DevHeads.net

Postings by byrnejb

What is Postfix telling me?

Starting shortly after midnight 20180906 our maillog file began to
record this sort of message pair every six minutes or so.

Sep 6 12:36:42 mx31 postgrey[85107]: action=pass, reason=client AWL,
client_name=malton22-1176258451.sdsl.bell.ca,
client_address=70.28.71.147, sender= ... at airportcargo dot ca,
recipient=imports@harte-lyne.ca

Sep 6 12:36:48 mx31 postfix-p25/smtpd[66636]: proxy-reject:
END-OF-MESSAGE: 451 4.5.0 Error in processing, id=29937-07, quar+notif
FAILED: mail_dispatch: no recognized protocol name: -2 at
/usr/local/sbin/amavisd line 9638.; from=< ... at airportcargo dot ca>
to=<imports@h

STARTTLS / DANE difficulties?

We are migrating our Postfix MX services and in the process have
disrupted a setup which has been very stable for the past couple of
years.

FreeBSD-11 (Jail) Saslauthd rimap authentication fails

I seem to have a configuration issue with respect to sender
authentication. On the Postfix-3.3.0 host I can do this:

[root@mx32 ~]# testsaslauthd -u testuser -p testuser-password #
expires 20180703
0: OK "Success."

However, when I try to send an email through this Postfix service from
a remote Squirrelmail instance using that same username and password
it fails saslauth in postfix:

[root@mx32 ~]# grep 'Jul 3 12:57:' /var/log/maillog
. .

What is postfix telling me to do?

I am configuring a new Postfix-3.3.0 service to act as one of our
public MX providers. The address of this new MX service has been
published in our DNS but with a lower precedence (higher priority
number) than our active MX service.

Naturally enough there are countless spam bots regularly hitting the
low priority MX services and so when I activate Postfix for testing we
get numerous opportunistic connections.

Postfix-3.3.0_1 Can't assign requested address

I am setting up a new mail hub in a FreeBSD-11.1 jail.

SENDER-ACCESS exceptions

The constantcontact.com domain was added to our sender_access file:

constantcontact.com REJECT
.constantcontact.com REJECT

I must have done this but at some distant time in the past as I have
no recollection of doing so.

The situation is that now one of the professional organisations our
firm belongs to sends its newsletter via constantcontact.com. I can
of course simply remove constantcontact.com from the block list.

rsync and cause/source of an empty file

We transfer files from a VAN provider at 15 minute intervals using
rsync over ssh.

sha256sum a dvd

CentOS-6.9

I am trying to verify a locally created dvd. I am using sha256sum in
this fashion:
sha256sum /dev/sr0

Which gave this result:

sha256sum: /dev/sr0: Input/output error

So I tried this:
sha256sum /dev/cdrom

Which, after some time, also produces:

sha256sum: /dev/cdrom: Input/output error

What does this mean and how do I fix it?

Server certificate not verified

We are in the process of configuring a replacement MX off-site server.
The last time I did this was in 2008/09 and so I am a little rusty.
At the moment I see this in my mailq on that host:

However, the source of this problem appears to me to be an invalid
sender so I am wondering just what that error message is telling me
and whether or not it is within my scope to correct whatever is
causing it.

Postfix error message to Postmaster

We continue to receive messages addressed to Postmaster from our MX
host. All appear to be related to a single original transmission.
The issue seems to be some sort of time-out with the Amavis proxy.

KVM guest fails to boot cleanly

I have a KVM vm running CentOS-6.8 on a host also running CentOS-6.8.
This instance is used for occasional development projects which
require segregation. Thus it is seldom accessed.

At some point in the recent past this guest developed an issue with
starting.

postfix-policyd-sf vs. policy-spf + postgrey

I am re-provisioning the host system that lost its HDD last week and
am taking the opportunity to install FreeBSD. This system will host
our off-site MX and DNS services. In the process of installing
postfix-3.1.4 I have run across a package named postfix-policyd-sf.
On cursory inspection this appears to be a drop in replacement for
both postgrey and policyd-spf.

As policyd-spf does not appear to be provided via the FreeBSD ports
collection I am contemplating using postfix-policyd-sf instead as this
is provided as a binary package.

Centos-6.8 fsck and lvms

I have a CentOS-6.8 system which has a suspected HDD failure. I have
booted it into rescue mode from a CentOS-6.5 minimal install CD in
order to run fsck -c on it. The system hosts several vms. I have
activated the lvs associated with these vms using pvscan -s ; vgscan ;
vgchange -ay. An lvscan shows the lvs as ACTIVE. None are mounted.

When I try to run fsck on any of them I see the following error:

fsck from util-linux-ng.2.17.2
e2fsck 1.41.12.(17-May-2010)
fsck.ext2: No such file or directory while trying to open /dev/vg. .

policyd-spf and temperrors

OS=CentOS-6.8 (Linux)

postconf -d | grep mail_version # version
mail_version = 2.11.1
milter_macro_v = $mail_name $mail_version

We are currently experiencing an outage at a remote site that happens
to provide two of our four DNS services.

Processing Conflict: speexdsp-1.2-0.9.rc3.el6.x86_64

Processing Conflict: speexdsp-1.2-0.9.rc3.el6.x86_64 conflicts speex
<= 1.2-0.21.rc1

I am loath to replace things on my primary workstation as I have far
too much to do as it is without dealing with self-inflicted injuries.
However, I do use Jitsi as a softphone and the latest version has a
dependency on a package in EPEL which replaces something from the base
distro.

Can someone inform me of what issues, if any, would replacing speex
with speexdsp likely cause? I have a lot of packages that depend upon
speex.

CentOS-6.8 fsck report Maximal Count

We have a remote warm standby system running CentOS-6.8 as a KVM
system with multiple guests. One of the guests began reporting an
error when running aide.

Caught SIGBUS/SEGV while mmapping. File was truncated while aide was
running?
Caught SIGBUS/SEGV.

ldns-dane

This is an epel package but I thought that I would ask here first.

CentOS-6.8 PCI Hwdr issue?

I have begun to see these messages in my morning reports:

WARNING: Kernel Errors Present
pciehp 0000:00:1c.0:pcie04: Link Training Error occurs ...: 146
Time(s)
pciehp 0ng Error occurs ...: 1 Time(s)
pcieport 0000:00:1c.0: bridge window [mem 0xd0a000000.0 failed
with error -22 ...: 1 Time(s)
r8168: probe of 0000:01:00.0 failed with error -22 ...: 702 Time(s)
r8168: probe of 0000:01:00.0 failed with erroridge to [bus 01-0

The system is the KVM host for a number of our virtual guest servers.

CentOS6 - Stop NUX Skype auto-start with gnome desktop

How does one configure Skype/Gnome such that one can have Skype
installed but not auto-start when the Gnome desktop opens?

I have looked in the 'System/Preferences/Startup Applications' menu
but Skype is not listed there. There are no options in the
Application itself that allow this setting either.

If there is no other way then I will remove the application package and
re-install when I need it. But surely there is a way to control this
behaviour and the problem is that I simply cannot find it.

Thanks.

UDP Constant IP Identification Field Fingerprinting Vulnerability

We received a notice from our pci-dss auditors respecting this:

CVE-2002-0510 The UDP implementation in Linux 2.4.x kernels keeps the
IP Identification field at 0 for all non-fragmented packets, which
could allow remote attackers to determine that a target system is
running Linux.

The NVD entry for which contains this note:

CHANGE> [Cox changed vote from REVIEWING to NOOP]
Cox> So I asked some kernel guys about this - it's not considered
an issue.

On Fri, June 17, 2016 12:31, Valeri Galtsev wrote:

postfix virtual domain walking

We are currently subjected to a persistent penetration attempt that
apparently is directed against our smtp authentication. The user
names employed at the present time are all local address portions of a
single user's virtual domain which have no means of authentication.
So the attack is futile in that sense.

However, the question arises as to how these local delivery addresses
are being harvested? Some of these are used very infrequently and
some of them have not been active for years.

CentOS-6.5 - CD/DVD does not sense media

In dealing with problem 1 - see previous message - I set about creating
a live DVD on my development system. Now I find that I cannot seem to
mount a medium in that drive. wodim --devices reports it as present
and so does cdrecord. I can use the eject utility to toggle the tray
open and closed.

CentOS-6.7 problem updating kernel

We have four identical hardware systems.

Re: Postfix error 450 4.7.1 Sender address rejected: Access denied

Can anyone clue me in on what configuration issue might be causing
this and whose configuration it is, mine or theirs?

postfix-p25/smtpd[18149]: NOQUEUE: reject: RCPT from
smout-245174.nsmailserv.com[202.162.245.174]: 450 4.7.1
< ... at lymanworldwide dot com>: Sender address rejected: Access denied;
from=< ... at lymanworldwide dot com> to=<exports@harte-lyne.ca>
proto=ESMTP helo=<smout-245176.nsmailserv.com>

# postconf -n
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon

IPv6 on CentOS-6 - IPTables

It appears likely that within the next two quarters we will be moving
off of our IPv4 class C's and onto a single IPv6 /40 for our sites.

We have a fairly complex IPTables setup which handles our gateways and
internal hosts. My question is just how much effort is involved in
moving these rules from IPv4 to IPv6? Are there elements in one that
are not available in the other? Are there any fundamental
incompatibilities? Does anyone have a good reference to a case history
of moving from one to the other?

Regards,

Interpreting unauthorised relaying

One of our staff had their email account compromised. We have changed
that user's login and password. However I lack experience
interpreting what happened. Would someone take a look at the
following headers and tell me how this was done?

CD-Mount on CentOS-6.7

When I load a blank cd into the optical drive on my CentOS-6.7
workstation I am not getting any window or visible mount action on my
Gnome desktop.

CentOS-6 : DNS resolver for ssh chrooted accounts.

Our firm uses a dedicated virtual host to provide ssh tunnels for
remote employee access to various internal services and for http/s
access to the outside world. For security reasons I would like to
have the remote users forward their dns lookups over the tunnel as
well. However, we recently chrooted a number of ssh users and these
accounts cannot resolve dns queries passed over the tunnel.

I infer from previous experience that the necessary libraries/binaries
are not installed in the chroot home.

SELinux context change on /etc/posfix/main.cf

This morning I received this report of a change to the SELinux context
of /etc/posfix/main.cf on one of our hosts.

from:

system_u:object_r:postfix_etc_t:s0

to:

unconfined_u:object_r:postfix_etc_t:s0

The contents of the file have been verified as unchanged. There was a
yum update applied yesterday to this host and this may be an intended
alteration. However, can anyone confirm this for me? Or, otherwise
explain what has happened?