Caffeine

Introduce our good friend caffeine. It’s always good for a pick me up, especially when I’m feeling slow in the morning. I’m not a coffee drinker but traveling in India and Southeast Asia got me hooked on a good cup of tea. Chai is my preference, but not the sugary kind you would get out of a box at Starbucks. I have a milk frother at home that makes a nice latte-esque cup from black tea leaves and spices. Side note: if you want a no-sugar-added chai at a Starbucks, ask for a “Chai Tea Misto”. It’s chai tea bags with steamed milk priced like a tea so about half the cost of a chai latte. Half the Starbucks don’t know how to make it though, so be clear it’s not a latte.

As a Northern Californian going through a drought, I have separately been working to minimize my showers. My shower takes about 2 minutes to get hot water so we let it run into a 5-gallon bucket. Once it gets warm, I would jump in, get wet, turn the water off. Wash my hair, my body and then turn the water back on to rinse before getting out. As someone who loves long, hot showers, this is both soul-crushing and terribly efficient. Combined with better managing our sprinklers and more water-efficient washer/dryer, we cut our overall water usage by 35%.

Let’s weave these threads together. Busy life. Little sleep. Newborn baby. Water restrictions. How can I optimize my physical feeling each day?

Cold Showers

There’s a lot of research and/or hype about cold showers in the fitness world. They are claimed to help with fat loss and promote muscular recovery among other things. I am not a researcher and have no opinion on those. What I can tell you is that cold showers can wake up even the most sleep deprived new parent and kick start your day. Best part? The effect lasts for hours!

If you search for “cold shower challenge”, you’ll find lots of suggested protocols. I started with a regular hot shower and progressively added cold water finishes. Just for a few seconds. Then a few more seconds. Then a few more and so on until I worked up to half my shower under cold water. Here’s how I’m doing it now:

1. Run a hot shower (into the bucket to save water which we use to water plants)
2. Get in right as the water gets hot, scrub my face vigorously, quickly get wet (under 60 seconds)
3. Turn water off, wash my hair and body
4. Turn water back on to hot and begin to rinse
5. Immediately move water to cold, as cold as you can without the shower turning off
6. Try to remain calm as your body goes from 130F water to 60F water, finish rinsing off (another 60 seconds). Embrace the feeling.
7. Exit the shower WIDE AWAKE

My mind is buzzing as I dry off and I walk into my home office with not so much a thought about needing a cup of chai.

My home is generally pretty cold so I used to stay in the shower for long periods of time to warm up my cold extremities. Now when I turn the cold water rinse off, the air temperature feels warm and I’m in no rush to dry off or put on clothes. If you’ve ever gone wakeboarding in a cold lake, it’s like how falling back into the water can feel great after the wind chill factor of being towed behind a boat at 20mph.

I still enjoy a good cup of chai because it’s delicious but I have found that using caffeine as a crutch has all but disappeared. And in a weird way, I now enjoy the feeling of shock as the cold water hits my head and the adrenaline starts running.

You can easily start with a 5-second cold finish. Move that to 10. Then 20. How about a minute? Try it out and tell me what happens below!

Once home I searched for a database of conjugated verbs to make flash cards that, rather than working with infinitives, would read simple actions like “They walk”, “He used to sing” or “We would have spoken” and the reverse would have the proper Spanish conjugation. Despite my uber Google skills, I was unable to find any non-commercial products. However, I did come across one great resource that had the data I needed.

Fred Jehle, formerly a professor at Indiana University-Purdue University Fort Wayne, published approximately 600 verbs, fully conjugated in all moods and tenses, on his website in 1998. The resource helped students improve their verb use in addition to a variety of notes on other aspects of the language. I contacted Mr. Jehle to inquire if a database of his verbs were behind the scenes but unfortunately only the static web pages exist.

Out of curiosity, I opened up a couple of pages to see what the source HTML looked like and, luckily, it was pretty uniform. I broke out my editor and wrote a script to read in each page, parse out the various conjugations and dump them in to a (PostgreSQL 9.x) database. The roughly 600 verbs converted to 11,467 combinations of moods + tenses.

In coordination with copyright holder Professor Jehle, this data is available free of charge via a Creative Commons license for anyone to use for non-commercial purposes so long as you provide attribution. If you alter, transform or build upon this work then you may distribute the resulting work only under the same license.

My thanks go to Mr. Jehle for quickly answering my questions and allowing me to publish the data for other would-be Spanish students. I recommend that you also check out his website for additional Spanish content at http://users.ipfw.edu/jehle/VERBLIST.HTM.

Upgrade to CHKUSER 2.0.9

CHKUSER 2.0.9 includes one update that is very important to us: CHKUSER_DISABLE_VARIABLE. This enhancements allows us to disable CHKUSER checks for certain relays. In our case, our web application servers relay mail and sometimes the TO address is invalid. Without this change, CHKUSER would deny even sending the email so bad emails would queue up on the web servers. What we want to happen is for the mail server to accept them, bounce them and let our bounce handling routines run notifying the sender of the bad address. Here’s the necessary steps:

1. Download development package qmail-toaster-1.03-1.3.21.src.rpm which includes the CHKUSER 2.0.9 code and a few other enhancements (see this thread)
2. rpm -Uvh qmail-toaster-1.03-1.3.21.src.rpm
3. bunzip2 /usr/src/redhat/SOURCES/qmailtoaster-1.3.2.patch.bz2
4. vi /usr/src/redhat/SOURCES/qmailtoaster-1.3.2.patch
5. Search for “/* #define CHKUSER_DISABLE_VARIABLE” and remove the comments, save
6. Search for “/* #define CHKUSER_ENABLE_USERS_EXTENSIONS” and remove the comments to re-enable dash-aliasing
7. bzip2 /usr/src/redhat/SOURCES/qmailtoaster-1.3.2.patch
8. cd /usr/src/redhat/SPECS
9. rpmbuild -bb –with cnt50 –target i686 qmail-toaster.spec
10. rpm -Uvh /usr/src/redhat/RPMS/i686/qmail-toaster-1.3.2.rpm

Note, I’m running on x64 CentOS 5. For some reason I had to specify the target as i686 as without the target it wanted to generate an i386 binary while everything else is i686. I didn’t know if that would cause problems so I specified the target explicitly.

For any IP address we want to bypass the CHKUSER checks, we simply add an entry to /etc/tcprules.d/tcp.smtp with a RELAYCLIENT variable. An entry might look like:

192.168.0.1:allow,RELAYCLIENT=""

Finally, the RPM update for qmail-toaster overrides your SSL certificates for SMTP. To restore my real certificates, I had to perform the following steps (lifted from coregilmore.com):

# cp /etc/httpd/certs/mail.msr.com.pem /var/qmail/control/servercert.pem
# ln -s /var/qmail/control/servercert.pem /var/qmail/control/clientcert.pem
# chown -h qmaild:root /var/qmail/control/clientcert.pem
# chmod 400 /var/qmail/control/servercert.pem
# qmailctl restart

mail.msr.com.pem is simply a single concatenated file containing your key, certificate and any intermediate certificates (required for registrars like Go Daddy for example):

# cat /path/to/ssl_cert.key /path/to/ssl_cert.crt /path/to/gd_intermediate_bundle.crt > /var/qmail/control/servercert.pem

Updated Mailfilter Script

We also expanded our mailfilter script to be a little bit smarter and handle DSPAM better. Here’s the latest:

SHELL="/bin/bash"
import EXT
import HOST

VUSER=`echo ${EXT%-*}`
export VUSER
USERHOME=`/mail/bin/vuserinfo -d $VUSER@$HOST`
export USERHOME

MARKTIME=`date +%s.%N`
UNIQUE=`date +%N`

logfile "/var/log/maildrop/mailfilter.log"

# Test for the existance of the Junk directory.  Create it if it doesn't exist
VERBOSE=1
log "$VUSER@$HOST[$UNIQUE] : Start user filter"

# make sure the Junk folder exists and is subscribed too
`test -d $USERHOME/Maildir/.Junk`

if ( $RETURNCODE == 1 )
{
    `/usr/bin/maildirmake -f Junk $USERHOME/Maildir`
    `echo INBOX.Junk >> $USERHOME/Maildir/courierimapsubscribed`
}

# make sure the retrain folder exists
`test -d $USERHOME/Maildir/.JunkRetrain`

if ( $RETURNCODE == 1 )
{
    `/usr/bin/maildirmake -f JunkRetrain $USERHOME/Maildir`
    `echo INBOX.JunkRetrain >> $USERHOME/Maildir/courierimapsubscribed`
}

# now analyze the SA header
if (/^X-Spam-Status: Yes/)
{
        log "$VUSER@$HOST[$UNIQUE] : SpamAssassin found SPAM"
        to "$USERHOME/Maildir/.Junk"
}
else
{
        # spamassassin thinks its ham, which means nothing, because SA sucks
        # so now we check with dspam

        # warning: exception must have one space and then the curly bracket or else syntax errors are generatead
        exception {
                xfilter "/usr/local/bin/dspam --deliver=innocent,spam --stdout --user $USERHOME"
        }

        if (/^X-DSPAM-Result: Spam/)
        {
                # dspam says spam
                log "$VUSER@$HOST[$UNIQUE] : DSPAM found SPAM"
                to "$USERHOME/Maildir/.Junk"
        }
        else
        {
                # ham in both places, deliver
                log "$VUSER@$HOST[$UNIQUE] : DSPAM found HAM (returncode = $RETURNCODE)"
                if (/^X-DSPAM-Result: Innocent/)
                {
                        log "$VUSER@$HOST[$UNIQUE] : HAM includes X-DSPAM-Result: Innocent"
                }
                else
                {
                        if (/^X-DSPAM-Result: Whitelisted/)
                        {
                                log "$VUSER@$HOST[$UNIQUE] : HAM includes X-DSPAM-Result: Whitelisted"
                        }
                        else
                        {
                                log "$VUSER@$HOST[$UNIQUE] : HAM does NOT include X-DSPAM-Result: Innocent/Whitelisted"
                        }
                }
                to "$USERHOME/Maildir/"
        }
}

Since we’re dropping SpamAssassin, this file could be streamlined to be DSPAM specific but it doesn’t hurt to leave it in the event we decide to re-enable it at a later date. Simply save the script somewhere and enable it via a .qmail file in a user directory with the following:

|preline /usr/bin/maildrop /path/to/mailfilter-to-spam-plus-dspam

Here are some links to building “mileage runs” – intentionally bad airline itineraries designed to rack up additional frequent flyer miles. Also in the list below are some unique or useful itinerary planning tools. I was particularly blown away by ITA’s Matrix which lets you specify how many hops, on what airlines, in what class of travel and with what connections to build a trip. These will come in handy when I get on the Amazing Race.

• InsideFlyer article on mileage runs – with links to tools
• FlyerTalk mileage run tools – an epic list of tools
• FlyerTalk mileage run strategy – how one MR fanatic goes about booking his trips
• Travelocity DreamMap – display cheap trips on a map using a starting location, show where you can go on the cheap
• HappyFlier – strategies on finding routes
• ITA Software’s Matrix Planner – lets you specify arcane airline codes to build exactly the route desired and price it
• Great Circle Mapper – for sticking in a flight route like SFO-LAX-IAH-MCO and figuring out the total miles. 2,570 if you’re counting.
• Fare Codes, Award calculations, Mileage charts
• United Origin-Destination mileage calculator (also shows many valid routing options)

Updated 6/22/12 – United has a mileage calculator between two airports that also shows lots of valid routes which can be used to help book award itineraries.

Also, need to plug MileValue.com. Scott helped me rebook an award ticket to save me 40k miles and upgrade to 1st class one direction plus add a free one-way. You can hire him to do the same!

After hearing my friend rave about how great an SSD made his laptop, I went down the upgrade path instead. From what I could gather online, the X61 should support 64-bit Windows 7, SSDs (with a 1.5GB/s SATA cap) and, unofficially, 8GB of RAM. I had become accustomed to working under 3GB in Windows XP even for development work which was brutal so the RAM looked like it would be a huge boon.

There it is! Basically the X61 has two SODIMM slots and while the manufacturer officially supports 4GB RAM total, the hardware actually supports 8GB. I used 2 of these Patriot PSD24G8002S 4GB PC2 6400 800mhz CL6 DDR2 SODIMM modules at $55/ea for a total of $110. Corsair has an equivalent VS8GSDSKIT800D2 kit for $130 but memory is more or less a commodity so I went with the cheaper chips. One of the two Patriot modules was defective and wouldn’t POST but Amazon’s awesome return customer service worked like a charm and this morning my replacement stick showed up. Technically the Thinkpad uses PC2-5300 CL5 memory but it’s difficult/impossible to find in 4GB sticks and the newer, faster memory can “slow down” to work.

The other department where I needed more zoom was the hard drive. I replaced the internal drive with the 256GB Crucial M4, the latest and greatest generation of SSDs. Even though the hardware doesn’t support the full 6GB/s SATA capability of the M4, I decided to get the fastest drive possible now, so that I could transfer it to a newer laptop down the road.

Finally, with the new hard drive I took the opportunity to move to Windows 7 64-bit. I’ve actually had 4GB of memory since I bought the Thinkpad but Windows XP could only access 3GB of it. Moving to 64-bit ensured that I could use the full 4GB immediately and 8GB later. I disabled some of the Aero features to improve graphics performance (the low score in my Windows Experience score) and reverted back to XP’s ALT+TAB behavior and I’m happy with the results.

Having used it for a few weeks now, the speed improvements are stunning. Boot time and hibernate are dramatically shorter and applications pop on the screen as soon as they launch. Interestingly, my development work doesn’t process that much differently because it’s processor-bound but the improved disk access time and throughput clearly assists all kinds of applications from creating zip files to loading PSDs in photoshop to copying large files from the network. Total spend was $115 (RAM) + $425 (256GB Crucial M4) + Windows 7 64-bit (Free from friend) and I have what feels like the latest and greatest computer in the same lightweight footprint. Success!

Side note: If you feel that 1.5GB/s SATA is really killing your day, there is an unsupported, unofficial, totally-may-screw-your-computer BIOS upgrade for 3.0GB/s SATA-II available in this thread.

PS – I use CrashPlan to backup my home computers and it made transitioning to Windows 7 easy. I’ve already restored files twice from my XP install that I had failed to migrate. At the moment I have two computers backed up in Crashplan, my X61-XP and now my X61-W7. It’s great being able to go back and get files from the old machine – highly recommended!

I decided to get nerdy and I ordered a WakeMate. It’s a bluetooth enabled wristband you wear while you sleep that talks to your android or iphone. It records when you’re awake vs. sleeping and attempts to wake you up when you will be the least groggy.

This is my movement data from last night. I’m going to monitor for awhile before I draw any conclusions but it can’t hurt to try and improve the quality of my sleep if I can’t solve it through quantity.

I had been considering outsourcing everything – move incoming email to Google Apps and use someone like SMTP.com or SendGrid for outbound but there’s a few wrinkles like mailing lists and customer-relayed email. We ultimately decided to roll a new machine but given how quickly email deliverability evolves, we needed to get up to date with the various authentication and verification technologies that help get emails into the inbox. That meant getting waist-deep in SPF, Sender-ID, DomainKeys and DKIM. (See current DKIM and SPF deployment rates – 23% and 51% globally as of this writing)

This isn’t a step-by-step guide; writing one would simply repeat what other people have already done a good job of documenting. What this is, is an overview that ties together missing pieces and endless Google searches to move from concept to execution with one full set of examples.

The Moving Pieces

If you’re new to all this, here’s how these technologies work briefly: Sender ID is basically a Microsoft version of Sender Policy Framework (SPF). If you get SPF to work, Sender ID is backwards compatible and will verify successfully. DKIM is almost the same thing to DomainKeys but it adds Author Domain Signing Practices (ADSP) as an optional component that specifies how strict you are about signing messages.

SPF and Sender ID rely on specially crafted DNS records that identify which mail servers are allowed to send mail for your domain. By contrast, DomainKeys/DKIM take pieces of your message, cryptographically hash them with a key (part of which only your server knows) and embed the signature as a header which is verified using the other half of your key (which is public) that is stored in a specially crafted DNS record for your domain or mail server. You must have the ability to create DNS TXT records or none of these will work for you. Here’s a good article with a more details on how it all works.

The idea is to eliminate any joe spammer from using an arbitrary From address in spam, phishing and other email attacks. None of these approaches are perfect but they are used by large ISPs like Hotmail, Gmail and Yahoo so if you want your email to reach those inboxes, you need to play along.

QmailToaster

Step one, set up a QmailToaster. Our current server is (older) Qmail + Vpopmail + Courier based and it has worked well so we stuck with what we know. Not to mention, Jake Vickers and the QmailToaster team have removed all of the pain of setting it up so now you just speed along to the part where it works well. Other than getting the needed dependencies on my CentOS/RHEL box, the installation was a piece of cake using the qtp-newmodel approach.

• http://wiki.qmailtoaster.com/index.php/CentOS_5_QmailToaster_Install – the CentOS/RHEL 5 Toaster install gives the quick and dirty of adding DomainKeys support
• http://wiki.qmailtoaster.com/index.php/Domainkeys – detailed directions for DomainKeys support
• http://wiki.qmailtoaster.com/index.php/How_to_Setup_DKIM_with_Qmail_Toaster – Add DKIM support with a new qmail-queue

After you install the DKIM package from above on RHEL/CentOS 5, you would see this error in your qmail logs:

@400000004d7d3bc00da74aec delivery 21: success: ould_not_find_ParserDetails.ini_in_/usr/lib/perl5/vendor_perl/5.8.8/XML/SAX/rUser_and_password_not_set,_continuing_without_authentication./<check-auth@verifier.port25.com>_96.244.219.19_accepted_message./Remote_host_said:_250_2.6.0_message_received/

Basically, something is borked in the CPAN-installed SAX package. You can fix it by pre-emptively running (thanks to centosfiles for the fix):

perl -MXML::SAX -e "XML::SAX->add_parser(q(XML::SAX::PurePerl))->save_parsers()"

At this point you have a mail server capable of handling SPF, Sender ID, DomainKeys and DKIM. Now you need to enable it in your configuration and your DNS.

SPF/Sender ID

Unlike DomainKeys and DKIM which require public/private keys and some computational effort when delivering email, SPF and Sender ID are exclusively a DNS configuration option.

• http://wiki.qmailtoaster.com/index.php/SPF – there technically isn’t anything to set up with the QmailToaster since your outbound configuration is all DNS. However, you can configure how to handle incoming email that doesn’t pass using /var/qmail/control/spfbehavior.
• Qmail SPF – The underlying implementation of SPF for qmail
• OpenSPF.org’s Record Wizard – generate an SPF record for your domain to be placed in a DNS TXT record

Once generated, take the TXT record and put it into your DNS files. If you’re using djbdns, a simple record with one mail server would look something like:

'sample.com:v=spf1 ip4:your.ip.add.ress ~all:3600

The ~all says to softfail messages that don’t verify. If you are sure you have listed all of your possible outbound MTAs, then you can set it to -all which will tell remote servers to kill emails that don’t pass.

DomainKeys/DKIM

Once installed, you enable incoming verification and outgoing signing through the tcp.smtp file stored in /etc/tcprules.d:

• http://wiki.qmailtoaster.com/index.php/Domainkeys#Outgoing – using DKSIGN for outgoing messages and DKQUEUE/DKVERIFY for incoming messages. Has a flag-by-flag breakdown of how to configure DKVERIFY for how to respond to incoming mail that passes or fails verification.
• http://wiki.qmailtoaster.com/index.php/Tcp.smtp – a complete breakdown of the tcp.smtp file that includes DKSIGN, DKVERIFY and DKQUEUE breakdown
• HOWTO define DKIM/ADSP RRs – from the “Pro DNS and BIND” book, this page does a phenomenal job of explaining the components of the DomainKeys/DKIM records with examples. Also explains selectors clearly.

For DKVERIFY, the default is “DEGIJKfh”. If you want to permanently reject incoming mail that has a DomainKey signature but fails to verify, add a “B” to the list: “BDEGIJKfh”.

Outbound

To sign an outbound message for DomainKeys/DKIM, you need to generate a public/private key pair. Part of it you keep secret and sign your outgoing messages and the other half you publish in your DNS so other mail servers can verify it’s authentic. Here’s what the docs say to do:

# cd /var/qmail/control/domainkeys
# mkdir yourdomain.com
# cd yourdomain.com
# dknewkey private > public.txt
# chmod 440 private
# cd ..
# chown -R root:vchkpw yourdomain.com

The word “private” above is going to be our selector. It’s 100% arbitrary but must be used consistently. QmailToaster defaults to the word “private”. In your DNS, you need a TXT record that looks something like:

private._domainkey.yourdomain.com:k=rsa; p=MEwwDQYJKoZIhvcNAQEBBQ . . .

The rest of the record comes out of the file we just created with dknewkey in /var/qmail/control/domainkeys/yourdomain.com/public.txt. In my last Qmail install, I used “default” for my selector, so my DNS entries look like:

default._domainkey.yourdomain.com:k=rsa; p=MEwwDQYJKoZIhvcNAQEBBQ . . .

This selector, be it “private”, “default” or something else, MUST match what you use to generate your public/private key using dknewkey and it must also match what you use in your /etc/tcprules.d/tcp.smtp rules where you specify when to sign outgoing messages:

# example record using QmailToaster defaults
127.:allow,RELAYCLIENT="",DKSIGN="/var/qmail/control/domainkeys/%/private"

# since I used 'default' as my selector, this is what my file looks like:
127.:allow,RELAYCLIENT="",DKSIGN="/var/qmail/control/domainkeys/%/default"

Crypto Warning

dknewkey creates a (relatively) short 384-bit public/private keypair. There are people who don’t think that’s good enough and they’re probably right. You can edit /usr/bin/dknewkey to change it to something more secure like 512 or (better yet) 1024 bits.

A quick recap with how this selector is used throughout your Qmail and DNS configuration:

1. Generate the public/private key: dknewkey my-selector-name > public.txt; this leaves behind a file like /var/qmail/control/domainkeys/yourdomain.com/my-selector-name.
2. Create the DNS TXT record: my-selector-name._domainkey.yourdomain.com:k=rsa; p=MEwwDQYJKoZIhvcNAQEBBQ… (using the contents of the public.txt file dknewkey creates)
3. In tcp.smtp, use a DKSIGN environment variable: DKSIGN=”/var/qmail/control/domainkeys/%/my-selector-name”

Testing

Once you have it set up and your DNS has propagated, there are a number of online services and email reflectors that will verify your configuration and report back to you:

Web Tools

• SourceForge DomainKeys Policy Checker
• Scott Kitterman’s SPF record checker – test your SPF record from the web
• DKIM DNS Record Wizard – based on RFC 4871, helps construct the TXT record for your DNS for DKIM signing
• SendMail ADSP wizard and DKIM verifier – helps build an (optional) ADSP TXT record and can check your DKIM DNS entries

Email Reflectors

Unlike the above services which try to see if things look OK, these are email addresses you can send a test message to that will actually tell you how your email performed:

• check-auth@verifier.port25.com – the port25 reflector sends you an email report with a summary and breakdown by type. This is the best one in my opinion.
• spf-test@openspf.org – this message will be rejected but the rejection will say what happened to the SPF test. You must tail the logs (like /var/log/qmail/smtp/current) to see the results.
• autorespond+dkim@dk.elandsys.com – Eland Systems offers a DKIM reflector along with some notes
• MyIpTest.com Tester – tests DK, DKIM and SPF. Web page gives you a random email address to send to and then you can load your results after sending a test message.
• http://www.brandonchecketts.com/emailtest.php – similar to above, send an email to a random address provided on the web page and then you can check results.

Port25’s reflector report should look like this when everything is working:

Summary of Results
==========================================================
SPF check: pass
DomainKeys check: pass
DKIM check: pass
Sender-ID check: pass
SpamAssassin check: ham

Microsoft will let you “register” your Sender ID settings with them. Not sure how important this is, but it can’t hurt to let them know at https://support.msn.com/eform.aspx?productKey=senderid&page=support_senderid_options_form_byemail.

Email Services

Better than a reflector is to see how a real mail service will treat your message. Once you think you’re configured correctly, try sending an email to Gmail and Yahoo. Then you can view the headers for each to see how your SPF and DK records were interpreted.

Gmail:

Yahoo:

Final Thoughts

Putting it all together, here’s how my setup looks (using the selector ‘default’):

Public/private key pairs on file system

[root@mail domainkeys]# ls -al /var/qmail/control/domainkeys/sample.com/
total 32
drwxr-xr-x 2 qmailq root  4096 Mar 13 13:46 .
drwxr-xr-x 7 root   qmail 4096 Mar 13 13:46 ..
-r--r----- 1 qmailq root   396 Mar 13 13:46 default
-rw-r--r-- 1 qmailq root   142 Mar 13 13:46 public.txt

DKIM signconf.xml

On the file system in /var/qmail/control/dkim/signconf.xml:

<dkimsign>
  <global algorithm="rsa-sha1" domain="/var/qmail/control/me" keyfile="/var/qmail/control/dkim/global.key" method="simple" selector="dkim1">
    <types id="dkim" />
  </global>
</dkimsign>

You could override the use of /var/qmail/control/me or change the selector from ‘dkim1′ if needed.

Alternative note: It is also possible to sign your DomainKeys using the DKIM package. You can change signconf.xml to have a per-domain record with DK and then abandon DKSIGN altogether (this is the route I’ve gone):

<sample.com domain="sample.com" selector="default">
  <types id="dkim" />
  <types id="domainkey" method="nofws" />
</sample.com>

tcp.smtp

# localhost relaying
127.:allow,RELAYCLIENT="",QMAILQUEUE="/var/qmail/bin/simscan",DKVERIFY="DEGIJKfh",DKQUEUE="/var/qmail/bin/qmail-queue.orig",DKSIGN="/var/qmail/control/domainkeys/%/default"
# external web box
69.36.226.12:allow,RELAYCLIENT="",DKSIGN="/var/qmail/control/domainkeys/%/default"
# everyone else that connects gets the full cavity check
:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="3",QMAILQUEUE="/var/qmail/bin/simscan",DKVERIFY="DEGIJKfh",DKQUEUE="/var/qmail/bin/qmail-queue.orig",DKSIGN="/var/qmail/control/domainkeys/%/default"

DNS TXT Records

Using djbdns:

'sample.com:v=spf1 ip4\07269.36.226.12 include\072emailcenterpro.com ~all:3600
'_domainkey.sample.com.:o=-;:3600
'default._domainkey.sample.com.:k=rsa; p=MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAPBdKl9mx3KIjLwGfq83LNzUN4aDWc4t3PVTnc0d+duI9HVD+UG+i1suifV6obDzo4ugHji6EH+zei39Cch9vTXcpVWkaFCEmVu0AXjY/98WIjYb5Hh5+SYQFyQkz0Mq0wIDAQAB;:3600
'dkim1._domainkey.mail.sample.com.:v=DKIM1; k=rsa; p=MEwwDQYJKoZIhvcNAQEBBQADOwAwOAIxAK+vhWHoPv+3DhM1u3MaHk7AayBa+CdNnjPHhg3/3Nv7hEIYUbOfKSUqNxDtjJkgcQIDAQAB;:3600
'_adsp._domainkey.mail.sample.com:dkim=all:3600
'_adsp._domainkey.sample.com:dkim=all:3600

First line is my SPF/Sender ID record. It also uses an include to allow a third party (in this case, EmailCenterPro) to send mail on our behalf.

The second line says that we sign all outgoing messages with DomainKeys/DKIM (o=-).

Third line is for DomainKeys using our selector ‘default’ (which correspondingly shows up in tcp.smtp in DKSIGN and on the filesystem as /var/qmail/control/domainkeys/sample.com/default).

The fourth line is the DKIM record which uses the global.key and public.txt stored in /var/qmail/control/dkim. Why is it dkim1._domainkey? Because that’s the arbitrary selector specified in the signconf.xml file as listed above. Again, totally arbitrary, could be ‘private’ or ‘default’ or something else, but best to have it different from your DomainKeys. You might also notice that it is mail.sample.com instead of sample.com? By default it must match /var/qmail/control/me file because that’s how the message will be signed by the QmailToaster DKIM package.

The fifth and sixth line are ADSP records that say we sign all outbound messages with DKIM. Some hosts appear to be checking for it without the mail subdomain so I’m currently running both. I don’t think it should be strictly required but at this time seems to cover the bases.

The 3600 on every line is the TTL, meaning these records expire after 1 hour.

Quarantining Spam in IMAP Folder

Before upgrading, we used DSPAM as our spam filter of choice. In a word, it’s awesome. It quarantined mail so effectively that I eventually stopped checking the quarantine until it became so large I could no longer view or delete it from the web interface. The secret sauce in my setup, which involves Mozilla Thunderbird was to use Thunderbird’s built-in “Junk” folder as a feedback loop for DSPAM. For some reason, Thunderbird is really good at catching certain kinds of spam that DSPAM was not and, if a spam did get through, I can select it and press “J” which trains Thunderbird and moves the message to my Junk folder. The server processed those Junk folders nightly, feeding them to DSPAM to further increase its accuracy.

I like not downloading all of the assumed junk mail to my phone or, worse yet, on a slow net connection while traveling somewhere around the world. Unfortunately, QmailToaster’s SpamAssassin approach is to flag but leave it in your inbox. No bueno. Luckily we can use some of the software already installed and a very short script to replicate the previous behavior.

Create generic mailfilter

If you accept users will use a “Junk” folder (or “Spam” or whatever you want to call it), then you can create a single maildrop mailfilter script in ~vpopmail/etc/mailfilter-to-spam:

SHELL="/bin/bash"
import EXT
import HOST

VUSER=`echo ${EXT%-*}`
export VUSER
USERHOME=`/mail/bin/vuserinfo -d $VUSER@$HOST`
export USERHOME

logfile "/var/log/maildrop/mailfilter.log"

# Test for the existance of the Junk directory.  Create it if it doesn't exist
#VERBOSE=9
#log "testing for $VUSER@$HOST in $USERHOME"

if ( /^X-Spam-Status: Yes/ )
{
        `test -d $USERHOME/Maildir/.Junk`

        if ( $RETURNCODE == 1 )
        {
            `/usr/bin/maildirmake -f Junk $USERHOME/Maildir`
            `echo INBOX.Junk >> $USERHOME/Maildir/courierimapsubscribed`
        }

        to "$USERHOME/Maildir/.Junk"
}
else
{
        to "$USERHOME/Maildir/"
}

Now create a ~vpopmail/domains/sample.com/username/.qmail file for those users who want their spam quarantined in a “Junk” folder rather than just tagged:

|preline /usr/bin/maildrop ~vpopmail/etc/mailfilter-to-spam

Done! All messages that meet your SpamAssassin minimum score (default of 5.0) will be quarantined in the “Junk” folder for review from SquirrelMail or your IMAP client. You can process these folders using a script like the following (warning, not tested in production yet!):

#!/bin/bash
cd ~vpopmail/domains

# find all Junk folders
for ii in `find . -type d -name '.Junk'`; do

  # find all mail 5 days or older
  for jj in `find $ii/cur/ -type f -mtime +4`; do

    # learn from it and delete it
    echo "processing $jj"
    /usr/bin/sa-learn --spam --no-sync $jj
    rm -f $jj

  done;

done;

# now synchronize the overall SA database
/usr/bin/sa-learn --sync

The argument “-mtime +4″ says look for files that are 5 days or older. You could adjust that to +1 for 48 hours or “-mmin +60″ for 60 minutes or older depending on your policies. Schedule this to run as a cronjob nightly and you’ll be provided an ongoing set of spam to learn from.

Hope these links and notes help someone else in the future!

Homemade Cool Shirt System

Usually after about 20 minutes in the car on a hot day, I start making mistakes. Nothing horrible, but I know that it’s fatigue setting in that makes my brain work less well. Driving a Miata is a physical experience, but less physical than doing something really physical like playing basketball. So the fatigue isn’t the same kind of fatigue as what you’d feel after running 5 miles, instead it’s a mental fatigue that is mostly due to overheating.

With a race at Thunderhill in July approaching, Derek and I decided to do something about the heat. A typical summer afternoon in Willows can be 105 degrees or more, so of any race this season, that one was likely to be the hottest.

We looked at the existing cool shirt systems out there. All look very well made and definitely have the kinks worked out. However, there were two big issues with them from my perspective: they’re expensive, and they look like they’d be easy to make. Time for some D.I.Y.!

The overarching concept with the shirt is that cold water is circulated in a lot of tubes attached to the shirt. A small cooler serves to contain icewater. The water is forced out the cooler using a bilge pump, through tubing into the shirt where it pulls heat out of your torso, flows out of the shirt, and is dumped back into the cooler where it mixes again with the icewater. An important part of the system is a way to quickly connect and disconnect the shirt from the cooler — this is accomplished with dry-break fittings normally used in medical and industrial applications.

Parts

8+ Quart Cooler – Make sure the one you pick will fit where you want to mount it. Measure the available space, and get the biggest cooler that will fit. We got ours from Target for $10 or so. In hindsight, we TOTALLY should have gone with this one, since it looks to have a WAY better seal and the one we got leaks unless we cover the whole top in racer’s tape.

Pump – I got a 600 GPH Bilge Pump from West Marine for $25. The ones at OSH take AC power so those were out. The one I bought takes 12VDC power, so wiring it up to the car is easy.

To get the water in and out of the cooler, we used 1/2″ diameter, 3″ long nipples (pipe threaded on both ends). We may have been able to use 2″ long ones.

Fittings And Such – We found all of this in the plumbing aisle at the local hardware store (NOT HOME DEPOT).

- (1) 3/4″ female to 1/2″ female adapter

- (2) 1/2″ diameter, 3″ long nipples (pipe threaded on both ends). We may have gotten away with 2″ long ones.

- (4) Thin nuts, 1/2″ coarse thread. The nuts need to be able to thread onto the nipples.

- (16) washers that can slip over the nipples.

- (2) 1/2″ female to 1/4″ compression fittings with inserts to fit in 0.170″ ID tubing

- Roll of teflon tape

Tubing

- 50 feet of 1/4″ OD vinyl tubing. This is what goes in the shirt.

- 10 feet of 1/4″ OD polyethylene tubing. Typically used as the cold water supply for refrigerators. This is what goes from the cooler to the shirt. It needs to be different tubing because you use a compression fitting on the cooler end of the tubing.

- 5 feet of foam pipe insulation. 1/2″ inside diameter works fine.

Quick Disconnects

- (2) Sockets – McMaster-Carr part number 5923K31 – $8 each or so

- (2) Inserts – McMaster-Carr part number 5923K61 – $7 each or so

Optionally, get an extra insert so that you can connect it to the ouput line from the cooler and run the pump to drain the water from cooler without throwing away ice if you’re going to be running closely spaced track sessions.

From Brian…

Btw, I ordered the real FAST Carbon-X shirt so if you ever want to build the cooler again, you need to use the PLC line of couplers (metal thumb clasp) rather than APC line (plastic thumb clasp). The male end on the FAST shirts requires the thin metal connection. Luckily McMaster-Carr sells them also. It’s McMaster-Carr #5012K662 for $9.93/ea. The general parts number btw is Colder P/N #PLCD13004

Mounting – keeping the cooler in position

- (3) pieces of 90-degree aluminum, 1.5″ on a side, 6″ long

- (6) 1/4″ Bolts and nylock nuts

- Nylon strap with ratcheting tightening mechanism

Shirt – Get a TIGHT shirt. If you wear a Large, get a medium. It needs to be skin tight.

Fabric – An old cotton pillowcase is great source of the fabric. You sew the fabric onto the shirt to hold the tubing in place. Details to follow.

Silicone – A small tube of GE Silicone II works well.

Putting it Together

Cooler

Start by setting the pump in the cooler. Put the outlet against one of the sides of the cooler and mark its location. Find where the center of that circle is and drill a hole just big enough for the nipple to slip through. Drill another hole the same size toward the top of the cooler for the return line.

Spin one of the thin nuts onto one end of one of the nipples. Then, wrap that end with teflon tape and thread the 3/4″ to 1/2″ adapter onto it. Tighten. Slip one of the washers onto the assembly so it rests against the nut and goop up the washer on the side facing away from the adapter with silicone. Slip it through the lower hole in the cooler from the inside to the outside. Put the pump in the cooler, put teflon tape on the 3/4″ threads on the pump, and thread the nipple and adapter assembly onto the pump. Tighten. Goop up the hole on the outside of the cooler, and stack up enough washers on the nipple so that you can tighten one of the nuts onto the nipple’s threads all the way to the bottom of the threads. The goal is to maximize the threads exposed on the nipple after you tighten the nut.

Slip the other nipple through the top hole in the cooler and goop up around it inside and out with silicone. Don’t be shy. Use one or more washers on the inside and out. Stack up the washers just enough so that you can tighten the nuts on the inside and out all the way down — so the nut is threaded as far down as the threads on the nipples go. I used all 16 washers for this.

So at this point you should have both nipples mounted firmly in the cooler, with the pump attached to the lower nipple. We used some short sheetmetal screws to attach the pump to the cooler floor. We drilled holes first and squeezed silicone into the holes so that the water would not leak through.

Drill a small hole through the side of the cooler near the top for the pump’s wires to pass through. Goop up around the hole with silicone so this is not a source for leaks.

Put teflon tape around the exposed threads on the nipples on the outside of the cooler and thread on the 1/2″ to 1/4″ compression fittings. Tighten. Cut the polyethylene hose into equal lengths, slip in the compression insert to the tubing, and attach to the compression fittings. Wait to install the dry-break connectors until you get everything together and know exactly how long you want the polyethylene tubing to be.

Shirt

Hopefully you or someone you know has a sewing machine and is not afraid to use it! The concept here is that you will need to sew two panels onto the shirt — one on the front and one on the back. You will only use vertical stitching on the panel since the tubing is going to thread up and down between the panel and shirt. The tubing enters the front of the shirt one one side, goes up and down through the “channels” in the panel, hooks around to the back, does the serpentine thing again, and ends up next to the inlet tubing.

Here are diagrams of the front and back. The grey shaded area is the panel you cut out of pillowcase or sheet material. The red lines are the stitching, and the blue lines are the clear vinyl tubes.

Start out by putting on the shirt (TIGHT!) and your HANS and sit in a chair. Mark on the shirt (water soluble markers from my daughter’s art box worked great) where the HANS lays. Also mark 3″ or so above where lap belt falls – that’ll be the bottom of the panels.

Cut out the panels. Center them on the shirt horizontally, and line them up with the line you drew that’s 3″ above the lap belt. Sew up the sides of the panels, then sew the channels that will guide the tubing. The channels should be 1.5″ wide or so — but make sure there is an even number of them so the tubing works out. I used 12 channels on both the front and back.

Thread the vinyl tubing through the shirt, being careful to not twist it in the shirt — it’s not a huge deal, but it will not lay flat if there are twists. Leave 5 feet or so of extra tubing at the beginning so you can have flexibility in where things go at the end. The tubing should enter and leave the shirt on the same side, e.g. in the front on the left, and out the back on the left.

Finish Up

Cool! So now put the shirt on and get in the car. Play with different positions of the tubing to figure out what’s best for you. Don’t forget that the shirt tubing needs to get outside your firesuit somehow — I put mine through the lower zipper opening. Some people will cut slits in their pockets, which seems like an OK idea too.

Once you figure out where everything should go, trim the tubing and hook up the dry-break fittings. Also figure out where you want the cooler to mount in the car. Use the aluminum and nuts and bolts to locate it. Figure out how to mount the nylon ratcheting strap to keep everything tight. I used eyebolts that were already there for the passenger side lap belt.

The nice thing about this mounting setup is that to remove the cooler to dump it, all you have to do is loosen the nylon strap and pull the cooler out. No tools required.

Wire up the pump, ideally with a fused and switched circuit. You don’t want it on all the time, and if the pump burns up you don’t want to take down the car’s electronics. I made a power distribution block and fuse block that sits in the center console and used a metal toggle switch for the pump circuit.

Aftermath

I was excited to give the system a try at the Thunderhill race. The forecast was for 95 degree temperatures. In the first practice session, I hooked up the system and powered it on at the 3-minute board on grid. To my dismay, I didn’t feel or see any flow in the system. After all this work, I was really bummed out. I resolved to work out the system after this practice session. So I went out not expecting anything. Well in Turn 6 on the first lap, the cold goodness started flowing! OH IT WAS SO NICE!

I’d fill the cooler with ice, then pour in just enough water to run the system. This gives maximum cooling for the longest time, since the warmer water returning from the shirt will start melting the ice right away. If it’s too cold, run less ice and more water in the cooler, though I don’t see this as a possibility unless it’s really cold outside. After the session, I’d either remove the cooler from the car and dump it, or attach an extra insert to the line coming from the pump and run it to pump out most of the water, add more ice, then go out again.

It worked great through the whole weekend. Through the entire 30 minute races I felt sharp, and not once did I wish for the end of the race. Where I’m usually totally beat at the end of a session or race, I was not fatigued a bit.

I’m sure the $400 systems would work better to some degree, but for 1/4 the cost and a day or so of work, I’m satisfied.

Editor’s note: I followed Zack’s advice and built the cooler but bought the real FAST Carbon-X shirt from SafeRacer. I wanted Carbon-X for the comfort and a second layer of fire protection but it also looked like it was sewn really well. In retrospect this was definitely the right move. The shirt fits well, the tubes are awesomely sewn on and there is no goofy bulging. The shirt is pricey but it’s the last piece actually touching your body so I feel the price was worth it. I used it just yesterday in 60F weather at Willow Springs and it was nice! Don’t underestimate how much heat you generate trying to hustle your car around.

Here is a photo of my parts laid out. I used a combination of PVC and brass fittings from Home Depot in conjunction with the cooler and pump I noted above. System has traveled across the country for 3 seasons and is still working like a champ.

However, if you first select an arbitrary amount of text, your reply will only quote that text.

If you’re like me and you carefully whittle down your email responses to only include the relevant text, this is a neat shortcut that requires just a quick drag of the mouse and your response is immediately ready for you to start typing.

Nice job Mozilla! Here is the documentation on their site which I found after I stumbled upon the feature.

There are several ways people add ballast. Lead is the ideal solution but nothing was available in this quantity locally and I would have had to smelt and pour my own weights which was unappealing. Many people use plate weights from a sporting goods store but stacking enough 45# plates was going to be unwieldy and I didn’t like the options for bolting them in place. Some people on SpecMiata.com have built systems that attach to the seat mount points which is safe and clean but technically not permitted by the rules. Finally, there are some ready-made solutions like this Rennen Metal option but the shipping was going to cost more than the weight!

Ultimately I decided I wanted a GCR-compliant solution that I could obtain locally and would handle weight up to 175# safely in the event of an incident. I designed a steel plate solution that requires the removal of the rear seat mounts on the passenger side and consumes the ~16″x17″ space left rearward of the front seat rail. At this size built from mild steel (40.84#/ft² @ 1″ thick), the total weight can be tuned through combining plates of various thicknesses:

I was already concerned about the safety of having that much weight attached to the floor pan so working with guidance from my roll cage fabricator TC Design in Milpitas, CA, I designed extra large 1/4″ thick backup plates that run 4″x20″ along the frame rail using a total of 4 x 5/8″ Grade 8 bolts to keep everything in place. Each backup plate adds approximately 4.5# to the weight of the car. The inboard side runs next to the brake and fuel lines from just in front of the rear subframe brace towards the front of the car. Washers and nylock nuts complete the install. The goal was to provide as much surface area as possible to resist pulling through the floor pan in case of a serious crash.

Installed in the photo above are 1 x 1″ base plate, 9 x 1/8″ plates and 2 backing plates for a total of 171.5#. With one gallon of gas, my car runs just a few pounds above the 2450# required minimum weight. I have since removed a couple of the 1/8″ plates in order to add a Cool Suit system so I maintain the same total and corner weights.

If you can’t find someone local to cut the steel for you, I had an excellent experience with Bayshore Metals in San Francisco. Steve (baymetals@sbcglobal.net) did a great job not only with the sales process but also in waiting for me to pick up the ballast when I was running late en route to our first race weekend.

Disclaimer: the above experience and downloadable template are a guide and come with no warranty of any kind. Consult with an expert and make your own judgment before using this information. You alone are responsible for your safety!