I'm completely confused here and I'm hoping someone here has a setup they're willing to share, or help me configure things on my end.
My connectivity is through Comcast, who unfortunately, does not offer ipv6 in my area. My connection goes like this: Comcast -> Motorola Surfboard Cable Router -> CentOS 6.5 server
The CentOS server is multi-homed and manages the internal 192.168.x.x network by offering DHCP and firewall service (NATting and others.) DNS lookups are going to Comcast's servers.
I have an IPV6 tunnel through Hurricane Electric (www.tunnelbroker.net). The tunnel is configured and is up and running on the CentOS server. I can ping several IPV6 addresses from it just fine:
ping6 -n ipv6.google.com
PING ipv6.google.com(2607:f8b0:400f:801::1006) 56 data bytes
64 bytes from 2607:f8b0:400f:801::1006: icmp_seq=1 ttl=53 time=109 ms
64 bytes from 2607:f8b0:400f:801::1006: icmp_seq=2 ttl=53 time=109 ms
64 bytes from 2607:f8b0:400f:801::1006: icmp_seq=3 ttl=53 time=106 ms
^C
--- ipv6.google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2436ms
rtt min/avg/max/mdev = 106.905/108.723/109.756/1.317 ms
What I'd like to do now is have DHCP offer ipv6 addresses as well. Problem is, I don't know how to configure it properly using the information given to me by Hurricane. I have my client address which is what the CentOS tunnel interface is. Then I have a routed /64 and /48 prefix which I *think* is what I'm supposed to use for my internal network (according to their info popup window) but I don't know how to configure DHCPd to use that and then route through the ipv6 interface.
So does anyone here have a tunnel from HE and are using DHCP on an internal network handing out ipv6 addresses? Any suggestions of how to configure dhcpd6.conf?
Thanks all. Ash
I too am interested in this. I use a tunnel through Sixxs and I assign IPv6 addresses using radvd. I have radvd, aiccu, DNS, DHCP (v4 only) and IPv6 routing all running on a CentOS 6.5 server. All of my servers and workstations are able to ping6 to outside targets, and anything with a browser installed can open ipv6.google.com.
So far I have figured out that you have to run TWO instances of DHCP. One instance issues IPv4 and the other issues IPv6. I have not gone so far as to actually set up a second instance of DHCP.
My main questions revolve around getting internal IPv6 addresses updated into the DNS server. Radvd won't do it. DHCPv6 seems to be deprecated though it would probably work.
My ISP is AT&T DSL. They say they offer IPv6, but I found out recently that it is really a 6rd tunnel. My Zoom router knows how to deal with IPv6 but not 6rd. Therefore I have nothing to gain by switching from Sixxs.
Within the 6 months or so I expect Google Fiber to become available to me. That changes everything ... Or nothing!
Bill Gee
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
All of my servers and workstations are able to ping6 to outside targets, and anything with a browser installed can open ipv6.google.com.
So far I have figured out that you have to run TWO instances of DHCP. One instance issues IPv4 and the other issues IPv6. I have not gone so far as to actually set up a second instance of DHCP.
As long as you run a router advertisement daemon clients will self-assign routable addresses, you don't really need DHCPv6 if you are also running DHCPv4, you can set DNS (even an IPv6 DNS server) or any other configuration using the DHCPv4 daemon.
— Mark Tinberg mark.tinberg@wisc.edu
That's the thing Mark, configuring it is where I'm stuck. I'm unsure of what addresses I'm supposed to be using as the prefixes that Hurricane Electric gives me for /64 and /48, are different from the tunnel's endpoint address. At least I think I'm reading it right from the tunnel's information page.
So when I use those to configure dhcpd6.conf and try to run (the second) dhcpd, it tells me it hasn't been configure to use any interface. Even though I'm telling it to on the command line I'm using to test the configuration. Regardless of what interface I tell it to use, it fails.
So I was hoping someone has a working config that works with HE's setup.
So an he.net tunnel has a /64 used as a point-to-point network which is what runs on the IPv4 tunnel, and either a single /64 that you route for your internal subnet, or a /48 which allows you to carve out 65535 subnets of /64 each, equivalent addressing to an IPv4 /16 where each address is NATting for an entire network itself.
So pick the first /64 subnet inside your /48 allocated to you and route that internally and set that up in your router advertisement daemon.
For example if your point-to-point is 2001:470:AAAA:1234::1/64 (HE.net) -- 2001:470:AAAA:1234::2/64 (your router)
and your routed subnets are out of 2001:470:BBBB:1234::/48
2001:470:BBBB:1234::/64 2001:470:BBBB:1235::/64 ...
Then you'd have say 2001:470:BBBB:1234::1/64 on one router interface and advertise 2001:470:BBBB:1234::/64
— Mark Tinberg, System Administrator Division of Information Technology - Network Services University of Wisconsin - Madison mark.tinberg@wisc.edu
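As an added example (not from the thread or from Mark), the addressing plan above written out as a CentOS 6 shell script: the point-to-point /64 on the sit tunnel interface, the first /64 of the routed block on the LAN, radvd advertising that /64, and a forward policy for hosts that are no longer behind NAT. The IPv4 endpoints, interface names and resolver address are placeholders; the IPv6 addresses are the constructed ones from Mark's message.

```shell
#!/bin/sh
# Added example: bring up an HE tunnel on a CentOS 6 router and advertise one
# routed /64 to the LAN, following the layout in Mark's message. IPv6 values are
# his constructed ones; the IPv4 endpoints (TEST-NET values), interface names
# and resolver address are placeholders to replace.
set -eu

HE_SERVER_V4=203.0.113.1          # placeholder: HE "Server IPv4 Address"
LOCAL_V4=192.0.2.10               # placeholder: the IPv4 the tunnel really terminates on
                                  # (if the Surfboard NATs, protocol 41 must reach this box)
TUN=he-ipv6                       # sit tunnel interface
LAN=eth1                          # internal interface serving 192.168.x.x
P2P_LOCAL=2001:470:AAAA:1234::2   # "Client IPv6 Address": lives ONLY on the tunnel
P2P_REMOTE=2001:470:AAAA:1234::1  # "Server IPv6 Address": the default gateway
LAN_PREFIX=2001:470:BBBB:1234     # first /64 carved from the routed block
LAN_ADDR=$LAN_PREFIX::1           # router's own address on the LAN /64

# First four hextets of an address written without leading "::" compression
# (an assumption that holds for the addresses above).
net64() { printf '%s\n' "$1" | awk -F: '{print $1":"$2":"$3":"$4}'; }

# Guard against the classic mistake: putting the point-to-point /64 on the LAN.
# Returns 0 when the plan is sane, 1 when the two /64s collide.
check_plan() { [ "$(net64 "$P2P_LOCAL")" != "$(net64 "$LAN_ADDR")" ]; }

radvd_conf() {
  cat <<EOF
interface $LAN {
    AdvSendAdvert on;
    prefix $LAN_PREFIX::/64 {
        AdvOnLink on;
        AdvAutonomous on;      # clients build EUI-64 addresses themselves
    };
    RDNSS $LAN_ADDR { };       # RFC 6106 resolver hint; DHCPv4 can still carry DNS
};
EOF
}

tunnel_up() {
  check_plan || { echo "LAN /64 must differ from the point-to-point /64" >&2; return 1; }
  sysctl -w net.ipv6.conf.all.forwarding=1
  ip tunnel add "$TUN" mode sit remote "$HE_SERVER_V4" local "$LOCAL_V4" ttl 255
  ip link set "$TUN" up
  ip -6 addr add "$P2P_LOCAL/64" dev "$TUN"
  ip -6 route add ::/0 via "$P2P_REMOTE" dev "$TUN"
  ip -6 addr add "$LAN_ADDR/64" dev "$LAN"
  radvd_conf > /etc/radvd.conf && service radvd restart
}

# Routed addresses are globally reachable: without NAT the tunnel exposes every
# LAN host, so forward only outbound and return traffic (plus ICMPv6 for PMTU/ND).
firewall_up() {
  ip6tables -P FORWARD DROP
  ip6tables -A FORWARD -i "$LAN" -o "$TUN" -j ACCEPT
  ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  ip6tables -A FORWARD -p ipv6-icmp -j ACCEPT
}

if [ "${1:-}" = apply ]; then tunnel_up && firewall_up; fi
```

Run it as `sh setup-he-tunnel.sh apply` on the router; without the argument it only defines the functions, so `radvd_conf` can be inspected first.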
Thanks for the explanation Mark. I will try that when I get home and get on my test setup. I'll report back with my findings or more inquiries.
On Wednesday, October 01, 2014 15:23:52 Mark Tinberg wrote:
As long as you run a router advertisement daemon clients will self-assign routable addresses, you don't really need DHCPv6 if you are also running DHCPv4, you can set DNS (even an IPv6 DNS server) or any other configuration using the DHCPv4 daemon.
That is true - radvd does cause all my systems to self-assign a public IPv6 address. The problem is that radvd does NOT cause my DNS to get those addresses. The result is I can use IPv6 internally only by giving the address. I cannot use it by hostname.
The only exception is the server hosting DNS. DNS somehow knows the IPv6 address of its host and will deliver it on demand. I can ssh to that server by name and get an IPv6 connection.
I suppose I could create static records in DNS. Those self-assigned addresses are not going to change until I go on Google Fiber. For that matter, I could use the FE80:: link-local addresses. They are not routable, but I don't need that. Being based on the MAC address, they won't change even when I move to Google Fiber.
Still - it would be nice to have DNS automatically get IPv6 addresses just like DHCP does now for IPv4.
Bill Gee
That is true - radvd does cause all my systems to self-assign a public IPv6 address. The problem is that radvd does NOT cause my DNS to get those addresses. The result is I can use IPv6 internally only by giving the address. I cannot use it by hostname.
I suppose I could create static records in DNS. Those self-assigned addresses are not going to change until I go on Google Fiber. For that matter, I could use the FE80:: link-local addresses. They are not routable, but I don't need that. Being based on the MAC address, they won't change even when I move to Google Fiber.
I would create static AAAA(ddress) records using the FF:FE EUI64 self-assigned addresses as those are stable without any configuration required unlike DHCPv4 assigned addresses where dynamic updates or static MAC/IP configuration are needed. If you allow it on your firewall you can also easily connect to services with public IPv6 addresses externally, if you get IPv6 when you are out and about (Verizon wireless is all IPv6 I think).
It might also be good to use Avahi mDNS/Zeroconf internally which will automatically pick up the addresses of your internal hosts without any configuration needed, which might be simpler than running DNS if you just have a single subnet and only care about the names locally.
Still - it would be nice to have DNS automatically get IPv6 addresses just like DHCP does now for IPv4.
So is it correct to say that you currently have dynamic DNS configured between your DHCPv4 daemon and your DNS daemon so that DNS is automatically populated with A(ddress) records for your internal hosts with their RFC 1918 IPs.
— Mark Tinberg mark.tinberg@wisc.edu
On 10/01/2014 03:06 PM, Mark Tinberg wrote:
I would create static AAAA(ddress) records using the FF:FE EUI64 self-assigned addresses as those are stable without any configuration required unlike DHCPv4 assigned addresses where dynamic updates or static MAC/IP configuration are needed. If you allow it on your firewall you can also easily connect to services with public IPv6 addresses externally, if you get IPv6 when you are out and about (Verizon wireless is all IPv6 I think).
If you are talking about Verizon MiFi offering, it provides IPv6 addressing and works well. I use it for my IPv6 testing. Double natted IPv4 is also available (your phone has a natted IPv4 address and nats to the MiFi devices).
On Wednesday, October 01, 2014 19:06:11 Mark Tinberg wrote:
I would create static AAAA(ddress) records using the FF:FE EUI64 self-assigned addresses as those are stable without any configuration required unlike DHCPv4 assigned addresses where dynamic updates or static MAC/IP configuration are needed. If you allow it on your firewall you can also easily connect to services with public IPv6 addresses externally, if you get IPv6 when you are out and about (Verizon wireless is all IPv6 I think).
It might also be good to use Avahi mDNS/Zeroconf internally which will automatically pick up the addresses of your internal hosts without any configuration needed, which might be simpler than running DNS if you just have a single subnet and only care about the names locally.
So is it correct to say that you currently have dynamic DNS configured between your DHCPv4 daemon and your DNS daemon so that DNS is automatically populated with A(ddress) records for your internal hosts with their RFC 1918 IPs.
Hi Mark -
Yes - I have named and dhcpd both running on a CentOS 6.5 server. Dhcpd is configured to update named whenever it gives out a lease. It took me a while to figure out the incantations. It has been running well for several years now.
I don't need to resolve my hostnames outside my private network, so the EUI64 addresses will be fine. It'll be a pain collecting them, but that's a one-time job and I can write a script to redo them if needed.
I guess there is one more aspect to this ... Delivering the IPv6 address of my named server to clients. It is really not necessary since named can give IPv6 answers no matter which protocol the question comes in on. For that matter, since the resolv.conf file on all hosts is controlled by dhclient, I am not sure it is even possible. Maybe dhcpd can deliver both an IPv4 and IPv6 address for name resolver.
Research required! :-)
Bill Gee
I don't need to resolve my hostnames outside my private network, so the EUI64 addresses will be fine. It'll be a pain collecting them, but that's a one-time job and I can write a script to redo them if needed.
Might I suggest "ping6 ff02::1%em0" or whatever interface is appropriate, to ping the all-hosts multicast address. You'll get all the fe80:: addresses for hosts which respond, so you can easily grab the host part of the IPv6 addresses; just replace fe80:: with your routable subnet number. You can figure out which IPv6 address corresponds with which IPv4 address by comparing the neighbor/arp tables: "/sbin/ip -6 neighbor ; /sbin/ip -4 neighbor"
I guess there is one more aspect to this ... Delivering the IPv6 address of my named server to clients.
As you point out you don't need to really do anything here as the DNS payload is totally separate from which protocol you use to talk to DNS, you can have dhcpd set IPv6 entries in /etc/resolv.conf if you want but it's not required.
— Mark Tinberg mark.tinberg@wisc.edu
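An added example, not code from the thread or from any of its posters, that does what Bill and Mark describe (EUI-64 addresses for static AAAA records, rewriting the fe80:: addresses collected from ping6, and cross-checking against the neighbor table) as a POSIX shell script. The lower-cased prefix follows Mark's constructed 2001:470:BBBB:1234::/64; the host list, MACs and the neighbor-table sample are constructed as well.

```shell
#!/bin/sh
# Added example: turn the link-local/MAC inventory into static AAAA records for
# the routed /64, the script Bill said he could write. Prefix follows Mark's
# constructed 2001:470:BBBB:1234::/64; hosts, MACs and the neighbor-table
# sample are constructed too.
ROUTED_PREFIX=2001:470:bbbb:1234   # four hextets of the routed /64 (lower case)

# EUI-64 interface identifier from a MAC (RFC 4291 App. A): flip the
# universal/local bit of the first octet and insert ff:fe in the middle.
eui64_iid() {
  mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
  set -- $(printf '%s' "$mac" | tr ':' ' ')
  [ $# -eq 6 ] || { echo "bad MAC: $mac" >&2; return 1; }
  printf '%x:%x:%x:%x\n' $(( (0x$1 ^ 0x02) * 256 + 0x$2 )) \
    $(( 0x$3 * 256 + 0xff )) $(( 0xfe00 + 0x$4 )) $(( 0x$5 * 256 + 0x$6 ))
}

# Rewrite an fe80:: address (as seen from "ping6 ff02::1%eth1" or
# "ip -6 neighbor") into the routed prefix. Strips a "%iface" zone id and keeps
# a short, "::"-compressed interface id valid (fe80::1 -> PREFIX::1).
ll_to_global() {
  addr=$(printf '%s' "$1" | cut -d% -f1 | tr 'A-F' 'a-f')
  iid=${addr#fe80::}
  [ "$iid" != "$addr" ] && [ -n "$iid" ] || { echo "not link-local: $1" >&2; return 1; }
  groups=$(printf '%s' "$iid" | awk -F: '{print NF}')
  if [ "$groups" -eq 4 ]; then printf '%s:%s\n' "$ROUTED_PREFIX" "$iid"
  else printf '%s::%s\n' "$ROUTED_PREFIX" "$iid"; fi
}

# "host mac" pairs (e.g. copied from the fixed-address entries in dhcpd.conf)
# become BIND zone lines with the address the host will have picked by SLAAC.
aaaa_records() {
  while read -r host mac; do
    case $host in ''|'#'*) continue ;; esac
    printf '%-12s IN AAAA %s:%s\n' "$host" "$ROUTED_PREFIX" "$(eui64_iid "$mac")"
  done
}

# Cross-check against "/sbin/ip -6 neighbor": a host using privacy (RFC 4941)
# or stable-privacy identifiers, or one that is down, will not show the EUI-64
# address and its static record would be wrong. Prints "host expected-address".
unverified_hosts() {          # $1: neighbor table text; stdin: "host mac"
  neigh=$1
  while read -r host mac; do
    case $host in ''|'#'*) continue ;; esac
    expect="$ROUTED_PREFIX:$(eui64_iid "$mac")"
    printf '%s\n' "$neigh" | awk -v a="$expect" 'tolower($1)==a {f=1} END {exit !f}' \
      || printf '%s %s\n' "$host" "$expect"
  done
}

# Constructed inventory and neighbor-table sample (the laptop uses a privacy address)
HOSTS='router 00:11:22:33:44:55
laptop aa:bb:cc:dd:ee:ff'
SAMPLE_NEIGH='fe80::211:22ff:fe33:4455 dev eth1 lladdr 00:11:22:33:44:55 STALE
2001:470:bbbb:1234:211:22ff:fe33:4455 dev eth1 lladdr 00:11:22:33:44:55 REACHABLE
2001:470:bbbb:1234:a1b2:c3d4:e5f6:1 dev eth1 lladdr aa:bb:cc:dd:ee:ff REACHABLE'

printf '%s\n' "$HOSTS" | aaaa_records
printf '%s\n' "$HOSTS" | unverified_hosts "$SAMPLE_NEIGH"
```

On the real router, feed the output of `/sbin/ip -6 neighbor` to `unverified_hosts` before pasting the generated records into the zone file.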
Bill Gee <bgee@...> writes:
That is true - radvd does cause all my systems to self-assign a public IPv6 address. The problem is that radvd does NOT cause my DNS to get those addresses. The result is I can use IPv6 internally only by giving the address. I cannot use it by hostname.
The only exception is the server hosting DNS. DNS somehow knows the IPv6 address of its host and will deliver it on demand. I can ssh to that server by name and get an IPv6 connection.
<SNIP> Ran into this a couple of years ago when I was playing with IPv6. I guess it hasn't changed since then.
The problem is that dhcpd and dhcpd6 are two separate services and dhclient only talks to one of them. So, you can get your client IPv4 addresses into DNS or you can get your IPv6 addresses in but not both through DHCP and dynamic DNS updates. There is probably a way to get both addresses in using a shell script that runs on each client but I didn't see a way to do it securely.
Cheers, Dave
O/S: centos 5.11 fresh install and updated this week. Postfix: most recent yum update this week
Postfix is set up to work but does not answer 'helo'; sendmail can. I did not have this situation in 5.4.
Can somebody figure out where I'm wrong?
On 03.10.2014 at 12:52, Michel Donais wrote:
O/S: centos 5.11 fresh install and updated this week. Postfix: most recent yum update this week
Postfix is set up to work but does not answer 'helo'; sendmail can. I did not have this situation in 5.4.
Can somebody figure out where I'm wrong?
Log content and configuration details will be necessary.
Alexander
On Fri, October 3, 2014 5:52 am, Michel Donais wrote:
O/S: centos 5.11 fresh install and updated this week. Postfix: most recent yum update this week
Postfix is set up to work but does not answer 'helo'; sendmail can. I did not have this situation in 5.4.
Can somebody figure out where I'm wrong?
I did have to resolve a disaster: smtp (both clear text and SSL + sasl auth) got broken. It turned out to be the postfix package that came with CentOS 5.11. I do not know the details yet: with a disaster you first make things work, then figure out what happened and what is to blame. My temporary fix was quick (it was the troubleshooting that took an hour or so): I rolled back the postfix package:
rpm -Uvh --oldpackage http://bay.uchicago.edu/centos/5.10/os/x86_64/CentOS/postfix-2.3.3-6.el5.x86...
You may want to replace my mirror address bay.uchicago.edu with your favorite mirror (and may need to change to the 32-bit location if your box is 32-bit). After that is done, do
/etc/rc.d/init.d/postfix restart
And yes, I do feel shame for not testing update before installing it...
Note: you may want to go into the details of how to really fix that (which I haven't had a chance to do for my servers); this dirty fix will just let you get out of the disaster quickly.
Valeri
++++++++++++++++++++++++++++++++++++++++ Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247 ++++++++++++++++++++++++++++++++++++++++
Hi Valeri,
Valeri Galtsev wrote
then figure out what happened and what is to blame.
Thanks for the warning. I have to update my CentOS 5.10 postfix mail server, too.
Could you please send your results to this list?
For the time being, I am adding an exclude for postfix to /etc/yum.conf.
Greetings from Germany
Markus Steinborn
I have a CentOS5 with postfix mailserver that I updated to 5.11, no problems. I see only one rpmnew file, main.cf.rpmnew. Is it possible that the people having problems had not modified main.cf, and it was updated?
On Fri, October 3, 2014 2:13 pm, Greg Lindahl wrote:
I have a CentOS5 with postfix mailserver that I updated to 5.11, no problems. I see only one rpmnew file, main.cf.rpmnew. Is it possible that the people having problems had not modified main.cf, and it was updated?
It may be different depending on what your setup is... and I haven't had a chance to get to the bottom of this. Anyway, my case is: postfix with SSL (and non-SSL), with syrus-sasl authentication on the SSL port done via dovecot. After the update it started hanging the smtp connection (on the non-SSL port at least) after the "EHLO ...." command. But I don't have a full list of problems in my case. In a disaster you fix first and investigate later. I doubt I'm different from other sysadmins in that.
FWIW
Valeri
++++++++++++++++++++++++++++++++++++++++ Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247 ++++++++++++++++++++++++++++++++++++++++
I made a test update of only Postfix and don't see a problem. There's indeed a new main.cf file saved as main.cf.rpmnew and there's also a new main.cf.default file which contains all default settings of postconf.
The data_directory apparently changed from /etc/postfix to /var/lib/postfix which affects the SSL relevant file prng_exch. Postfix redirects access from old to the new location, maybe you had a problem because of this? Selinux? The path is in the new main.cf(.rpmnew), but not in my old main.cf file. However, as it is the default it takes effect, anyway.
Oct 6 11:17:46 d15 postfix/tlsmgr[5642]: warning: request to update file /etc/postfix/prng_exch in non-postfix directory /etc/postfix
Oct 6 11:17:46 d15 postfix/tlsmgr[5642]: warning: redirecting the request to postfix-owned data_directory /var/lib/postfix
with syrus-sasl authentication on SSLed port done via dovecot.
This confused me a bit first. I assume you just meant to say SASL, no Cyrus involved. Same here. No matter, if SSL or not.
Kai
On Mon, October 6, 2014 5:12 am, Kai Schaetzl wrote:
I made a test update of only Postfix and don't see a problem. There's indeed a new main.cf file saved as main.cf.rpmnew and there's also a new main.cf.default file which contains all default settings of postconf.
The data_directory apparently changed from /etc/postfix to /var/lib/postfix which affects the SSL relevant file prng_exch. Postfix redirects access from old to the new location, maybe you had a problem because of this? Selinux? The path is in the new main.cf(.rpmnew), but not in my old main.cf file. However, as it is the default it takes effect, anyway.
Kai, thanks a lot for your kind reply and your insight. I'll take a look on some development server to see if that was my problem (data_directory change). It is awfully non-Enterprise to do that within the same release (meaning 5, not re-spin 5.11). I had a better opinion of the RedHat team...
No, it is not Selinux (which is off, and I have my opinion about Selinux...). And no, it is not main.cf; rpm does an excellent job keeping them in place and creating ...rpmnew files. Though in this case it has been (likely that is the case) defeated by the layout of files having changed...
Oct 6 11:17:46 d15 postfix/tlsmgr[5642]: warning: request to update file /etc/postfix/prng_exch in non-postfix directory /etc/postfix
Oct 6 11:17:46 d15 postfix/tlsmgr[5642]: warning: redirecting the request to postfix-owned data_directory /var/lib/postfix
with syrus-sasl authentication on SSLed port done via dovecot.
This confused me a bit first. I assume you just meant to say SASL, no Cyrus involved. Same here. No matter, if SSL or not.
You are right, it is dovecot SASL, not cyrus SASL.... just slip of my tongue.
Thanks again!
Valeri
++++++++++++++++++++++++++++++++++++++++ Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247 ++++++++++++++++++++++++++++++++++++++++