
Technology

More reasons to go Open Source keep popping up almost daily now

This is a great example of irony, Apple

So now it comes out that India's military strong-armed Nokia, RIM (Blackberry) and Apple into providing back-door access into their cellular phones using what sounds like some sort of rootkit application similar to Carrier IQ's rootkit.  The explicit purpose?  Unlike the supposedly benign purpose of providing cellular providers with helpful data to assist customers who are having technical difficulty, as claimed by Carrier IQ (right, sure), RINOA SUR is meant to spy on India's citizens.

So combine that with the increasing pressure to pass SOPA and you've got a nice recipe for complete takeover of all systems, whether they be on tablets, cellular phones, notebooks or desktop computers.  Clearly, Richard Stallman was correct from the beginning.

Now when I say takeover, I don't mean that you won't be able to use your computer.  I mean that you won't be able to use your computer without everything you do being recorded, and possibly interfered with.  I mean that what you do on your computer could possibly be used against you, and if you think you have nothing to hide, that won't protect you. I mean that someone else could use your computer to frame you, if they didn't like what you say or what you stand for.

A rootkit with backdoor access provides more than just a way to snoop.

Why do I have CyanogenMod installed on my Motorola Droid?  Because I don't trust Motorola or my carrier to provide me with a phone OS that has not been compromised.  Why does my personal laptop only have Ubuntu LINUX installed, and no other operating system?  Because I don't trust Acer or Microsoft to have provided me with a laptop and Windows operating system that are 100% secure from intrusion.  I don't even have the original hard drive installed.

Call me paranoid if you will.  They've been calling Stallman paranoid for years.  But the fact remains that commercial interests drive closed operating systems and software, and because there's no way for the code to be inspected by a 3rd party, there's no way to find out immediately whether it's been compromised, intentionally or otherwise.  If making money from software sales is the provider's primary goal, they will sell out their customers in order to sell their product, every time.  Prove me wrong.  I dare you.

Redhat LINUX generates money via Enterprise support contracts.  The software is free.  It is open source and can be inspected by anyone.  The likelihood that it, or any other distribution of LINUX, contains a hidden backdoor rootkit or some other access for military, government or law enforcement officials to snoop, compromise or take control of computers or servers upon which it has been installed is next to nil. I won't say it's impossible, but I will say it's highly unlikely due to the fact that the code can be independently verified by anyone.  If it did have such a backdoor, it would be discovered almost immediately, as compared to the seven years it took for the RINOA SUR agreement to come to light.

I call bullshit on all of this.  Apple, RIM, Nokia, and anyone else who pulls this sort of crap to generate sales - fuck you.

To anyone else who wants to prevent this from happening - now is the time to start looking at making the switch to LINUX.  If they've been doing this to cell phones for the past seven years or more, what have they been doing with your Apple or Windows computers?

Motorola Droid downgrading Cyanogenmod

So I've been running Cyanogenmod 7.1 on my Motorola Droid (1st series) and it's been acting strangely.  It sometimes spontaneously reboots itself, it sometimes can't read the SD card, occasionally when people call the phone keeps ringing even after I answer, and it cannot restart music playback if the music player is interrupted by a call or another app.  So I'm downgrading back to 6.1.2, the stable release based on Froyo, which ran a lot better on this phone.  Here are the steps necessary to do so.

(I assume your phone has already been rooted if you have Cyanogenmod 7.1 already installed)

  1. Install Titanium Backup and make a complete backup of all apps + data.
  2. Install the latest version of ClockworkMod Rom Manager if it is not already installed.
  3. I strongly recommend recovering from a backup image to the original Droid OS you started with, which you should have been prompted to do if you were using ClockworkMod Rom Manager to install Cyanogenmod 7.1 in the first place.  DO NOT DOWNGRADE YOUR IMAGE FROM 7.1 to 6.1.2 DIRECTLY or you risk making your phone unbootable.  Please pay attention, I am repeating this for your benefit based on personal experience, downgrading directly from Cyanogenmod 7.1 to 6.1.2 will BRICK your phone and you will need a variety of tools and a computer with Windows installed (why this is necessary when dealing with a LINUX based OS is beyond me, but sadly it's true) in order to get it working again.
  4. After the recovery has finished and you have booted back into your phone's stock OS, upgrade ClockworkMod Rom Manager to the latest version (this will be necessary).
  5. Use the "Fix Permissions" option in ClockworkMod Rom Manager and restart your Droid when it is finished.  I advise powering the Droid off and removing the battery for five seconds to establish a clean boot before the next step.
  6. Open ClockworkMod Rom Manager again after the phone restarts, and select Flash ClockworkMod Recovery.
  7. Once this is completed, you may select Download ROM and choose Cyanogenmod, selecting version 6.1.2 - I recommend keeping the ADW launcher option and selecting install Google Apps.
  8. Let the phone do its thing - upon reboot you will want to reinstall Titanium Backup to recover your apps and data. (Note: do not allow Titanium Backup to overwrite the data on your built-in system apps or they may stop working, which will require you to go back to step 4)
  9. Just to be on the safe side you may want to use ClockworkMod ROM Manager to "Fix permissions" one last time after everything has been restored.
  10. Enjoy your stabilized Motorola Droid!

Why the time pirates are caught in a loop and are struggling to undo their mistake - Updated!

Geological time spiral

To skip to the latest video on this topic, click here.
 
Just to warn the average reader this is probably going to read a lot like science fiction.  I don't really expect anyone to believe any of this, but at the same time I cannot completely disregard my observations because there is enough supporting evidence that I have come across during my lifetime to make this theory plausible. Bear in mind I used the words "theory" and "plausible".
 
For a moment, consider the idea that time is not merely linear, travelling from point A to point B, but rather turns as a steady spiral, much like the coil of a spring or the shell of a snail.  Unlike the diagram presented here, showing the various geological eras of Earth's history in a steadily rising and outward spiral - our "linear" time travels inward, reaching a finite "end point" beyond which nothing continues.  This point could be considered the end of time, the point which Meat Loaf cannot wait to reach after scoring.
 
Now, imagine if you will, that humanity has realized the end of time is imminent, and the advance of technology has reached a point where it can not only conclusively prove that there will be an end of time, it can also measure how much time is left before the end.  With such technology comes additional technology providing humanity with the means to travel through time via the fourth dimension, which permits crossing the bands of each loop in the time spiral.  These crossing "windows" would need to be similar to the "windows" the NASA space shuttle uses to reenter Earth's atmosphere and return to the planet's surface.  So it would not necessarily be possible for a time traveller to access any point in history at will, but rather only certain timelines that aligned with the one they currently occupied.
 
Knowing that time is about to end, and possessing the technology to travel backwards through time, humanity might choose to survive the coming armageddon by taking advantage of their time travel technology and jumping into the past.  Thus surviving their doom, they would also (with great probability) introduce a schism into the time line, branching off from the original with potentially catastrophic results.
 
Anyone who has seen the film Back to the Future Part II should be familiar with the concept of alternate timelines.  By travelling back in time and changing the course of history by interfering with a series of events as they played out, subsequent events will then change.  This idea was previously introduced by the short story A Sound of Thunder by Ray Bradbury, where a time traveller inadvertently steps on and kills a butterfly during a hunt to kill a Tyrannosaurus Rex, and in so doing returns to a completely different timeline than the one he had left.
 
Should a significant number of humans (significant being more than two or three) travel to a point of time in the distant past permanently, or even should they travel to different points along the timeline, there would be an unbelievably different series of events that would unfold from that point forward.  There would also be a significant increase in human population upon the planet, because I highly doubt that these time travelling humans would choose to sterilize themselves in order to reduce their impact upon the timeline.  Humans are way too ego-centric to make such a decision for themselves.
 
However, I am a great believer in fate.  As a great believer in fate I would state that certain events in the history of humankind upon the face of planet Earth are bound to repeat themselves, even in these alternate timelines.  Therefore I would propose that as this new timeline created by the time travellers approaches its own end, a new group (and significantly larger number) of time travellers would choose to avoid their fate by travelling back in time.  Due to this repeat event, the original problem (of a markedly different timeline being created by the time travellers) would be compounded by the new batch of time travellers, alongside perhaps some or all of the original time travellers from before who are now replicating themselves along this third newly created time line.
 
Before this gets far too messy to comprehend let me sum up:
 
Earth (Earth alpha, or original Earth timeline) approaches the "End of Time" and → human time travellers "cheat Death" by escaping to the past, which then creates → Earth¹ (first alternate timeline) with greater population than Earth and a completely different series of events of history, but still approaches the "End of Time" resulting in → more human time travellers who "cheat Death" by escaping to the past, including some or all of the original time travellers from Earth which creates → Earth² (second alternate timeline) with a greater population than Earth¹ including duplicate humans as a result of time travellers from Earth also present in the Earth² timeline.  The Earth² timeline also approaches the "End of Time" resulting in → even more human time travellers who "cheat Death" by escaping to the past, including some or all of the original time travellers from Earth and Earth¹ which creates → Earth³ (third alternate timeline) with a greater population than Earth² including duplicate and potentially triplicate humans from the Earth and Earth¹ timelines respectively.  And so on, and so forth, potentially to infinity.
 
Does your head hurt yet?  If not, keep reading.
 
Does string theory, or the theory of multiple dimensions start to make a bit more sense now?  It should.  Each variation of these events can be simply explained by time travelling.  Certain people and places will exist in multiple timelines, but not in all.  Certain events will take place in multiple timelines, but not in the same way, and not with the same results, with the exception of the "End of Time".  Also, unless these time travellers are able to return to their original timeline in order to warn their brethren of the mistake they are about to make by embarking upon their journey, there is no way to prevent history from repeating itself, in the future.  
 
Okay, that last sentence made my head hurt, but it's the best I can do with this limited vocabulary called English.
 
One congruency that I can assume exists across all timelines would be the Georgia Guidestones.  These mysterious stones appeared in Elbert County, Georgia, upon the request of a mysterious unknown person by the apparent pseudonym of R.C. Christian.
 
Most tellingly, in eight different languages the stones state the following:
  1. Maintain humanity under 500,000,000 in perpetual balance with nature.
  2. Guide reproduction wisely — improving fitness and diversity.
  3. Unite humanity with a living new language.
  4. Rule passion — faith — tradition — and all things with tempered reason.
  5. Protect people and nations with fair laws and just courts.
  6. Let all nations rule internally resolving external disputes in a world court.
  7. Avoid petty laws and useless officials.
  8. Balance personal rights with social duties.
  9. Prize truth — beauty — love — seeking harmony with the infinite.
  10. Be not a cancer on the earth — Leave room for nature — Leave room for nature.

Assuming I were a time traveller and wished to avoid repeating my mistakes, yet I was unable to pass the message to the source of the problem, because that source was far into the future, this is the best possible idea I can think of - create a monument that will hopefully survive intact to reach the future in order to warn time travellers of their folly.

 

How is this even possible?

Who the hell uses Lotus Notes to browse the web?

Screenshot taken from http://marketshare.hitslink.com/browser-market-share.aspx?spider=1&qprid=0


My list of approved tech manufacturers just got a little shorter

I used to sell and promote Samsung CRT monitors when I worked for a computer repair shop in New Orleans.  The brightness and quality of the screen was equal to anything sold by Sony at the time, and also significantly less expensive.  There were even cheaper brands out there, to be sure (cough, Viewsonic, cough, cough) but we were dedicated to carrying high quality, affordable and reliable computer equipment at that time, so to me it made sense to recommend that the customer spend a little more money in order to be better satisfied.

Fast forward to 2008 when I assembled my custom computer, Lain, I purchased a Samsung 22" monitor to go with it, believing (at the time) that I was making a wise investment by spending a bit more than I would for say, an Acer screen of the same size.

Three years and four months later and I get a phone call on my way home from work.  It goes something like this:

Brighid - "I think there's something wrong with your monitor, you'll need to check it when you get home, it keeps shutting off."

Me - "That doesn't sound good."

Brighid - "The kids were playing games on it all morning, but when they were done I got on Facebook and that's when it stopped working."

Me - "Okay, I'll check it out when I get home."

Brighid - "Isn't there some button I could press to get it working?  When I turn it off and on it says Analog, then Digital.  Which one is it supposed to be?"

Me - "It's supposed to be digital.  I'm pretty sure there's a button you can press to make it switch between analog and digital."

Brighid - "Which button is it?"

Me - "I don't remember - all monitors are not alike - it should be labeled there somewhere though under the button.  But it should automatically select digital as it turns on and scans available connections, so if it's not doing that and going to a black screen that means there's a problem somewhere."

Brighid - "I don't understand why it would stop working like that, it was fine all morning."

Me - "Right, well, I'll probably need to check it out when I get home, it sounds like something's gone bad."

Brighid - "Don't say that, I'm sure if I just hit the right button it will come back on again.  It keeps showing a picture just fine."

Me - "I thought you said it was a black screen with no picture."

Brighid - "Yes, but when I turn it on it shows the picture fine for about a second, then it goes to a black screen."

Me - "Oooh...that means the monitor is probably dead."

Brighid - "This nice monitor that you spent extra money on?  We haven't had it that long.  You must be wrong."

Me - "No, we have another LCD monitor that did the exact same thing, and it's an indication of an internal defect."

Brighid - "Stop being so negative, I'm sure if you just tell me which buttons I need to press it will be fine."

Me - "I've been fixing computers for over a decade, so I can say with 95% certainty that the monitor is dead and needs to be replaced."

Brighid - "Why do you have to be so negative?"

And so on, and so forth, for several more minutes until I finally got home and could smell the odor of burnt electronics.  My wife, I love her to pieces, admitted that I was right (I don't know how many times she's done that but I'm pretty sure it's less than five).

Luckily we had a spare 19" LCD monitor handy so I swapped the screens out, then got on Samsung's website to see if there was any hope of warranty.  On their site they recommend registering their product to obtain additional support and an extended warranty, so I bit the bullet after determining there was no quick way to verify warranty and submitted the necessary information to register their product.

I was then told by the website that the serial number was not valid.  I checked and rechecked everything I had entered in, I verified the information on the box (yes I still have the box) against the serial number sticker on the back of the screen, and tried a few more times just to be sure.  Noting that Samsung's official monitor warranty period is 36 months from the date of purchase (which is pretty much the standard of all monitor manufacturers these days), I gave up at this point.

This is not the first time Samsung has annoyed me - the first was upon receiving the 300GB Samsung SATA hard drive to install into Lain, I discovered that unlike most hard drive manufacturers such as Western Digital or Seagate, Samsung defers warranty to the reseller.  This is a major failure on Samsung's part because I am used to every other hard drive manufacturer I have ever dealt with offering a three year warranty.  Newegg, where I purchased the Samsung hard drive, only offers a one year warranty for hard drives.  I decided to keep it, although in hindsight I probably should have immediately exchanged the hard drive for a Western Digital model instead, even though it is still working.

So here we are, with a hard drive that went out of warranty two years earlier than it should have by other manufacturers' standards, and a monitor that failed four months after its warranty expired, when I spent extra on it and it should have lasted at least a couple more years, if it was really the level of quality that I expected.  I fully understand that nothing in the tech world is 100%, but it is extremely unlikely that I will ever purchase another product made by Samsung.

[End Rant]

Why AMD is awesome for LINUX users

I've explained in the past why I prefer AMD products to Intel and nVidia, so we'll skip past all of that.  Being a big fan of LINUX, I reached the point of dumping Windows entirely a few months ago, which has the side effect of requiring me to go through some hoops to get things working in LINUX.  Consequently, I rather appreciate it when AMD also goes through some hoops on my behalf.

I recently upgraded Lain with a Sapphire Radeon HD 5670 1GB PCI-Express graphics accelerator, which is built on the GPU manufactured and distributed by AMD.  AMD also provides the proprietary LINUX Catalyst drivers for this and other Radeon cards, and releases updated drivers on a monthly basis.  AMD is simultaneously working with the Open Source community on the development of non-proprietary drivers as well (unlike nVidia), but they are not quite ready for video game use, so for the time being I will continue using their proprietary driver releases.

Installation of the card was painless - the same drivers that were installed for my Sapphire Radeon HD 2600 XT 256MB PCI-Express graphics accelerator also supported this new card, and Ubuntu booted up flawlessly.  The first thing I tested out was Star Trek Online, which had been suffering from performance issues upon my transition to LINUX with my older graphics card, and this is where I ran into my first (major) snag.  All animated 3d character models were invisible - which meant that while I could clearly see the environment, physical objects in the environment, starships, and even objects held by NPCs such as tricorders, the NPCs and the avatars of other players were not visible - aside from their shadows.

I found a tip on the LINUX support thread in the Star Trek Online forums that mentioned disabling GLSL would help resolve that problem.  Because I used Play on LINUX to install Star Trek Online, this was relatively simple to disable - I selected the game, clicked edit options, picked advanced options, and then changed UseGLSL from Enabled to Disabled.

This fix worked, making the previously invisible character models visible again, but had the undesirable side effect of disabling reflections and various lighting effects, which reduced the quality of the textures in the game to almost the equivalent of "Low Graphics" mode.  I fiddled with various configurations and settings trying to get around this issue, but ultimately gave up.  I was now disappointed - my upgrade purchase had failed to provide the desired upgrade - speed was improved, but graphics were worse.

At this point I decided to turn to the bug reporting for ATI/AMD LINUX graphics drivers and found that I was not the only one experiencing these sorts of issues with a Radeon HD 5000 series graphics accelerator in more than a few video games.  I submitted a supporting comment that this was an existing issue and waited, hoping that AMD would respond with a fix before I was no longer able to return the graphics card to Newegg - my preferred tech vendor.  I also submitted this information to the Ubuntu forum thread that was discussing the same issue, and then waited patiently.

Last Friday morning, an update was posted by one of the AMD LINUX driver development team, stating, "We have fixed the issue, the fix will be included in future release."  I am now a very happy camper.

Working in the tech industry has made me a bit jaded, and I have come to expect customer support of any kind to not be at all helpful.  This attitude has driven my do-it-yourself attitude when it comes to computer related issues, but this was one issue that I had absolutely no control over.  It is deeply satisfying to know that the AMD LINUX Catalyst driver developers take the gaming community seriously, and are willing to work hard to address issues in a matter of a few weeks, not months.  Many kudos are deserved by the AMD LINUX Catalyst driver development team, and my thanks as well.

How to set up Postfix to send email on Ubuntu Server Lucid Lynx (10.04 LTS) when using a Dynamic IP address

I'm really not keen on writing this up, but considering the number of hours invested in figuring this out I thought that a) it would really suck if I had to figure out how to do it again and b) perhaps someone else out there might find it useful, thus improving my internet karma.  After all, it seems like there are a few people who have similar issues based on the searches I performed, although as it turned out, what I really needed to do was read the manual.

The main reason I'm not keen on writing this up is because there was a lot of suffering involved, and residual trauma.  This project is definitely not for the faint of heart.  It may involve days, weeks and possibly months of trial and error.  It could result in rectal bleeding.  I made up that last part, because I want to make sure you are paying attention.  I will not be held responsible for those who wish to follow me down this particular rabbit hole because it's filled with barbed wire, broken glass and landmines.

Okay, now that the proper mood of fear and tension has been established, let me start by strongly recommending that you check out the official Ubuntu documentation for setting up an email server (and by checking out I mean read thoroughly, then reread a few more times).  I am currently using a Postfix + Dovecot combination, but for the purposes of my personal sanity this article will be primarily focused on the Postfix section of configuration.  Potentially it is possible to add in spam filtering and antivirus checking, but before you delve down those paths you need to make sure the basic functionality of sending and receiving is working, otherwise you will drive yourself insane trying to troubleshoot problems.

Also, if you are hosting anything that would be considered an official production server, do yourself a favor and get a goddamned fixed IP address.  I'm running a test/play/hobby server, and I have a bit of a God complex when it comes to wanting complete control over my hosted websites and email, but I'm also a bit of a budget hound, consequently I do not have a fixed IP address or adequate bandwidth.  That presents special problems to my setup that are not normal in the email & web server realm - so if you are running a web server on a dedicated T1 or T3 internet backbone, you probably shouldn't be reading this article for support, or at least not applying it verbatim.

If you're a techy do-it-yourself kind of person, then this might just be what you are looking for.  This documentation assumes you have managed to get Dovecot + Postfix working in such a fashion so that your server receives mail and delivers it to the appropriate user account correctly, but fails to send messages created by those same accounts.  This documentation also assumes you have Ubuntu Lucid Lynx 10.04 LTS installed as the OS for your mail server.

Please bear in mind that I love Ubuntu, and normally their documentation is really helpful.  However, in the case of Postfix configuration, their support documents are a bit on the sparse side and seem to have been written for someone who is already well versed in the way Postfix works and the nature of how e-mail works in general, which can lead to a lot of confusion for someone who's learning as they go.

For example, on the Ubuntu howto page that walks you through setting up your Postfix /etc/postfix/main.cf file, no explanation is offered for why some commands begin with smtp and others begin with smtpd.  Let me quickly clarify the difference for you - smtp options are for when your server is behaving like a client and trying to authenticate to another server (in my case a relayhost), while the smtpd options are for when your server is behaving as the SMTP server while a client computer is trying to authenticate to it in order to send mail.  I will try to explain this in further detail below.

To start with, Dynamic DNS (for those of you not in the know) is a way to get around the typical requirement of a fixed IP address to make it easier for users on the internet to find your website, email address, FTP server, etc.  To get very basic - DNS is short for Domain Name System - a way to convert the numeric address of computers connected to the internet into easy to remember words such as "www.google.com" or "www.slashdot.org".  A DNS server of some kind somewhere, accessed by your computer and also connected to the internet, translates that easy-to-remember word or series of words into the numbers needed to locate the computer in question.  If you have basic DSL or Cable high speed internet, however, you are typically using a dynamic IP address for your connection - or in other words, your numeric address changes each time your high speed modem or router is reset.  Because this can happen for several different reasons, it can quickly become a big pain in the neck keeping your registered domain name associated to the correct numeric address.

Also, because email spammers typically deploy zombie computer systems that are connected to the internet by Cable or DSL high speed internet, internet service providers and email server administrators maintain a blacklist of known dynamic IP addresses to mitigate the spam and keep it under control.  That means if you have a dynamic IP address, and you are trying to send email from your server to someone who has a Yahoo account, Yahoo's servers will flag the email as spam and send it to the junk folder automatically because it originates from a known dynamic IP address.  MSN and Hotmail servers will automatically reject mail from a dynamic IP address and bounce it back to the sender.

So there are two issues to resolve here - first, a simple way to maintain and update a registered domain name with changes to the dynamic IP address needs to be set up for the server in question.  Second, the mail being sent from this server needs to originate from an address that is not going to be flagged as a potential source of spam by default.

To address the first problem I resolved my domain name with No-IP.com, a domain name registrar that specializes in dynamic DNS domains.  An alternative is DynDNS.com, although I found them to be more expensive than No-IP.  Both providers offer a free software utility that periodically checks your current assigned IP address with the address assigned to your domain name on their server.  If they are different, the software updates the address with the correct one.  No-IP has software that is compatible with LINUX, Mac and Windows, and Ubuntu also has a "no-ip" package in their Universe repository.  I assume that if you are an Ubuntu user and you are reading this, you already know how to enable the Universe repository and use the command line to install packages - sudo apt-get install noip2 will get you started.  You will need to create an account at No-IP.com for the software to authenticate to, and register a domain name (there are several free subdomain options available and full domain name registration is $15/year - though if you do a Google search for a coupon you might be able to get a discount on the first registration).  Once installed, you will need to stop the noip2 service with the command sudo /etc/init.d/noip2 stop, and you will then be able to configure the client with sudo noip2 -C, followed by sudo /etc/init.d/noip2 start to get the client running again.

When I first set up Postfix and Dovecot, my server used to be able to send mail using my local ISP as a relayhost for outgoing messages.  This stopped working due to two issues - I believe my ISP locked down my option to authenticate to their SMTP server as my relayhost, and I performed a distribution upgrade of Ubuntu that broke my original Postfix + Dovecot installation when newer versions of both programs were installed.  Based on my initial difficulty with getting them working again I gave up for a while and started relying on Google for sending mail, not an optimal solution.  After a while it became completely aggravating, especially because my Drupal based websites were unable to send email outside of the server, which made it impossible for users on certain sites to do basic things like password resets.

My frustration level reached the point where I tried out a professional web hosting service so that I wouldn't have to worry about configuring a mail server, which I was not keen on (because I was surrendering control over the hosting server and I absolutely hated their webmail interface after having grown rather fond of my Roundcube) and the final straw was when I realized I could not import my Fated to End Sometime's MySQL database because its size exceeded the provider's upload limit.  I'm sure I could have enlisted support's help in getting the database transferred but I hate to rely on support for that sort of thing.  Consequently I cancelled the service after only a week.  One caveat: this particular hosting provider offered a number of "free" add-ons for signing up, but deducted the value of those "free" add-ons from my refund, therefore a complete refund is probably not in the cards should you decide to try them out and want to cancel the service during their "full refund" period.  And that is all I will say about that.

So on a whim, I turned back to my domain name registrar, No-IP.com and took another look at their services, specifically in e-mail.  Lo and behold, I found they offered an alternate port SMTP service, which is aimed at users who have an ISP with port 25 locked down, but also came in handy for my needs.  For a mere $19.99 per year I can relay up to 150 messages per day through their SMTP server.  Please note that they will lock out any users who opt to take advantage of this service to send spam - this is a service intended solely for legitimate email use, and designed to help people like myself who are already taking advantage of their dynamic DNS resolving.  If I were to only send one email per day that breaks down to roughly 5¢ per email.  I can't really complain about that, and it's far less expensive than using a hosting provider.

When I went back and added their service into the Postfix configuration file as the relayhost, however, I found that messages were getting rejected due to no suitable mechanism found, according to the log files (/var/log/mail.warn & /var/log/mail.err are really helpful here).  My initial thought was that I was using an incorrect username/password combination, so I went back and rechecked everything and even recreated the password again just to be on the safe side.

So let's get to the nitty gritty here.  The Postfix SASL Howto helped me understand my Postfix configuration file and provided enough direction for me to get everything working (and a big thank you to Patrick Ben Koetter and the other contributors to this documentation).  To get this working correctly we need Cyrus SASL (Simple Authentication and Security Layer) to be set up correctly.  We also need working TLS (Transport Layer Security), which provides encryption for the connection from your server to the relayhost.  After all, you don't want your third party relayhost server account compromised by a man-in-the-middle attack that records your plain-text username and password and subverts them.  In No-IP's case, you will lose access to the alternate port SMTP service should they detect improper usage (and they will).  This sounds much harder than it really is - mainly it's a matter of understanding which configuration file does what and what software you need installed.

The error message I was getting was "SASL authentication failure: No worthy mechs found" in the log files, consequently I reviewed this portion of the Howto in order to resolve the problem.  So here are the steps I followed:

Reconfigure Postfix (sudo dpkg-reconfigure postfix) and follow the Ubuntu documentation on configuration.  I skipped the section on configuring the mailbox format for Maildir because I typically use Alpine to check email locally on the server while I am shelled into it.  Also take note of the message at the bottom of the guide - "Administering a Postfix server can be a very complicated task. At some point you may need to turn to the Ubuntu community for more experienced help."  See?  It's not just me saying this...

Now it's time to take a look at your Postfix configuration file (sudo nano /etc/postfix/main.cf or gksudo gedit /etc/postfix/main.cf or use your preferred text editor).  After following the Ubuntu documentation there will be smtp options interspersed with smtpd options (remember the difference?  for the purpose of this article pay attention to your smtp options).

If you don't already have a relayhost you will need to add one.  If you are using the default SMTP port (port 25) it should look like this (be sure to include the brackets):

relayhost = [mail.isp.example]

If you are using a service such as NoIP's alternate port SMTP, which uses port 3325, it should look like this:

relayhost = [mail.isp.example]:3325 (substitute 3325 with the correct port number for your SMTP relayhost)

You will also need the following entries:

smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

Go ahead and save /etc/postfix/main.cf at this point.  Create a new file (sudo nano /etc/postfix/sasl_passwd) and add the following information:

# destination                 credentials
[mail.isp.example]      username:password

If you specified your port number in the relayhost section of /etc/postfix/main.cf, you need to make sure you enter the destination in exactly the same way in /etc/postfix/sasl_passwd or it will not authenticate properly:

# Alternative form:
[mail.isp.example]:3325      username:password (again, substitute 3325 with the correct port number for your SMTP relayhost)

When you save and close this file, please make sure it is a root access only file (sudo chown root:root /etc/postfix/sasl_passwd) and also make it read/write only by owner (sudo chmod 600 /etc/postfix/sasl_passwd) to prevent unauthorized users from learning your SMTP relayhost username and password.  

Finally, you must create a hash of this file (sudo postmap /etc/postfix/sasl_passwd) so that Postfix can access this information when it attempts to connect to your relayhost server.  This is the reason for the smtp_sasl_password_maps entry in /etc/postfix/main.cf mentioned above.

Let's go back to the Postfix configuration file (sudo nano /etc/postfix/main.cf) and add the following:

smtp_sasl_security_options = noplaintext, noanonymous

We want this entry in there to ensure two things - first of all we don't want just anyone to be able to use our server to connect to the relayhost, so at the very least we need the noanonymous entry in there.  Only authenticated users will be able to send messages with this set.  Quoted straight from the Postfix SASL Howto documentation, "Always set at least the noanonymous option. Otherwise, the Postfix SMTP server can give strangers the same authorization as a properly-authenticated client."  This could lead to very bad things.  What bad things?  I'll leave that to your imagination.

(insert tongue into cheek)

The noplaintext option is to ensure the username and password are transmitted with encryption also.  This could potentially be a problem depending on your SMTP relayhost - in the case of NoIP the above should work just fine.  However it might be necessary to establish a TLS connection, and then submit credentials in plain text.  If that is the case, you can add the following line:

smtp_sasl_tls_security_options = noanonymous

So I followed pretty much everything that I've listed here, and was still getting the same error in my log files, which then directed me to notice one very small yet very critical line in the Postfix SASL Howto, "This same error message will also be logged when the libplain.so or liblogin.so modules are not installed in the /usr/lib/sasl2 directory."

Sure enough, these files were missing.  Here's the thing - what's misleading about the Ubuntu instructions for installing and configuring Postfix is that it tells you that Postfix supports both Cyrus SASL and Dovecot SASL, and then provides instructions for configuring Dovecot SASL.

What it does not tell you is that if you are planning on using the relayhost option, Postfix can ONLY use Cyrus SASL to authenticate to a remote SMTP server.  So - if you are missing these files, or you do not have SASL installed, I recommend performing a sudo apt-get install libsasl2-2 libsasl2-modules to correct the problem.
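
The steps above, tied together as an added example that is not part of the original post or of Postfix: a shell script that audits a main.cf-style file and its sasl_passwd map for the mistakes this walkthrough ran into (lookup key not matching relayhost, readable credentials, plaintext mechanisms without TLS).  The sample files and credentials are constructed, and smtp_tls_security_level = encrypt in the hardened sample is an assumption, since the post requires TLS but does not show the setting it used.

```shell
#!/bin/sh
# Added example: offline audit of the relayhost SASL settings discussed above.
# On a live server `postconf -n` is the authoritative view; this reads a
# main.cf-style file and ignores continuation lines and the legacy
# smtp_use_tls / smtp_enforce_tls switches.

# Print the last value assigned to parameter $2 in file $1 (empty if unset).
get_param() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 |
        sed 's/[[:space:]]*$//'
}

# Succeed if the comma/space separated list $1 contains option $2.
has_opt() {
    case " $(printf '%s' "$1" | tr ',' ' ') " in
        *" $2 "*) return 0 ;;
    esac
    return 1
}

# Print one finding per line for main.cf $1 and password map $2.
audit_relay() (
    cf=$1; map=$2
    relay=$(get_param "$cf" relayhost)
    opts=$(get_param "$cf" smtp_sasl_security_options)
    [ -n "$opts" ] || opts="noplaintext, noanonymous"   # Postfix default
    tls_opts=$(get_param "$cf" smtp_sasl_tls_security_options)
    [ -n "$tls_opts" ] || tls_opts=$opts                # defaults to the above
    level=$(get_param "$cf" smtp_tls_security_level)
    case "$level" in
        encrypt|dane-only|fingerprint|verify|secure) tls=mandatory ;;
        may|dane) tls=opportunistic ;;
        *) tls=off ;;
    esac

    [ -n "$relay" ] || echo "RELAY: relayhost is not set"
    [ "$(get_param "$cf" smtp_sasl_auth_enable)" = yes ] ||
        echo "AUTH: smtp_sasl_auth_enable is not yes"
    # The lookup key must match relayhost character for character.
    [ -z "$relay" ] || awk -v k="$relay" '$1 == k { f = 1 } END { exit !f }' "$map" ||
        echo "MAPKEY: no entry keyed exactly '$relay' in $map"
    # The source file and the postmap output both hold the password.
    for f in "$map" "$map.db"; do
        [ -e "$f" ] || continue
        [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] ||
            echo "PERMS: $f is accessible to group or other"
    done
    { has_opt "$opts" noanonymous && has_opt "$tls_opts" noanonymous; } ||
        echo "ANON: noanonymous missing from a SASL security option list"
    # Without noplaintext, PLAIN/LOGIN is allowed even when TLS was not negotiated.
    if ! has_opt "$opts" noplaintext && [ "$tls" != mandatory ]; then
        echo "CLEARTEXT: PLAIN/LOGIN may be sent over an unencrypted session"
    fi
    # The TLS-only relaxation does nothing when no TLS session can exist.
    if has_opt "$opts" noplaintext && ! has_opt "$tls_opts" noplaintext &&
        [ "$tls" = off ]; then
        echo "NOTLS: smtp_sasl_tls_security_options allows PLAIN/LOGIN but TLS is off"
    fi
)

# Write constructed sample files into directory $1 (placeholder credentials).
make_samples() {
    # Weak: key lacks the port, plaintext allowed everywhere, no TLS, mode 644.
    printf '%s\n' 'relayhost = [mail.isp.example]:3325' \
        'smtp_sasl_auth_enable = yes' \
        'smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd' \
        'smtp_sasl_security_options = noanonymous' > "$1/weak.cf"
    printf '%s\n' '[mail.isp.example] username:password' > "$1/weak_passwd"
    chmod 644 "$1/weak_passwd"
    # Hardened: the post's settings plus mandatory TLS (assumed), exact key, mode 600.
    printf '%s\n' 'relayhost = [mail.isp.example]:3325' \
        'smtp_sasl_auth_enable = yes' \
        'smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd' \
        'smtp_sasl_security_options = noplaintext, noanonymous' \
        'smtp_sasl_tls_security_options = noanonymous' \
        'smtp_tls_security_level = encrypt' > "$1/good.cf"
    printf '%s\n' '# destination credentials' \
        '[mail.isp.example]:3325 username:password' > "$1/good_passwd"
    chmod 600 "$1/good_passwd"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
echo "weak:";     audit_relay "$demo_dir/weak.cf" "$demo_dir/weak_passwd"
echo "hardened:"; audit_relay "$demo_dir/good.cf" "$demo_dir/good_passwd"
rm -rf "$demo_dir"
```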

A few more tricks I learned while trying to figure this out.  The mailq command will show you unsent messages that are waiting in queue, and they will typically have a failure message attached.  You can clear messages from queue using sudo postsuper -d <id> or all of them with sudo postsuper -d ALL.  Obviously check your various mail log files (/var/log/mail.log, mail.warn & mail.err).  Last but not least, I heartily recommend you take a look at fail2ban because you will likely start to notice the script-kiddies trying to access your mail server.

Okay, enough of this.  Good luck.  You'll need it.

In search of the ideal computer - a tech snob's quest for the best merging of components & software

So my birthday is coming up again, and I'm going to be 36.  For the life of me, I can't really think of anything I would really like for my birthday, except perhaps a new tattoo and/or new computer tech.  Lain (my desktop computer) is now approaching three years of age, which in today's world means she's reaching the end of her component life expectancy and compatibility range with new operating systems and software.  I predict Lain is going to stick around for at least a few more years before she is retired, possibly moving from the role of workstation to server (yes, I'm backwards in that I prefer my workstation to have more processing power and RAM than my server, but that's just how I roll).  

My other system, Miho (my MSI Wind netbook), has just been repaired after coffee was accidentally spilled on the keyboard by someone (cough cough) but is underpowered for my needs and the screen size (10.1" with 1024x600 resolution) is just a bit too on the small side.  I find my Droid phone tends to be more convenient as a portable computer than the Wind, even though it is not nearly as versatile.  I'm also not happy about the fact that the Wind is built on an Intel platform for various reasons, the biggest being that I do not feel that Intel is an ethical company by any stretch of the imagination.  Microsoft can be lumped into that category (unethical companies), along with nVidia.  I'm also not happy that the Wind repeatedly develops a noisy fan issue requiring me to crack it open and lubricate the CPU fan (sewing machine oil) every 30-60 days, so I'm considering selling it or possibly giving it to Willow, provided that she can show that she can take decent care of it.

That pretty much leaves AMD and VIA as my remaining manufacturer choices, and let's be blunt, VIA is not going to cut the mustard since they have left the standard motherboard market behind, and are now focusing on embedded technologies.  Their C7 processors (developed from technology formerly owned by Cyrix) are nowhere near what I am looking for in terms of processing power.

So AMD it is, not just for processor, but also for motherboard northbridge and graphics accelerator, now that the ATI brand has been discontinued (ATI graphics are now to be known as AMD graphics), and unlike some I do not have a problem with this.

In the processor manufacturer world, AMD is an underdog, but not only that, it's the best underdog to root for.  They may not have the fastest tech at the moment, at least compared to Intel's i7 product line, but they do have (and have always had) the best bang for the buck, and as a father of four that counts for quite a lot.  They are not perfect - AMD has released some real questionable products in the past such as the K-6-3 series and the socket 462 Athlons and I feel as though I have been waiting forever for the CPU/GPU combination chip, but by the same token, I don't feel as though I'm helping to fund a bunch of gangsters when I buy their brand.  Most of the time their products really shine.

AMD is also currently the only significant competitor in the graphics accelerator market versus nVidia upon their acquisition of the ATI company.  

nVidia permanently earned my hatred upon purchasing and then dissolving the 3dfx company, makers of the famous Voodoo series of graphics cards. nVidia has regularly produced some of the fastest recognized products for gaming on the PC.  I have found their products tend to be sub-par in quality, tend to overheat, tend to be unreliable, and particularly in their motherboard chipsets - are a big pain in the neck.  I have nothing nice to say about nVidia, so I will leave it at that.

To be fair, Intel makes a solid product.  However, they have been known to forcibly restrict their product because it is aimed at a lower pricepoint, even when it unexpectedly outperforms their top-tier products.  In terms of failure rate and instability - Intel processors and motherboard chipsets are very reliable.  Intel also contributes open source drivers for its product lines, which usually makes it much easier to run LINUX on their hardware.  My biggest beef with Intel is that I do not like how they do business - take a look at the Vista fiasco with Microsoft for an example.   Several other similar business decisions show that Intel's primary goal is to make money, and they will gleefully sacrifice their customers' satisfaction whilst in that pursuit.

So to sum up - I only want AMD processors, motherboard chipsets and graphics accelerators in my systems.  The problem with this is that most major manufacturers prefer Intel and nVidia.  Maybe I'm being perverse - but I feel wrong when I use their products.  I wait for bad things to start cropping up in my computers.  I notice a glitch and start obsessing over what might have caused it, and when it is undoubtedly going to happen again.

Because of this obsession I cannot purchase an Apple computer - at least not for myself.  I may at some point in the future purchase a family iMac if only so that it would be one less system that I would need to actively maintain - Apples tend to be rather secure and don't require a lot of hoops to be jumped through in order to make things work.  If Apple was to start offering systems with AMD processors, AMD motherboard chipsets and AMD graphics cards (they used to offer ATI cards in their systems) I would purchase one for myself in a heartbeat.  Sadly they presently all use Intel and nVidia technology.  I just can't do it.  I'm also not okay with the Foxconn suicides, although that seems to fall along the iPhone and iPad line of product.

If Apple can't build my computer of choice, then quite frankly, I don't want anyone else to.  I've been fixing computers for well over a decade now, and I have had too much hands-on time with poorly designed, poorly executed systems with insufficient power supply wattage, sub-par components and every other imaginable corner cut in order to increase the vendor's margin.  I will not willingly purchase a Dell, HP, Gateway, Acer, Compaq, E-Machines, Lenovo, Sony, Toshiba, Averatec, MSi, Asus, Alienware, iBuyPower, VoodooPC, Commodore or a computer built by any other manufacturer, unless they can provide for me the make and model of every individual component contained within.  I would rather build my own.

However, if I am in the market for a laptop, building my own will cost me two to three times as much as a pre-built system.  Barebones laptops are very difficult to find, and are usually priced within $100 of a complete laptop, even though the complete laptop includes a hard drive, RAM, optical drive and Windows license (tallying up to well more than $100 when purchased separately).  If laptops were standardized, perhaps this wouldn't be the case.  My alternative option would be to build my own laptop from scratch, which would entail soldering, crazy wiring, crafting a working case and the use of an embedded processor/motherboard combo, of which there are few available that support AMD (and I presently do not have the tools or know-how necessary to complete such a project).   So presently I'm stuck looking at laptops starting at around $999.00, because of the above listed manufacturers only Asus currently makes laptops with AMD processors, and only Asus (in my experience) consistently (but not always) makes a better product than most other manufacturers.  I'm on the fence with Asus, however - they've made shady looking partnerships with Intel and Microsoft in the past, which is worrisome.  I've also run into very bizarre issues with their low-end products (price-wise) that can be impossible to resolve.  I'm also on the fence with MSi thanks to headaches with my Wind netbook and weird issues with some of their other products.

But it gets worse - let's say I opt to not go the notebook route (which is a shame because I am really interested in a desktop replacement notebook computer) and would rather just build a new PC instead.  While I will save a lot as compared to the laptop purchase, I am still running into problems of branding.  Because of various issues I have dealt with while repairing computers I no longer trust the following motherboard manufacturers: Foxconn, Elite Group/ECS, Biostar, AsRock, Gigabyte, EVGA, Sapphire and I am on the fence with Jetway, MSi and Asus.

I also no longer trust the following video card manufacturers that produce ATI/AMD video cards: HIS, XFX, VisionTek, PowerColor, Biostar, Diamond, Gigabyte, Jaton Corporation or MSi - reducing my brand choices to ASUS (still on the fence) or Sapphire.

I no longer trust the following hard drive manufacturers: Hitachi, Seagate, Samsung, or IBM.  I no longer trust RAM from any manufacturer except Crucial.  I no longer trust power supplies from any manufacturers except Seasonic, Ultra or ThermalTake, nor do I trust power supplies that are included with any computer case, regardless of their brand or wattage rating.

I have become paranoid about buying computer parts.  And the worst part is I can't seem to find the parts I want, from the manufacturers I trust, at the price I can afford.  It is starting to drive me nuts.

At this point in the game my only reasonable path is to upgrade Lain with a reasonably priced motherboard + CPU + RAM + video card bundle.  But I am wracked with indecision about what to purchase.  I would like a faster processor with at least one additional core, preferably close to or above 3GHz.  I would like a motherboard with an AMD northbridge.  I would like a nice graphics accelerator of the Radeon 5670 or 5770 series, preferably with 1GB of VRAM.  If I do not want to replace my case I will need to stick with a microATX form factor.  But as far as which brand to go with...I'm still at a bit of a loss.

It can really suck to be so picky.  I also realize I'm now at risk of being labeled an AMD fan-boy (but I can live with that).  I know that if I take the time to be so picky, the end result will be a much better experience than if I just purchase whatever I can afford and hope for the best.  This is why I have stopped using Microsoft products, and to be blunt, it can't just stop there.  To use LINUX means to be picky.  To make LINUX run properly means not settling for the cheapest components.  It means being patient, doing your research, and to a certain extent, trusting your instincts.  To me, the computer is more than just a basic tool - it's the gateway to the world of information that is now available to everyone - provided their systems work correctly.  I am willing to do what it takes to build the best system possible to achieve this.

On bufferbloat and my attempts to mitigate network & internet latency from Hell

I need to start with the caveat that I am not a networking expert by any stretch of the imagination, nor am I a LINUX expert, nor anything beyond a PC expert (if that) and consequently the information contained within this article could be wrong, misleading and potentially cause problems should you decide to follow in my footsteps.  I myself was reluctant to tinker with any of these settings until it became clear that my ISP is not able to immediately resolve my connectivity issues, nor can they provide me with a clear ETR.  Regardless, through my endeavors I have seen some performance improvements, but there are still problems.  To give you an indication, it's been a few days that I've been working on this post, partly due to access to my website being periodically cut off throughout the day as a result of these issues.

What I am is a fairly active computer user.  I am not a "power user" - I don't download torrents 24 hours a day, and I don't host a video server with an open portal to the internet.  I absolutely don't engage in Peer-to-Peer file sharing.  I download what I need at will, but not like a crazy hoarder of all things digital, preparing for the Ragnarok of the Internet to begin.  Oddly enough, it may already be here, and we're all just starting to notice it.

My ISP is a local family owned provider, which is pretty much my ISP of choice ever since I can remember.  I did briefly experience the perils of corporation-provided broadband service in the form of COX Digital Cable internet while we lived in New Orleans, but their support team left a lot to be desired.  I tend to prefer local owned business for anything because I happen to like being treated like a real person, and not just a replaceable statistic.  As it is CenturyLink has been continuing to overbill me on my telephone service for seven months now, despite my attempts to get them to correct the problem, and if there was a local alternative I would drop them in a heartbeat.  

But that's another story, even though CenturyLink owns the telephone lines my service is transferred over.

Starting sometime during the Christmas holiday, I began experiencing severe connectivity issues.  I would not lose service, but latency would spike up to something ridiculous, sometimes as high as 1500ms on a ping test to www.google.com, and also during these periods the same test would result in up to 25% packet loss.  While it was possible to surf the web (as long as I was willing to wait up to five minutes for a page to load, with multiple refreshes in my browser as it kept timing out - I would classify this as painfully surfing the web) it was not possible to stream video or connect to online gaming servers such as Star Trek Online.  I've spent enough time on help desk to know that sometimes this is just the DSL modem or router building up issues, so I reset both, and found the problem continued to persist after they came back up.  This is unusual - power cycling equipment at the site experiencing connectivity issues will typically clear up connectivity issues almost immediately.

For those of you unfamiliar with this process, the best way to power cycle your equipment (assuming you have a high speed DSL or Cable modem and a router) is to remove the power cords from both devices, wait at least 10 seconds, plug in the high speed modem first, wait for the lights to stop blinking and stabilize (verify a light is present for your service type - bear in mind not all modems will have this indicator), and then plug in your router and give the network about 1-2 minutes to come back online.  In cases of a service outage it may take longer to reconnect - and if you are unable to do so after trying these steps it is probably worth calling your ISP to see if there is an outage in your region.

In my case, however, service was immediately restored yet continued to have high latency and packet drops.  This continued from about 8:00pm until 11:00pm and then went away.  I presumed the issue was somewhere on the ISP end and decided to not worry about it, figuring that the problem had cleared up because they had resolved it.  It is never safe to assume.

This problem returned the following night, and almost every night since.  It also began cropping up in the middle of the day at various intervals, would persist for an hour or two, and then clear up.  I started to notice a pattern, and submitted a ticket to my ISP for support but their initial response was that my router might be going bad and should be replaced.  They claimed their tests showed the connection remained steady to the DSL modem, and since the router was my own equipment it therefore was my own responsibility to resolve.  I had been using a D-Link wireless router, but I acquired a Linksys BFE series and decided to give that a shot and see what happened.

Not entirely to my surprise, the next evening yielded the same performance issues.  I had expected this result even with a different router because the issues seemed to crop up intermittently, yet almost during the same time frame each night. My hypothesis at this point was that even though my DSL line is supposed to be a dedicated, constant connection - the network was overburdened during these hours due to an increase in heavy traffic, most likely due to an increase in Netflix and Hulu subscribers taking advantage of video on demand streaming services that are now being offered with modern television systems and in add-on set-top boxes.  There is a clear shift away from cable television and toward these on-demand type services, and consequently there is a conflict of interest with many major ISPs who own these lines.  

CenturyLink, Time Warner, Cox, Comcast and others all offer digital subscriber television service that is now in direct competition with Netflix, Hulu, YouTube and others.  CenturyLink, Time Warner, Cox & Comcast also offer the internet service that provides access to Netflix, Hulu, YouTube and others.  From a financial perspective, it is in their best interest to restrict access to internet based video streaming services for two reasons: 1) it will prevent the loss of subscribers to their digital television services and 2) it will reduce the overhead of keeping their internet service operational for their customers.  Whether these companies are actively engaging in restricting traffic (look up Net Neutrality for more details, this article is about bufferbloat mitigation for now) is open to debate.  

My point is that ISPs may have reached the point where they now need to make a choice: either invest in infrastructure that will support this new demand, or else begin restricting traffic for their subscribers.  The reason they need to make this choice is an increase in video streaming, combined with an increase in new systems - the iPad has seen tremendous success and the Windows 7 operating system is now at over 20% market share.  I predict most ISPs will go with the second option (restricting traffic) because it is the easiest, fastest and least expensive solution to implement, in the short term.  What these ISPs may not understand, however, is that their customers will drop them given half a chance and switch over to another provider that does not restrict traffic, should such a thing happen.  The number one rule to remember is that taking away something from your customers will result in their loss of loyalty to your brand.

To get back on topic, this problem had now been present for over a week and a half, and based on my limited dialog with my ISP thus far two things had become apparent - I was not the only customer suffering with this issue, and they did not seem to have any idea what the source of the problem was or how to resolve it.  Since that communication I have only one additional response from my ISP indicating that they had a plan to resolve the issue, and would call me when it is repaired.  

During this, I came across an article on Slashdot pertaining to bufferbloat, which was a term I had never heard before.  But it seemed to coincide with what I was experiencing - and pointed back toward my network as a potential culprit in this bandwidth issue.  Wireless connectivity was also a potential culprit, though for the time being I have eliminated that from my network entirely and still experience trouble.

Jim Gettys, the author of the above bufferbloat article and others, indicates that the problem can't be assigned to one source.  This is a problem at the ISP level, but also present in the equipment being used at the sites in question.  The problem is due to a decrease in the price of RAM, and the mistaken idea that adding RAM to high speed modems, routers, switches and various other networking equipment will make them perform better.  In reality it allows these devices to have massive buffers, which can cause many of these issues I have been describing. The problem is also present in modern operating systems that automatically scale the size of the buffer used to transfer network data by using available RAM, and since most modern computer systems have plenty to spare, these buffers can easily become enormous.

Think of buffers in terms of markets, versus supermarkets, versus Super Walmart.  Markets would be roughly the equivalent of hardware and systems from eight to ten years ago, with limited options but to this day they are still efficient in how they handle their customers at the cash register.  If you do not have an old-fashioned market available to you where you live, you might compare them to what is now Walgreens or CVS - there are only a few registers and cashiers, and yet when you shop and then check out your total time in the store rarely exceeds fifteen minutes.

Supermarkets have more choices, and therefore attract more customers.  To handle the additional customers most supermarkets use several checkout lanes, but only keep those lanes occupied by cashiers during periods of high traffic.  They also provide "fast checkout" lanes for customers who are only purchasing a few items.  Even with this attempt to mitigate the increased traffic, it is common for a shopping trip to a supermarket to take thirty minutes or more.  Part of this is due to the size of the store - it is bigger so it takes longer to find what you are looking for.  Part of this is also due to the increased number of items purchased - due to the length of time it takes to travel to a supermarket and the time it takes to find what you want, people tend to purchase more of what they need in order to reduce the number of trips they need to make.  Part of this is also due to the customer's perception of which line will be the fastest, which can easily prove to be incorrect when the customer ahead of them throws a temper tantrum about not being able to double up the 10 cent coupons on their ice cream and demands a manager intervene, therefore holding up the line.

Super Walmart takes all of the above, and multiplies it a few times in terms of scope.  Now your shopping trip takes an hour or more.  People mistake Super Walmart as being convenient because everything they "need" is in one place, but do not realize that a few short trips to different small markets would actually take less time, and probably cause less stress as well.  Financial savings (obviously) are another concern, but that does not really fall into the scope of this analogy.

So applying the analogy above, think of the buffer size or RAM size as the size of the store you are shopping at.  Think of the checkout lanes as the queue.  Think of the amount of product in your shopping cart as the size of your data packets.  Now we should be starting to get a clearer picture of what may be going on.

To attempt to mitigate this problem I started with my router.  If I had a DSL modem set to routing mode I would start there, but because it is in bridge mode (and therefore a pass-through gateway only) I did not think I needed to make any adjustments there.  The first stop in my router's setup is on the main configuration page, and specifically the MTU setting.    Because my router connects to my ISP using PPPoE I specify a Manual MTU of 1492 (which is the recommended size for PPPoE connections).  This was already set up correctly, so I then switched to the Applications & Gaming section.  If your MTU is set to Automatic, however, this could potentially be one problem point with your internet connection, and you should contact your ISP to find out what they recommend you specify based on your internet connection.  Generally the MTU size should be no smaller than 576, and generally (for home internet connections) should not exceed 1500.  Leaving this to automatic SHOULD not allow the size to grow above 1500, but as stated above, this may no longer be the case.  

For those of you not in IT, the word "should" is the most heavily used word by IT professionals, referring to how some sort of tech has been designed.  For various reasons, such as equipment failure, improper voltages, strange bugs and other things too numerous to mention, tech does not always work as designed.  "Should" is our mantra, our caveat and our legalese.  If you hear the word "should" uttered by an IT professional, you ought to assume that things may not go as expected, and take steps to prevent a total disaster.

The next step was to configure QoS, which was not an option on the D-Link wireless router (most likely due to the fact that the latest firmware available from D-Link for this router dates back to 2007), but blessedly became available with the 2009 firmware update that I had installed while configuring the router for my network.  During my initial testing at Speedtest.net I had noticed that while my download speed would range from 0.10Mbps up to my rated 1.5Mbps, my upload speed would consistently be over 0.412Mbps, which was higher than the amount allocated by my service (I have not yet verified this with my ISP but according to their website my tier should have a maximum upload speed of 0.384Mbps).

Overloaded upstream was one of the potential sources of trouble as hinted by Jim Gettys on his blog, so I specified my upload speed accordingly to 384Kbps (0.384Mbps) in this section.  I also changed the download speed on each of the four ports to the lowest possible setting (256Kbps) even though only three ports are being actively used  (I will need to alter this since port one of the router is now being shared with three separate devices via an old network hub I had lying around and port four is currently not attached to anything).  I gave SSH high priority and HTTP medium priority, and left the rest of the applications listed at low priority.

My next step was to replace my network switch (being the newest network technology still in use at that point) with an old network hub.  It had long been my belief that switches were superior to hubs in that they used intelligent traffic management and sent traffic directly to where it was intended, whereas a hub will attempt to communicate with each device connected to it until it finds the correct one.  The truth of this statement is that in a large scale network, a switch is more efficient, but in a small network like the one in my home, the hub proves to be more efficient in this task.  Replacing the switch removed a potential contributor toward buffer bloat and visibly (although minutely) decreased the latency on my home network.

Networking equipment had been replaced and better configured, so I turned to my systems attached to the network.  One might think that the router should be able to manage and shape all the traffic on the network, but I found that little improvement to my network's health had been made, and during the intermittent periods of latency my systems were effectively crippled as far as the internet was concerned.  So it was time to see what else was contributing to bufferbloat.

As it turns out, Windows XP has (this may not be a 100% accurate figure) a default MTU size of 1480 specified on network adapters.  Windows Vista, Windows 7, OSX and modern releases of LINUX do not have MTU sizes specified.  I have a LINUX server (upon which this website resides) and a LINUX desktop system (and also a LINUX netbook that has been temporarily disabled thanks to coffee spilled on the keyboard...grr...), but the other computers in the house run Windows XP (Brigitte's laptop and the "family" computer now shared by the kids).  We also have a Playstation 3 that we like to use to watch Netflix streaming movies, which is running a proprietary "modern" OS that also does not specify MTU size by default.

Specifying MTU on the Playstation 3 and Ubuntu desktop was a fairly simple process.  On the Playstation 3, navigate to the Network configuration section, choose manual configuration, and then continue through the menus until you reach MTU - switch it from auto to manual and then set your preferred value.  I opted to go with an MTU of 1480 to coincide with the XP systems already on my network.

On my Ubuntu desktop, I right-clicked on the tray icon for my network connection on the top-right portion of the screen and selected Network Configuration.  I then selected the IPv4 tab and selected my NIC from the menu.  I immediately had an option to place a checkmark into a box next to MTU and specify 1480 in the box directly next to it.

My Ubuntu server does not have a monitor, mouse or keyboard because I only access it remotely - it only has a power cord and a CAT5 cable connecting it to the network hub.  From my desktop I accessed my primary account with gterm + ssh and used sudo to open /etc/network/interfaces so I could add the following line to the stanza for eth0:

post-up ip link set dev eth0 mtu 1480

You would want to change eth0 to your network adapter as necessary.  I then reset the network adapter with the following command:

sudo /etc/init.d/networking restart
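
To check which MTU actually gets through unfragmented from a Linux system, rather than trusting the configured value, the search below probes the 576 to 1500 range mentioned earlier with Don't Fragment pings.  This is an added example, not part of the original post; the function names are my own, and it assumes the iputils ping found on Ubuntu and a target that answers ICMP echo.

```shell
#!/bin/sh
# Added example: find the largest MTU that reaches a host without fragmentation.
# Search bounds follow the post: no smaller than 576, no larger than 1500.

IP_ICMP_OVERHEAD=28   # 20-byte IPv4 header + 8-byte ICMP echo header

# Default probe: one echo request with Don't Fragment set (iputils ping).
# $1 = host, $2 = ICMP payload size in bytes.  Exit status 0 means it fit.
probe_ping() {
    ping -c 1 -W 2 -M do -s "$2" "$1" >/dev/null 2>&1
}

# find_path_mtu HOST [PROBE_FUNCTION]
# Binary-searches 576..1500 and prints the largest MTU whose probe succeeded.
# Returns 1 if even the 576-byte floor does not get through (host down or
# ICMP filtered), in which case no conclusion about the MTU can be drawn.
# PROBE_FUNCTION is a hypothetical hook so the search can be exercised offline.
find_path_mtu() {
    host=$1
    probe=${2:-probe_ping}
    lo=576
    hi=1500

    "$probe" "$host" $((lo - IP_ICMP_OVERHEAD)) || return 1

    # Invariant: an MTU of $lo is known to pass; anything above $hi fails.
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if "$probe" "$host" $((mid - IP_ICMP_OVERHEAD)); then
            lo=$mid
        else
            hi=$((mid - 1))
        fi
    done
    echo "$lo"
}

# Usage (192.0.2.1 is a documentation placeholder, substitute a real host):
#   find_path_mtu 192.0.2.1
```

If the result is lower than the MTU set on the adapter, full-size packets are being fragmented or dropped somewhere along the path.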

Strangely I saw more impact after restricting my systems than after reconfiguring my router.  Unfortunately this only lessened the effects of the severe latency, which continues to plague me to this day.  While my ISP assures me they are working on the issue and will contact me when it is resolved, the fact that this has been a problem for longer than two weeks is worrisome, and I wonder if I might be forced to find another provider for my internet service to ultimately resolve this once and for all.  But for those of you who were curious what this means - while suffering extreme latency it is now possible to stream video on one system on the network, with occasional buffering, but not more than one.  It is possible to play Star Trek Online on one system, so long as I don't mind periodic lag and nobody is engaging in video streaming on another system at the same time.  While not perfect, it IS an improvement, and I hope it will be more of an impact on my network's overall performance once the latency issues are resolved.

I am also interested in changing my router to one that would support OpenWRT + Gargoyle, which would then give me a finer level of control over network traffic.  While I might re-purpose a spare PC to fill that role, I would rather use new equipment to prevent weird issues cropping up as a result of aging and failing components.
