Postings by Alice Wonder

read permission on rotated logs

When logs (e.g. /var/log/maillog) are rotated (e.g.

smtp tls policy map MX hostname matching?

Hello list,

I gather from
<a href="" title=""></a> that the
match: directive really only has application to a policy of secure.

If I read right, it applies to the certificate validation.

I'm wondering if there is something similar but applies to MX hosts.

What I'm looking for:

When an MTA-STS policy has a mode of "testing" then certificate
validation should not be done because the RFC says to send it anyway
even if validation fails, so for those domains I want to use a policy of
'encrypt' instead of 'secure' but I also want the policy map to enforce

daemon core dump

I have a daemon I can conistently cause a crash on.

<a href="" title=""></a>

Is that the best way (obviously with debug packages installed) to get
the core dump or is there a better way?

It is NOT a CentOS/EPEL maintained daemon.

DKIM on submission


currently I enable OpenDKIM vi :

# OpenDKIM
smtpd_milters = inet:
non_smtpd_milters = $smtpd_milters
milter_default_action = accept

Since that server is both MX and Submission for the mailbox domain I am
tempted to instead define those parameters via

-o key=value

in for the smtps / submission service.

Is that advisable or is it not a good idea?

I realize it would mean mail sent by the host itself via sendmail
command is not DKIM signed but I'm not really worried about that.

It appears that when e-mail is sent from a user t

Where to buy S/MIME ??

Hi, I'm getting increasingly paranoid.

Something I said on a certain social media site several months ago was
modified - then reported - then by account was banned until I agreed to
delete it.

Obviously since what I said was modified I didn't have any issue with
deleting it but I want more than just DKIM sigs on my e-mail now.

Anyway looking for S/MIME I can use to sign and/or encrypt but mostly

NetworkManager and /etc/resolv.conf

CentOS 7.5 image running on linode.

unbound running on localhost.

Have to use a cron job once a minute to keep /etc/resolv.conf using the
localhost for name resolution - whenever NetworkManager gets restarted
(usually only a system boot) it gets over-written.

It seems every distro has a different way of preventing NetworkManager
from replacing that file.

I found instructions for Fedora that said create
/etc/NetworkManager/conf.d/no-dns.conf containing


That doesn't seem to have any effect.

Poking around, I find a file on boot seems to be created called


A better way to do secure SMTP

Maybe better, I do not know. I do not know right place to recommend
this, I hope it is not too out of place here.

Opportunistic TLS is a concept I do not like. DANE fixes the issues for
system admins willing to implement DNSSEC and add a TLSA record but it
seems many are not, so MTA-STS was invented.

MTA-STS has the same flaw as opportunistic TLS.

C++11 and GCC 5+

This may be common knowledge to some, but it was new to me.

Libraries that use C++11 and are compiled with GCC 4.8.x that CentOS 7.x
has are NOT binary compatible with GCC 5.x or newer.

It seems to only effect C++11.

What you have to do -

create /opt/gcc55 (or whatever)

Rebuild any libraries that use C++11 that you need in something compiled
with GCC 5+ and install them within that prefix.

Then point to them in that prefix when building what you need to build.


The Linux runtime linker seems to get it right (as long as you have
/opt/gcc55/lib64 in path) and not load wrong version

dumb shared library question

Binary compiled on a system with ggc 5.5.0 w/

Because the major version is there shouldn't be any
problems running it on CentOS 7 with, right?

Articles on OpenSSH and Personal Git


Wrote a couple articles on OpenSSH and on running your Git server in a
CentOS 7 environment

<a href="" title=""></a>


<a href="" title=""></a>

And the domain name is honest, there no trackers on that blog. None.

(that blog is actually for a WordPress project not ready for general use
but it seemed like a good place for the articles too)


I am sure they aren't perfect, but they may be of assistance to some.

git public web frontends


Set up a CentOS 7.5 VM linode for git now that github has been bought.

I'm not anti-microsoft but I'm worried they will make changes that I
don't like (e.g. requiring ms account, changing billing, etc.) so I
figured better take control now.

Currently moving my private repos and have them set up in my home
directory there, but my public repos - I want to set them up with a web
interface so people can browse them etc.

get unicode ranges from a TTF ???

Hello list,

Is there a command line tool I run on a ttf font and get a list of the
Unicode Ranges for that that font that would be compatible with the
unicode-range: parameter in a CSS @fontface declaration?

I'm guessing something in the python world probably exists...

Hopefully something that works in CentOS 7

I need something like that for a FLOSS font server project that doesn't
track users.

I don't feel a need to split up a font by unicode range, but a lot of
fonts are already split by their upstream developers according to
language support - e.g.

Thunderbird in CentOS 7.4

With the current Thunderbird I can not connect to one of my IMAP servers
that uses a self-signed cert.

7.4 network issues

Two onboard nics, Intel, eno1 and eno2

If either of them is set to onboot then network won't start.

one error message says :bad vendor preset disabled

Another error message (in red) says Failed to start LSB

If I can find a USB key there is an updated kmod-wl src.rpm that *may*
bring up my wifi, but I am not sure I have access to a USB key at the

The motherboard is supermicro and the onboard nics are Intel which I
thought were well supported, but I do remember going from 7.2 to 7.3 on
a server IPv6 was bricked because of changes to how the /sbin/ifconfig
scripts were configure

Bricked my system

Updated to CentOS 7.4

No wifi.

Extreme frustration with GIMP

I am not a graphics person.

Simple OCSP server ??

Hello list,

I'm contemplating running my own CA to implement the new proposed ISP
for validation of S/MIME certificates via DANE.

I already use self-signed for my MX servers (with 3 1 1 dane records on
TCP port 25) but I don't want to use self-signed for S/MIME for user
specific x.509 certs because

A) That's potentially a lot of DNS records
B) That requires a hash of the e-mail addresses in DNS

Instead, I will be using a wildcard in DNS with an intermediary that
signs the user x.509 certificates.

Using an intermediary to sign their certificates though means I can't
just revoke their

Network Manager / CentOS 7 / local unbound

Hello list -

<a href="" title=""></a>

That says it works for CentOS 5 and I *suspect* the methods there (3
listed) would work, but what is the best way with NetworkManager to set
it up to use the localhost for DNS ?

I'm paranoid about DNS spoofing and really prefer to have a local
instance of DNSSEC enforcing unbound running on my CentOS 7 virtual
machines (e.g.

Quick DANE / self-signed question

I *think* the answer to this is that I am fine.

Last year I only used CA issued certificates.

This year, I am wanting to move to self-signed for SMTP and for
infrastructure domains that are not intended for the public where DANE
can validate. I am convinced DANE does a better job at validating a host
is who it says it is than CA certs do.

I just updated one of my mail servers to self-signed. The signed
certificate expires in few weeks so I can switch back if I did something

<a href="" title=""></a>

That gives a red flag for Unknown Authority.

M.2 PCI-E card

Hello list,

My instinct says the vast majority will "just work" but I'll ask anyway.

I need a low profile PCI-E card that allows for up to 2 M.2 SSD drives
that is known to work with the stock kernel in CentOS 7.

Can anyone recommend one?


Python search path


Working on a project to create clean spec files for libbitcoin for
CentOS 7 (and eventually I want them to work in Fedora 25+ too)

These spec files must work with the user defines an alternate %{_prefix}
before building them.

This means that python components would be installed in /opt/libbitcoin
(or whatever) instead of in /usr so %{python2_sitelib} and
%{python2_sitearch} no longer would apply.

sys.path.append looks like the way to tell python about a new path to
look for stuff, but I'm guessing there are guidelines somewhere for how
that is suppose to properly done from wit

Would this be considered a packaging bug?

<a href="" title=""></a>

The source RPM there uses

%if 0%{?rhel}
# not upstreamed
Patch500: 0001-disable-libe-book-support.patch
Patch501: 0001-fix-build-of-bundled-libzmf-with-boost-1.56.patch
Patch502: 0001-allow-to-build-bundled-libzmf-on-aarch64.patch
Patch503: 0001-impl.-missing-function.patch

(and more than just those) resulting in those patches not being included
in the src.rpm because the rpm was not built on rhel/centos.

My understanding was that platform specific patches were suppose to have
the %if macro where the patch is applied, bu

RHEL 8 speculation ???

Is there any blog that has information on a potential RHEL 8 release date?

boost in 7 is now too old for some things, in addition to gcc. There are
solutions in 7 to those issues but it's starting to feel like 6 felt
shortly before 7 came out, so I wonder if it is getting near to time.

I'm working on a major project bitcoin related and it would be
frustrating to deploy a bunch of CentOS 7 virtual machines only to have
8 come out fairly soon afterwards.

IPv6 broken on Linode

<a href=";t=14570&amp;p=72785" title=";t=14570&amp;p=72785">;t=14570&amp;p=72785</a>

I can not figure out what I need to do.

Apparently according to linode support, the VM is trying to grab an IPv6
address with some privacy stuff enabled by default causing it to not
grab the IPv6 address that is assigned to me.

Nothing I have tried seems to work, and it seems that Linode support are
far more familiar with Ubuntu than CentOS.

I know CentOS follows Red Hat so I'm not suggesting this is CentOS's
fault, but stuff like this really is why I am a much bigger fan of KISS
with simple key=value configuration files that



ran into a problem w/ linode hosted VM where IPv6 address changed after
they migrated it to a different host.

They claim I can fix it with

sed -i 's/slaac private/slaac hwaddr/' /etc/dhcpcd.conf

However there appears to be no dhcpcd.conf on any of my CentOS 7 systems.

What is the CentOS 7 equivalent?

GCC 4.9 in CentOS 7 ??

The following features of the C++11/C++14 standards are not supported by
* std::make_unique function (C++14)
* digit separators (C++14)
* binary literals (C++14)
* generic lambdas (C++14)
If you are using the GNU C compiler collection (gcc) then you need
at least v4.9.x.
configure: error: support for required C++11/C++14 features incomplete

Is there by chance a compat package for gcc 4.9.x available?

I didn't see it in a yum list.

I'm trying to build the latest mkvtoolnix and it looks like CentOS 7 gcc
is just barely too old :-/

Mate and USB headphones

Logitech H540 headphones were working fine.

Suddenly stopped.

Sound Preferences says they are disabled but gives no hints on how to
enable them, or how they became disabled.

Tried rebooting, unplugging them, etc.

Anyone know what is going on?

This motherboard doesn't have onboard sound, this USB is my only option.

Avoiding spam blacklists

Virtual machine for a web application, it is still in testing.

reverse DNS is properly set up.
Postfix only listens on the local host.
Linux firewall drops anything not to port 80, 443, or a custom high
number port I use for SSH.

This postfix is not an open relay, or a relay for anything on the
Internet, it only exists so the web application can send e-mail.

SPF for the domain is correctly set up, DKIM for the host is correctly
set up, when it sends an e-mail and I inspect it - it passes the rDNS,
SPF, and DKIM checks.

So far it has only sent e-mails to addresses I control as the web

quick DANE question

When an SMTP server publishes a TLSA record, will DANE enforcing SMTP
servers refuse to connect if the TLSA record matches the certificate but
the certificate has expired?

spec file frustration (rant)

I'm getting spec files from centos git which is really convenient when
the related source is easy to find. But some things - e.g.