Secured my mail server

I’m near done configuring my mail server. Last night I got sendmail configured to use STARTTLS, and to require it for SMTP AUTH. I now don’t allow cleartext passwords, so I can feel safe using my iPhone to send mail through my server when I’m not at home. Not enforcing STARTTLS wasn’t a big deal for my desktop since it’s on a secure wired LAN with my mail server, but there are times when I want to use my iPhone and laptop to send mail when I’m away from home, and hence I need to enforce crypto for SMTP AUTH.
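The policy in that paragraph, passwords only inside a TLS session, is what sendmail's "p" flag in confAUTH_OPTIONS enforces: with define(`confAUTH_OPTIONS', `A p y') the server does not advertise PLAIN or LOGIN in its EHLO response until STARTTLS has completed, and DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea') makes the submission port require authentication and disable ETRN. Those directives come from the sendmail cf/README and are not quoted from the author's sendmail.mc. The script below is an added example, not part of the original post: it checks the resulting behaviour from the outside by comparing the EHLO capabilities seen on a cleartext connection with those seen after STARTTLS. The EHLO responses embedded in it are constructed samples (mail.example.com, probe.example and 192.0.2.10 are placeholders); the commented openssl and nc commands show how to capture real ones.

```shell
#!/bin/sh
# Added example, not code from the blog post: verify from the outside that an
# SMTP submission server only offers plaintext-password AUTH mechanisms
# (PLAIN, LOGIN) after STARTTLS. With sendmail this is the behaviour of the
# "p" flag in confAUTH_OPTIONS.
#
# To capture real responses (mail.example.com is a placeholder):
#   cleartext:  printf 'EHLO probe.example\r\nQUIT\r\n' | nc mail.example.com 587
#   after TLS:  printf 'EHLO probe.example\r\nQUIT\r\n' \
#                 | openssl s_client -quiet -starttls smtp -connect mail.example.com:587
# (s_client performs the STARTTLS handshake itself; the EHLO you pipe in is
# then sent inside the TLS session, so its reply shows the post-TLS capabilities.)

# Print the AUTH mechanisms advertised in an EHLO response read from stdin,
# one per line, upper-cased. Tolerates CRLF line endings, both the "250-"
# and final "250 " prefixes, and the legacy "AUTH=" spelling.
ehlo_auth_mechs() {
    tr -d '\r' | awk '
        toupper($0) ~ /^250[- ]AUTH[ =]/ {
            line = toupper($0)
            sub(/^250[- ]AUTH[ =]/, "", line)
            n = split(line, m, " ")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }'
}

# Exit status 0 if a mechanism that sends the password in the clear
# (PLAIN or LOGIN) is advertised in the EHLO response on stdin, 1 otherwise.
offers_plaintext_auth() {
    ehlo_auth_mechs | grep -Eqx 'PLAIN|LOGIN'
}

# auth_policy_ok PRE_TLS_RESPONSE POST_TLS_RESPONSE
# Returns 0 when "plaintext auth only inside TLS" holds, 1 otherwise.
auth_policy_ok() {
    pre=$1
    post=$2
    if printf '%s\n' "$pre" | offers_plaintext_auth; then
        echo "FAIL: PLAIN/LOGIN offered before STARTTLS (password would cross the wire in the clear)"
        return 1
    fi
    if ! printf '%s\n' "$pre" | grep -qi '^250[- ]STARTTLS'; then
        echo "FAIL: STARTTLS not offered"
        return 1
    fi
    if ! printf '%s\n' "$post" | ehlo_auth_mechs | grep -q .; then
        echo "FAIL: no AUTH mechanisms offered even inside TLS; clients cannot authenticate"
        return 1
    fi
    echo "OK: AUTH is only available inside the TLS session"
    return 0
}

# Constructed sample responses (placeholders, not captured from a real server).
PRE_TLS='250-mail.example.com Hello probe.example [192.0.2.10], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-STARTTLS
250-DELIVERBY
250 HELP'

POST_TLS='250-mail.example.com Hello probe.example [192.0.2.10], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-AUTH LOGIN PLAIN
250-DELIVERBY
250 HELP'

# What a server without the "p" flag looks like on the cleartext connection.
LEAKY_PRE_TLS='250-mail.example.com Hello probe.example [192.0.2.10], pleased to meet you
250-STARTTLS
250-AUTH LOGIN PLAIN
250 HELP'

auth_policy_ok "$PRE_TLS" "$POST_TLS"
auth_policy_ok "$LEAKY_PRE_TLS" "$POST_TLS" || true
```

Run the two captures against the submission port rather than port 25: the "p" flag hides PLAIN and LOGIN on both, but it is the MSA port that roaming clients such as an iPhone will use, and the M=a modifier there is what stops an unauthenticated sender from relaying through the server.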

All works fine using Mail on my hackintosh, Mail on my MacBook Pro, Outlook on my hackintosh, and of course my iPhone. I need to write up everything I did so I can repeat it in the future if necessary.

running my own mail server again

Many years ago, I ran my own mail server for my domains. I eventually stopped, mostly because I wasn’t happy with the amount of effort it required. I also wasn’t happy with the mail user agents that would easily work with it at the time in a secure manner.

Last week I decided I wanted to set up mail service again, mostly because I missed having explicit control and ownership of my mail. So I configured sendmail once again as my mail transfer agent, and for IMAP I’m using dovecot. I’m using a chain of procmail and dovecot’s deliver as my sendmail local delivery agent, to drop my mail in Maildir format. I’m not switching over to it just yet, but it appears to all be working after many days of configuring and tweaking. I won’t say this is easy; getting it all working after years of not doing any mail administration involved a fair amount of trial and error.

The good news is that I will soon be reachable via a new, shorter email address and will in all likelihood switch to using it as my primary address. Now that I have OS X as my desktop and an iPhone as my smart phone, I have no MUA issues. I don’t need a web browser interface to my mail, though I may install SquirrelMail at some point just to test it.

One of the issues I ran into while doing this… dovecot wanted some newer versions of libraries I already had installed. Those libraries were dependencies of a LOT of software I had already installed from the FreeBSD ports tree. Hence the whole process took me much longer than expected, with a lot of midnight oil burned when portupgrade failed to do what I needed.

My first hackintosh

Two weeks ago I assembled my first hackintosh. I had hoped to buy a new Mac Pro. Unfortunately Apple has not updated it in over 2 years, and the price hurts for hardware that’s 2 years behind. No Thunderbolt, lame video card options without sufficient power supply output to run a modern 3D card, etc. It’s a great machine, but the price is fairly obscene for the age of the components and the power supply weaknesses.

I also considered a 27″ iMac, which is a very nice machine for an all-in-one, but the reality is that I need expandability that doesn’t exist on the iMac. I don’t want external drive enclosures. I also want USB 3.0. And I have a pair of 24″ 1920×1200 monitors I wanted to continue using, if just for the sake of saving money.

So in the end, my best option was a hackintosh. I considered a dual Xeon setup, but the price is high and power management is essentially non-functional on the dual Xeon hackintosh machines. My main goals here were maximum compatibility, reasonable speed, low noise (no screaming CPU fan), and simple maintenance. So I built a fairly simple (and relatively inexpensive) hackintosh based on a Gigabyte Z68 board and Intel I7-2700K CPU with an EVGA GTX570 video card. I am using a USB Bluetooth adapter and an Apple Magic Trackpad since I’ve become addicted to all of the gestures over the last few years. I considered a watercooled video card, but in the end decided I didn’t want the maintenance I’ve had to deal with on my watercooled machines. The Corsair H100 is dandy for my CPU, and since I don’t play 3D games on my computer, my video card isn’t really subject to high heat conditions.

The gory details can be found on my hackintosh1 page. As of today, I have most everything working, including (finally!) sleep and wake. There are some nits with USB connections with my iPhone, but it works if I use particular ports. I have a few items left on the wish list like the SSD, 16G more memory and a new keyboard, plus software. But I’ve been using the machine as my primary desktop for the last 2 weeks and I’m a happy camper. My libDwm library compiles in 7 seconds with no overclocking, which is much faster than was possible with my old dual 32-bit Xeon FreeBSD workstation. I’m also not memory-constrained as I was on that machine. At this point, I can settle in and just use the machine and add my planned upgrades at my leisure.

Kudos to the web sites that support those of us with hardware needs that aren’t met by Apple: tonymacx86.com, insanelymac.com, osx86.net and others. While I’m a strong supporter of Apple and own (and love) some of their hardware (and have spent many thousands of dollars on it over the years), right now they don’t have desktop hardware that meets my needs at a price point I can tolerate. Hopefully that will change in 2013, but I’ve become very wary of waiting for Apple desktops that meet my needs. The hackintosh fits my needs for now and at the moment is working nearly flawlessly running OS X Lion (10.7.4).

finally upgraded to iPhone 4S

I’ve been limping by with an iPhone 3G since its introduction. I was hoping to wait for the iPhone 5, mostly for LTE and hopefully better battery life (I couldn’t care less about the rumored slightly larger screen size). However, my iPhone 3G has had a crack in the back of the case for a while, and its reception has been sub-par for the last 6 months or more. Most importantly, MobileMe service expires at the end of this month, and the 3G will not run the current iOS in order to use iCloud. In addition, the 3G is slow when running any 4.x version of iOS.

So I had to buy a new iPhone.

I debated switching to Verizon, since my contract with AT&T expired years ago. However, AT&T’s plans better meet my needs. I need to be able to tether, and I need more than 2G data per month. Their 5G plan with hotspot works for me. I had to give up my unlimited data plan, of course. The reality is that I don’t need an unlimited plan without tethering; I use my WiFi at home for most fat content. The hotspot allows me to use my phone as a 3G modem for my MacBook Pro, which I need when I’m working somewhere without WiFi.

I bought a white 32G iPhone 4S with AT&T. I bought it at the Apple Store in the Twelve Oaks shopping mall in Novi, Michigan. If buying an iPhone, I can’t more heartily recommend going to an Apple Store instead of the carrier. The brick-and-mortar Apple Store experience continues to be fantastic, and you’ll leave the store feeling like you just had a glimpse of what the face-to-face retail experience should be. And if you’re using the Apple Store app, you might feel like you’re stealing. 🙂

I’m using a Speck Candyshell Grip case, in yellow. It’s not really the one I want, but of the cases available in the local Apple Store, it’s the one I like the most.

I’m enjoying Siri and other features sorely missing from my old iPhone 3G, but most importantly… I’ve made the switch from MobileMe to iCloud and can rest a little easier.

brownout kills UPS batteries

More than 8 hours of low AC voltage killed the batteries in 2 of my rackmount UPS units. High winds caused the AC voltage in my home to wander between 40 and 80 volts RMS for over 8 hours.

The batteries were due for replacement, but this outage killed them completely. Hopefully the inverters and other parts survived. I can buy new batteries from Batteries Plus, and will do so soon.

A consequence of this outage… my gateway’s BIOS did something very odd, and decided it was going to try to boot from a different drive (which doesn’t even have a master boot record on it). It took me a while to figure it out since there are matching drives in this machine and the BIOS doesn’t give details to differentiate them. But as a result of the downtime, I decided it was time to make sure a complete restoration from my backups works. My gateway machine has a lot of software installed but not much in the way of user data. I restored everything from my backups and it worked just fine. Hooray for a real test of disaster recovery!

I also took the time to move my CVS repository off of my old web server, as well as the DHCP server. So now I can shut that machine down for good. I will run one last full backup before killing it off.

Using Wt (C++ Web Toolkit) for a web site map

It had been many years since I had looked at Wt, a C++ library for developing interactive web applications. Last weekend, I started using it again for a simple site map that’s automatically generated so I don’t have to manually update the map.

The first pass resulted in sitemap. I’m using a TreeView with Wt::WStandardItem objects.

The sitemap application initially generated the TreeView on the fly by traversing the filesystem under my document root, using my existing SiteIndexConfig class (used by my menu generators and my site indexer) for configuration. I knew from the start that this wouldn’t work for deployment, since it’d be too slow with all of the content from my old web server. But I already had classes to traverse the filesystem and pluck out web pages, find their titles (already stored in Xapian by my indexer), etc. It worked for a throwaway prototype.

I then wrote a new application to generate the data for sitemap, which I named (with no originality) mksitemap. It dumps a small binary file from a class named Dwm::WWW::DirectoryTree (derived from Dwm::DirectoryEntry), which can be directly read to populate a Dwm::WWW::SiteMap::DirectoryTree. From the instance of Dwm::WWW::SiteMap::DirectoryTree, I directly create Wt::WStandardItem objects for the Wt::TreeView.

The sitemap application itself is fairly small in terms of lines-of-code:


dwm@www2:/home/dwm/src/dwm/www/apps/sitemap% mcloc .
54 ./DwmWWWSiteMapApp.cc
22 ./DwmWWWSiteMapApp.hh
43 ./DwmWWWSiteMapDirectoryTree.cc
28 ./DwmWWWSiteMapDirectoryTree.hh
20 ./sitemap.cc
167 TOTAL

Obviously this isn’t counting the more general-purpose classes used by sitemap:


dwm@www2:/home/dwm/src/dwm/www/classes% mcloc src include
14 include/DwmWWW.hh
27 include/DwmWWWDirectoryTree.hh
41 include/DwmWWWSiteIndexConfig.hh
17 include/DwmWWWUtils.hh
97 src/DwmWWWDirectoryTree.cc
243 src/DwmWWWSiteIndexConfig.ll
130 src/DwmWWWUtils.cc
569 TOTAL

I’m not going to count the lines of code from libDwm; it’s a significant library, I’m only using a small part of it in this application, and it’s no effort to use it since I’ve been working on it for a decade. I’m using the Dwm::IO templates, the Dwm::SysLogger class, the Dwm::StringUtils templates, the Dwm::DirectoryEntry class and the Dwm::Signal class since I’m running under mod_fastcgi.

Migrating my web site to new hardware

Tonight I finished the first pass at migrating my new web site from its development machine to its new home on a nearly identical machine. More information is here.

I’m really enjoying the Supermicro MBD-X7SPA-H-O motherboards in the new web server and gateway. With 6 SATA ports and dual ethernet, and Intel D510 Atom processors that are easy to keep cool, they work well in a reasonable case. I’m also really liking the Supermicro CSE-731i-300B cases. Though they’re significantly larger than I need, they’re inexpensive for the features. The only modifications I made: I cut an intake hole adjacent to the hard drive cage for an 80mm Noctua NF-R8 fan, populated the front intake location with another Noctua NF-R8 fan, and replaced the stock 92mm fan with a Noctua NF-B9. The Noctua fans are all rated for 150,000 hours, and are quiet.