16.128.128 %h
The 172.16.128.128 I.P. addr is the I.P. of the VirusXP image within vmware
via nat. (I could not make the ssh connections work via bridged networking).
The /usr/local/bin/netcat-proxy-command script is a netcat (nc) script and
contains this:
#!/bin/sh
# Usage: netcat-proxy-command <gateway> <internal-host>
# Runs nc on the gateway to relay this ssh session to port 22 on the internal host.
gateway=$1
internal=$2
exec ssh "$gateway" nc -w 1 "$internal" 22
To use this setup I boot up VirusXP, open the SonicWall VPN client and connect
to one or more of the data centers. Then in Fedora 7 (the host OS) I open a
terminal and run this:
ssh dataCenterHostname
so, to my issue. Most of the time this setup works fairly well, in that it
does connect. It usually takes about 30 seconds for me to get a password
prompt for the target data center host. This is acceptable but I think
there's something weird going on that delays the connection. I say this
because I can open a cygwin window in VirusXP and do an ssh <I.P.> and I get a
password prompt immediately.
The main issue is that several times a day the connections start to take
several minutes to return the password prompt. I need to restart the cygwin
service in VirusXP, and sometimes that doesn't help so I reboot the VM
instance of VirusXP. This is quite frustrating, however I'm a DBA and have
limited networking knowledge. Does anyone have any thoughts, suggestions,
comments?
Thanks in advance..
16 years, 6 months
Help: very slow software RAID 5.
by Dean S. Messing
I'm not getting nearly the read speed I expected
from a newly defined software RAID 5 array
across three disk partitions (on the 3 drives,
of course!).
Would someone kindly point me straight?
After defining the RAID 5 I did `hdparm -t /dev/md0'
and got the abysmal read speed of ~65MB/sec.
The individual device speeds are ~55, ~71,
and ~75 MB/sec.
Shouldn't this array be running (at the slowest)
at about 55+71 = 126 MB/sec? I defined a RAID0
on the ~55 and ~71 partitions and got
about 128 MB/sec.
Shouldn't adding a 3rd (faster!) drive into the
array make the RAID 5 speed at least this fast?
Here are the details of my setup:
# fdisk -l /dev/sda
Disk /dev/sda: 160.0 GB, 160000000000 bytes
255 heads, 63 sectors/track, 19452 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Device Boot Start End Blocks Id System
/dev/sda1 1 127 1020096 82 Linux swap / Solaris
/dev/sda2 * 128 143 128520 83 Linux
/dev/sda3 144 19452 155099542+ fd Linux raid autodetect
# fdisk -l /dev/sdb
Disk /dev/sdb: 160.0 GB, 160000000000 bytes
255 heads, 63 sectors/track, 19452 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Device Boot Start End Blocks Id System
/dev/sdb1 * 1 127 1020096 82 Linux swap / Solaris
/dev/sdb2 128 143 128520 83 Linux
/dev/sdb3 144 19452 155099542+ fd Linux raid autodetect
# fdisk -l /dev/sdc
Disk /dev/sdc: 500.1 GB, 500107862016 bytes
255 heads, 63 sectors/track, 60801 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Device Boot Start End Blocks Id System
/dev/sdc1 * 1 127 1020096 82 Linux swap / Solaris
/dev/sdc2 128 19436 155099542+ fd Linux raid autodetect
/dev/sdc3 19437 60801 332264362+ 8e Linux LVM
The RAID 5 consists of sda3, sdb3, and sdc2.
These partitions have these individual read speeds:
# hdparm -t /dev/sda3 /dev/sdb3 /dev/sdc2
/dev/sda3:
Timing buffered disk reads: 168 MB in 3.03 seconds = 55.39 MB/sec
/dev/sdb3:
Timing buffered disk reads: 216 MB in 3.03 seconds = 71.35 MB/sec
/dev/sdc2:
Timing buffered disk reads: 228 MB in 3.02 seconds = 75.49 MB/sec
After defining RAID 5 with:
mdadm --create --verbose /dev/md0 --level=5 --raid-devices=3 /dev/sda3 /dev/sdb3 /dev/sdc2
and waiting the 50 minutes for /proc/mdstat to show it was finished,
I did `hdparm -t /dev/md0' and got ~65MB/sec.
Dean
16 years, 6 months
Gnome panel lost most icons...AGAIN
by Frode Petersen
This is a recurring problem, but the intervals are relatively long. This
time it's about a month since the last time I experienced it. Sometimes
it takes longer for it to show up again.
I use a single panel on the right side of the screen, have applets,
icons and drawers on it. This time I removed the Tomboy icon from the
panel. An error message appeared telling me that there was some error
with the configuration files, and that the panel may not display
correctly. Most of the icons disappeared, including all drawers.
In gnome-config section /apps/panel/toplevels all entries for the
drawers are still present, but in section /apps/panel/objects they are
gone.
I've found bug reports about something similar, so I'll try and see if
it helps to go that route, though it seems to be an old problem.
My question here is: Is there a way that I can make a backup of the
working setup and bring it back if this happens again?
Frode Petersen
List of objects involved (I don't know if this helps any, but..)
The objects that remained were: clock, workspace switcher, PanelFM,
Window list, Notification area, NetworkManager icon, System monitor CPU
frequency monitor and volume control.
The ones that disappeared were: Main menu, 8 drawers with quite a few
icons in them, terminal, lock screen.
16 years, 6 months
Formatting CDs
by Aaron Konstam
It has been stated that you can format CD-RW using cdrecord or k3b.
I can't find that option in either program. k3b can format DVD-RW and
DVD+RW but not CDs as far as I can see.
Could someone explain how to do it?
--
=======================================================================
If you're crossing the nation in a covered wagon, it's better to have
four strong oxen than 100 chickens. Chickens are OK but we can't make
them work together yet. -- Ross Bott, Pyramid U.S., on multiprocessors
at AUUGM '89.
=======================================================================
Aaron Konstam telephone: (210) 656-0355 e-mail: akonstam(a)sbcglobal.net
16 years, 6 months
Sound problem
by david walcroft
I cannot get my Sonicvibes card to work in FC7. I think it has something
to do with my modprobe.conf; does anyone know what lines should be installed?
Thanks david
16 years, 6 months
Internet traffic and Azureus -
by Bob Goodwin
Can someone tell me how Azureus on a Windows computer on my LAN might
affect the amount of data downloaded via my ISP?
My son-in-law finally admitted that his son had installed Azureus on his
computer while visiting a couple weeks ago. We have a limited amount of
data allowed by Wildblue, 17 gigs in a 30 day period and it is becoming
a panic situation with less than 2 gigs before we hit the limit and they
take action!
Can Azureus be the cause of the excessive traffic or am I looking in the
wrong place. I closed the bittorrent port in the router months ago and
that should still be closed ...
Presently we have his computer shut down. There's no telling what he's
got on it but my daughter is threatening to put him back on dial-up! I
can see a period of strife on the horizon.
Bob Goodwin Zuni, Virginia
16 years, 6 months
VDQ : merging f7 configs
by Beartooth
On one, but only one, of our F7 machines yum update often pauses with
some such query as this :
Package nss_ldap: merging configuration for file "/etc/ldap.conf":
By default, RPM would keep your local version and rename the new one to /etc/ldap.conf.rpmnew
What do you want to do ?
- diff the two versions (d)
- do the default RPM action (q)
- install the package's version (i)
- merge interactively with vim (v)
- background this process and examine manually (z)
Your answer ?
My default has usually been q, figuring the hotshots would pick
the safest thing as the default. Is that so? Should I be moving old files
to backups and .rpmnew files to current according to any particular
criteria? Is there any way of doing it in mass that's safe? The things
must be piling up, and in places I have no knowledge of ...
--
Beartooth Staffwright, PhD, Neo-Redneck Linux Convert
Fedora Core 6; CXO 5.0.1; Pine 4.64, Pan 0.119; Privoxy 3.0.3;
Dillo 0.8.6, Galeon 2.0.3, Epiphany 2.16, Opera 9.02, Firefox 1.5
Remember I know precious little of what I am talking about.
16 years, 6 months
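Answering the "in mass, safely" question from the defender's side: an added example, not from the post, that walks a tree for .rpmnew and .rpmsave leftovers and reports the diff against the live file without ever moving anything. The ldap.conf/same.conf/gone.conf fixture it builds is constructed sample data, not real configuration.

```python
import difflib
import os
import tempfile

# Pairs each <conf>.rpmnew / <conf>.rpmsave under a tree with its live file and
# reports what differs, so the q/i choice is made per file with the diff in view.
def find_pending(root):
    """Return (live_path, candidate_path, suffix) for every pending file."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            for suf in (".rpmnew", ".rpmsave"):
                if name.endswith(suf):
                    live = os.path.join(dirpath, name[:-len(suf)])
                    found.append((live, os.path.join(dirpath, name), suf))
    return found

def summarize(live, candidate):
    """Lines added/removed going from live to candidate; None if live is gone."""
    if not os.path.exists(live):
        return None
    with open(live, errors="replace") as a, open(candidate, errors="replace") as b:
        diff = list(difflib.unified_diff(a.readlines(), b.readlines(), live, candidate))
    # diff[2:] skips the ---/+++ header lines before counting
    return {"added": sum(l.startswith("+") for l in diff[2:]), "identical": not diff,
            "removed": sum(l.startswith("-") for l in diff[2:]), "diff": "".join(diff)}

def report(root):
    """One line per pending file; only identical candidates are safe to delete unread."""
    out = []
    for live, cand, suf in find_pending(root):
        s = summarize(live, cand)
        if s is None:
            out.append(f"{cand}: live file missing, review before removing")
        elif s["identical"]:
            out.append(f"{cand}: identical to {live}, safe to delete")
        else:
            out.append(f"{cand}: +{s['added']}/-{s['removed']} lines vs {live} ({suf})")
    return out

def make_fixture(root=None):
    """Constructed sample tree (not real configs): one change, one identical, one orphan."""
    etc = os.path.join(root or tempfile.mkdtemp(), "etc")
    os.makedirs(etc, exist_ok=True)
    samples = {"ldap.conf": "uri ldap://ldap.old\nbase dc=example\n",
               "ldap.conf.rpmnew": "uri ldap://ldap.new\nbase dc=example\nssl start_tls\n",
               "same.conf": "x=1\n", "same.conf.rpmnew": "x=1\n", "gone.conf.rpmsave": "old=1\n"}
    for name, body in samples.items():
        with open(os.path.join(etc, name), "w") as f:
            f.write(body)
    return etc
```

Run `report("/etc")` as root on the real system to get the same listing for the machine; the script only reads.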
convert file.wmv to .wav ?
by Bob Goodwin
Can someone tell me how to convert audio .wmv to .wav, .mp3, or .ogg?
I tried ImageMagick 'convert' but I don't seem to be able to make it
work, perhaps because I don't have the command right? As usual I'm
having trouble with the man page ...
Or there may be a better way to do this. I have an audio file in .wmv
that I would like to compress, it's not very important but I hate to let
it go undone.
Bob Goodwin
16 years, 6 months