Deus ex machina

Making stereo photos with the Viewmaster Mark II

2011-08-05T06:42:00.000-07:00

In 2010, I bought a Viewmaster Mark II camera in a store in Munich. In New Zealand I had never seen one for sale. They seem fairly common in Germany although not cheap - I paid 169€ but the camera was basically mint (but no ERC or manual).

Naturally, the staff immediately brought out another Mark II, at a cheaper price, moments after I left the store.

I think I've made every mistake possible so far in the production of my own viewmaster reels. I'm blogging this so that I have my own reference and perhaps I can save others from the same hassles.

My Viewmaster "Mark II" from the 1960s

I put the first roll of film through the camera last year soon after buying it, although it does take time to shoot 72 photos. The image itself is a quarter of the standard size, but you're taking two photos each time, so you get 72 scenes on a 36 exposure film.

The VM Mk II requires an exposure value (EV) of 8 to 15 to be set, rather than adjusting aperture and speed. Although I collect cameras, I've never used a camera that was only set with EV.

After reading on the internet an explanation about the extra colour dials on the front of the camera, I completely abandoned the idea of adjusting those because I couldn't get my head around them. A manual would help.

My initial problem was to take accurate EV readings. My trusty Western light meter was tiring and no longer so trustworthy. Luckily a friend by complete chance had an electronic meter that actually gave EV readings. I was kind of surprised to find an electronic meter that gave EV readings because I thought the idea was arcane. He works in the film industry, I'm not sure if it's still relevant there. Movie cameras shoot at a constant rate, so aperture is the only possible adjustment.

So armed, with meter and camera, I got off a first roll that actually wasn't so bad. I could see the shots improve dramatically from the point that I obtained the electronic exposure meter. The next step was to mount them.

Something I hadn't considered, but the same friend who lent me the lightmeter pointed out that I should specify that the film should not be cut at processing time. So far I haven't forgotten to do that; it would be a disaster if the lab ignored the instructions.

The cost of original empty discs left me reeling (geddit?), so I bought some of the REEL Master 3D Mounts available at 3dstereo.com. 3dstereo.com are really helpful. Don't be afraid to ask them a question before buying something if you're unsure on some point about a product. I'm not affiliated with them in any way, so consider this a genuine endorsement.

My "Model E" viewer from the 1950s

I picked up an old viewer for 7€ on eBay from a seller just down the road in Austria.

My real problems started when I tried to mount the shots. I didn't have a cutter. Imagine me, with a small pair of scissors, cursing away as I tried to cut those little blighters out of the film. For the record, the blighters are actually known as "chips". I didn't know how to cut them for mounting, I scratched other shots in the process and by the time I'd mounted some with a very hairy gluestick the results could be generously described as artistically rusticated with a false patina.

Certainly, the 3D affect was the least noticeable characteristic. At that point I also discovered the hopelessness of photographing things within 5 meters. Plants in particular gave the oddest effect in that range. I subsequently discovered that was because I had mounted them the wrong way around and I was to make about 10 reels before I discovered this mistake. Now things look fine close up.

After the scissor disaster, I was resigned to buying a cutter. Had I known in the beginning, how difficult to find and how expensive a cutter was, I may very well never have embarked upon the enterprise and left the camera on the shop shelf.

I started to blindly bid on Viewmaster cutters on eBay. I nearly won a couple, but the auctions were sniped in the dying seconds at outrageous prices (always more than the camera cost me). Sniped as I was, I unwittingly dodged a bullet because I didn't realise that Viewmaster cutters were not all the same. I needed the right cutter for the camera. I discovered this by chance while looking up some other matter related to Viewmaster.

Disheartened, I shelved the project, but continued to finish the second roll of film in the camera. The goal of not only buying a cutter in my price range but also finding one for the Mark II seemed almost impossible.

After a three month hiatus, the project was reanimated. The networking company that I work for has an interest in 3D TV technology and a Sensavis rep from The Netherlands presented 3D TV working without glasses. It was the touchpaper and I found myself once again trawling eBay for the right cutter.

I did find one, the right one, from a German seller. It cost about 140€ (including shipping) and it functions!

Below: The cutter in use. Note the holes in the film to the left where the images have been cut out. One of the chips is lying in front of the cutter. To the left you can also see the cardboard mounts that the chips are glued into.

Below: Looking from the top, you can see the two images before they are guillotined out of the film. There is a backlight to help see the picture. I really need to get a good magnifying glass because it is very hard to guage the quality of the image until you get it mounted.

It wasn't until I bought some original "Personal View Mounts" that I realised I was mounting the pictures back to front. There is only one way to mount the chips into the original mounts. The downside to the original mounts is that they are hideously expensive. You also need to buy a "Pocket Expanding Tool" available at 3dstereo.com.

Here's how they should be mounted. When the camera takes a picture it creates a notch as part of the image to indicate which chip is left and right. When the cutter cuts out the chip, you're left with an unexposed black strip on the same side as the angular or circular notch. It's hard to see in the photo, but the side with the black strip should go to the outer. My mistake was to put the notch side to the inner. Notice also that the chips (left of image) all have one corner nibbled of.

"Reel Master 3D mounts" available from 3dstereo.com

Tips for mounting chips into the "Reel Master 3D" mounts

Before doing anything, check that the mount windows have been cut out properly - check for chads and hairs.
Use tweezers to drop the chip. Be careful not to scratch the chip. Use something soft, like a cotton bud to press down the image. The downside to a cotton bud is that you can get hairs caught in the image.
Chips go in with the notch on the outer side of the reel.
Butt the inner edge of the chip as close to the window edge as possible unless the subject is quite close. If the subject is close, it's my experience that you need to achieve symmetry in the left and right image.
Watch out that you don't have gaps at the inner corners between the card and the chip. This is very distracting when you view the image.
Use a liquid (fast setting) glue on the outer edge only when placing the chip. Do not apply glue close to the window because it will spread out to the image itself, which looks horrible and can't be undone. With this technique you have a chance to move the chip a little after it is placed. You don't need a lot of glue to stick the chip, because after you seal the two cards together the chips will be firmly in place.
Use gluestick on the other side. I found that liquid glue works, but gluestick seemed to be easier and increased the thickness of the reel. My old viewer has trouble pulling through reels that are stuck down with liquid glue. To clarify, use liquid glue on the chips and then gluestick to glue the two cardboard halves together.
Don't get carried away with the gluestick, just make sure that you get the outer edges and the inner circle. Don't get any glue near the windows!

Tips for Personal Mounts

Push the pocket expanding tool evenly into the window. Make sure you're not favouring one side.
Push the pocket expanding tool right to the end of the window.
Insert the chip with tweezers.
Push the chip right to the end of the window.
The pocket expanding tool is a bit flimsy, be careful that you don't bend the metal at the point where it meets the handle.

In all cases, check the finished product for hairs. Although the film is sensitive to moisture, you can gently huff on the images and clean them up with a cotton bud if necessary. Again, a cotton bud is sub-optimal because it can leave hairs behind, pull them off with tweezers.

Our trip to Munich's Botanic Gardens

How to spend an afternoon in Munich

2011-07-21T23:44:00.000-07:00

Taxi

Expect to pay 15-25€ to get from your hotel into the centre of Munich by taxi. That's a complete guess by the way. That's OK if you share the cab. A taxi will be faster in the long run, I'd recommend it to maximize your time in Munich central.

Public Transport

Buy either a group ticket or single day tickets. Typically you will stay in "zone 1" if you are seeing the normal Munich sites.

The group ticket is cheaper if you want to travel all at the same time to the same places. A single ticket in zone 1 costs 2.50€ and a group ticket "Partner-Tageskarte" costs 9,80€ and 5 can all travel (together) on that one ticket.

From Hauptbahnhof (central station), you change to the S-Bahn (look for the green Ssymbol). When you get the platform you can jump on any train, just make sure you're on the platform that goes in the direction of Marienplatz (or wherever you want to end up).

http://www.mvv-muenchen.de/web4archiv/objects/download/netz11a4englisch.pdf

Suggestions

A) Start at Marienplatz, Munich's most famous square and very picturesque with the New Rathaus in Neo Gothic style. Check out the dragon climbing the wall on the left front corner.

B) Behind you, you can see the tower of St Peters church. Go climb it, at 1.50€ it's the cheapest thing you can do in Munich and the view is outstanding if the weather is clear.

Inside St. Peters you'll find a very well dressed skeleton in a display case. As a New Zealander it was really weird to find such a thing, but now that we've been in Europe for a while it seems pretty run-of-the-mill. It doesn't cost to go in.

C) Not far from St. Peter's you'll find Viktualienmarkt, with lots of stalls with interesting foods.

D) If you like Museums then head around to the Stadtmuseum. They might have something on to interest you. Check out the special exhibitions page here, put it into google translate, there's no English version:

http://www.stadtmuseum-online.de/aktuell/index.htm

While you're there, you'll also see the rather strange and interesting Jewish Museum. You might want to go in but for me the building itself is more interesting than the contents.

E) Time for some shopping! Head to Kaufingerstrasse. It's a mixture of stores for the common man and stores for the common elite.

F) While you're near, you should check out Frauenkirche. Of course, this is Munich's icon on the skyline. You won't spend long inside.

G) Keep moving, there's still shopping to be done! Head up Kaufingerstrasse to Karlsplatz. If you're a real Munchner you don't call it Karlsplatz, because nobody liked the guy it was named after. We call it "Stachus" after a pub; we do love to drink.

Wikipedia says of Stachus: Most important buildings dominating the square are on the east side the Karlstor, a gothic gate of the demolished medieval fortification and the rondell buildings on both sides next to the gate (constructed by Gabriel von Seidl 1899-1902). In front of the Karlstor, which was first documented in 1301 and called Neuhauser Tor until 1791, is during the summer period a big fountain. In winter an open-air ice rink is installed there. The most significant buildings on the opposite west side are the neo-baroque Justizpalast

(Palace of Justice) and the Kaufhof, the first postwar department store of Munich (by Theo Pabst, 1950/1951).

Here you can deviate from the tour. If you want to go see some galaries and museums then catch the number 27 tram (Petuelring) from here to the Pinakotheken stop. The Neue Pinakothek, Alte Pinakothek, Modern and the Brandhorst Museum are all close by.

View Larger Map

H) If you aren't already sick of churches you should definitely head up to Theatinerkirche. This is my favourite Church in Munich. Built from 1663 to 1690 in Italian high-Baroque style.

http://en.wikipedia.org/wiki/Theatine_Church,_Munich

I/J) Across from Theatinerkirche is the Residenz and Hofgarten. The Residence is to the right and around the corner, the Hofgarten entrance faces Theatinerkirche. If you like bling, check out the Residenz Schatzkammer (treasury) this is something else. There's some beautiful items dating back to as early as the 12th century.

http://www.residenz-muenchen.de/deutsch/skammer/index.htm

K) You've done well to get this far. It's time for dinner and a well

earned beer. If the weather is good, make the effort to walk 20 minutes

up to the Chinese Tower beer garden. Make sure you have a map, the place

is hard to find if you're as navigationally challenged as I am. If

you're in Munich you have to visit at least one beer garden.

If the weather is a bit rubbish, walk back to Marienplatz, where you started and find the Ratskeller restaurant. The entrance is hard to spot. It's actually underneath the neo gothic Rathaus that you started at. Look for the U-Bahn exit, the Ratskeller entrance is a few metres away from that.

View Larger Map

Permit samba to follow symbolic links to an unshared mount

2011-03-13T07:05:00.000-07:00

I'm posting this because if you google for the answer you end up getting out of date answers and the wrong commands.

What I wanted to do was simply make a symbolic link from my samba shared directory /storage to /home.

server:/storage# ls -l /storage/
lrwxrwxrwx 1 root root 5 Mar 13 14:14 home -> /home
drwxr-x--- 4 michael users 4096 Mar 9 00:33 music
drwxr-xr-x 5 michael users 4096 Mar 9 00:33 photos

Samba won't let users follow a symbolic link if the link points to a place outside of (i.e. not under) the share defined in smb.conf. This kind of symbolic link is insecure because a user could set up a symbolic link to point to anywhere in the file system and attain access to it. Yep, that's pretty appalling if you have users who you don't know or trust. But this is my home network, so user level security is not a concern for me.

The smb.conf man page explains it like so:

Turning this parameter on when UNIX extensions are enabled will allow UNIX clients to create symbolic links on the share that can point to files or directories outside restricted path exported by the share definition. This can cause access to areas outside of the share. Due to this problem, this parameter will be automatically disabled (with a message in the log file) if the unix extensions option is on.

The solution didn't even require google, I should have just read the manual to start off with. Here's the amendments to the smb.conf global section:

[global]
        # default
        follow symlinks = yes
        # allow symlinks
        wide links = yes
        # Must be off for wide links
        unix extensions = no

After restarting samba, no problem.

A couple of tips relating to security. I use passwords on my accounts and disable the root user. Also, I make sure that if someone does gain access to the home network (somehow getting our WPA PSK), then only the permitted (authenticated) users can mount the Samba share. Also, eth1 is excluded from the bind interfaces because eth1 is attached to the cable modem and I don't want the samba server to make itself available to the internet. Setting up user passwords and authentication is not described below.

[global]
        invalid users = root
        interfaces = eth0 eth2 lo
        bind interfaces only = yes

...

[storage]
comment = Storage
path = /storage
valid users = usera userb
guest ok = No
read only = No
browseable = Yes
available = Yes

How to convert a New Zealand driving license to a German one (in Munich).

2010-10-25T12:49:00.000-07:00

This will instruct you how to convert your NZ license to a German one. In fact, these instructions are probably accurate for any person whose country of origin requires that the exchange involve a theory test and no practical exam. The requirement for a practical test was removed for New Zealanders a couple of years ago.

Some countries can't convert their license, for other countries it can be very simple. Australians, for example, can exchange their license with nothing more involved than filing the paperwork with the KVR (I think they also need a translation).

The prices I quote are in euros and what I paid for each step. They are obviously approximations of what you will have to pay.

I did this in Munich so where you see KVR, read "Local administration body".

Yes, this post is long, but I've tried to pre-empt all the questions and cover the many unknowns of trying to do this. You will get bad advice from all sorts of people, in my case, I got bad advice from the Polizei, a lawyer and someone from the TÜV. You have to make yourself right with the KVR, they're who're standing in between you and that glossy bit of plastic.

So here it is, in tedious detail, written by someone who negotiated this winding road in mid 2010.

(1) Sit a first aid course.

The Red Cross run them irregularly in Munich in English. The basic course can take a couple of evenings. At the end of the course you will be issued with a certificate, which you must retain for later.

http://www.drk.de/angebote/erste-hilfe-und-rettung/kurse-in-erster-hilfe.html

Cost: 25.

[sample certificate]

(2) Get an eyesight test.

You can go to the mall to get one of those. Wander into an optician or even glasses retailer and they can probably do it on the spot. Take your passport, you will be asked for it.

Cost (appoximate): 6.50.

[sample eyesight test]

(3) Get a translation of your license.

The translation has to be signed with a magic translator's stamp. I very much doubt that you can use the so-called permit that the AA issues in NZ. I didn't even bother trying that one. It's just better to make sure that your paperwork is order to minimise face time with the KVR.

ADAC issue an official translation with the magic stamp. This is a sickening license to print money. It takes 10 minutes. For the peace of mind it may be worth it. I know of people who have had problems with translations from official translators because of miscellaneous KVR pedantry. If you use a translator to save some euros then make sure that they conform to the ADAC standard.

Größere Kartenansicht

Cost: 49.

[sample translation]

(4) File an application for the exchange with the KVR.

This is a nightmare. I had to wait for 2 hours before my number was called. It's always a good idea to go early in the morning. I arrived there about 8 AM, but they open at 7AM. Even if you arrive at 7AM you are guaranteed to encounter an early morning queue. Beware the Wartezone F zone of boredom, take a book - one that you're not close to the end of.

Note: This is not the same KVR offices that deal with your residency. This is yet another KVR office.

Eichstätter Str. 2, 80686 München, Germany

http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=Eichst%C3%A4tter+Str.+2,+80686+M%C3%BCnchen,+Germany&sll=48.13172,11.51969&sspn=0.018102,0.034075&ie=UTF8&hq=&hnear=Eichst%C3%A4tter+Stra%C3%9Fe+2,+M%C3%BCnchen+80686+M%C3%BCnchen,+Bayern,+Germany&t=h&z=16

You do not fill out any forms beforehand but you absolutely must have the following documents with you:

Passport.
NZ Drivers License.
First aid certificate.
Eyesight test certificate.
License translation.
Cash or EC card.

The KVR will take your NZ license. They keep it stored and you can retrieve it if you really need to, but NOT after your German license has been issued. The deal is that you can't pick up your German license if they don't have your NZ license. Once you pick up the German license then your NZ license is sent back to NZ. I have no idea what agency in NZ ends up with it.

At the front desk, just tell them that you want to exchange your license. If anyone asks you about a driving school, be sure in the knowledge that:

You do not need to have a driving school. The KVR is your driving school because the KVR registers you for the theory test at the TÜV.
The NZ to German license exchange no longer requires a practical test.
If you don't speak German tell them that the test should be in English..

The KVR give you a piece of paper with a reference number to check on this website:

http://www4.muenchen.de/Fuehrerschein/index.html

When the application has been processed the webpage will look like this, pay attention to the last line, that's what you're waiting for:

[sample webpage]

The KVR say that it will take 4 to 6 weeks for them to approve the application. In fact I had to wait for 7 weeks. I recommend that you apply and then start to learn the road code while you're waiting.

Believe it or not, they manufacture your license before you sit the theory test!

In case you need to call someone, the Führerscheinstelle (Driver's license office) direct call is 233 36215 or fax -03.

Cost: 35.

(5) Learn the road code.

While you're waiting for the rusty wheels of KVR beauracracy to turn, you might want to familiarise yourself with the road code in preparation for the test. Actually, the test isn't so easy, there are a number of stinkers and in all reality the European road code is markedly different to NZ. It would be unwise to think that you can wing it.

You can buy the road code book, or the test papers, all in English. You can also subscribe to a website for an online/computer exam that drills you on all the possible questions. Be sure, the test questions you can buy are exactly the same as the ones you will get in the test. But there is a huge array of questions to learn.

Cost: I didn't pay for any of these learning tools. I can tell you that the online test websites are cheap, the hard copies (on paper) are expensive and bought separately.

(6) Take the test with the TÜV.

When the muenchen.de website tells you to wenden Sie sich bitte an Ihre Fahrschule, don't call the KVR, call the TÜV and book a time to sit the test. They run tests all day, you need to call up a couple of days in advance to get a booking. They start as early as 8AM.

You must take:

Your passport.
20.83 in cash.

The test is multiple choice with more than one possible answer. It's done on a touchpad style computer. If you buy the computer tests the interface will look just the same. It took me a few moments to get my head around the system. I think you have to answer about 25 questions in 30 minutes, but I finished in 10 minutes and got one question wrong (losing 4 points) - I was in too much of a hurry.

My test was administered here (third floor):

Ridlerstraße 57, 80339 München, Deutschland

http://maps.google.com/maps/ms?ie=UTF8&hl=en&msa=0&msid=102211286544224829938.00044fbce06a5d07002e8&ll=48.134132,11.532726&spn=0.004733,0.008519&t=h&z=17

If you fail the test, then you have to wait for a stand-down period before you can sit it again. I didn't fail so I don't have first hand experience of what happens.

(7) Collect your license.

When you pass the test you are issued a form that you must then take to the KVR (Eichstätter Str. 2). You can go straight from the TÜV to the KVR if you wish. Again, roll up early if you can. You must take:

The printout from the TÜV that says you passed the test.
Your passport.

I didn't bring my passport on my first attempt to pick up the license, so they turned me away. This is despite the fact that they (probably) have a copy of my passport and my photo is actually printed on the license.

The waiting time won't be as long this time. I arrived at 7AM and there was along queue of people all lining up to get their ticket. The KVR work pretty quickly to process the queue at the door, but joke's on you, you're queueing for a ticket to wait somewhere else. I ended up in Wartezone E where they seemed to be processing people quickly. It was no more than a 20 minute wait.

Configuring exim4 for mail relay with STARTTLS and authentication.

2010-09-17T01:49:00.000-07:00

How to relay email over an encrypted SMTP connection with authentication using exim4 on Debian.

The exim documentation leads you to believe that this is a lot simpler that it really is. Following the exim documentation and most websites alone just didn't get me to the final goal. This is possibly due to the fact that the Debian defaults may be different to other distro defaults. I really don't know.

My Setup

I run my own mailserver for my own domains. It's reachable via the evil internet (as it has to be). I need to retrieve and send email from my mail programme, regardless of where in the world I am and without the inconvenience of needing to open a VPN or SSh tunnel to do either.

Naturally, security is the main concern. Dovecot provides secure imap, but I needed exim to allow me to relay my mail. If you turn on mail relay then it won't take long before the nice people from Nigeria and various other countries will be using your server as their spam hub.

Relay is the practice of sending mail to a server for which the destination is not one of the server's domains. If relaying on the server is enabled, then the server will dutifully send that email to the correct server. Relay is what I needed, but I was reluctant to share my server bandwidth with spammers.

On exim, you can enable relay for the specific case where the sender is authenticated. In other words, if I can prove to the server that I am an approved person, then the server will relay my emails. When you connect to the mail server to send your email, you just go through a username/password challenge.

You don't want to do the authentication over plain text, so encrypting the traffic is key to reducing the likelihood that someone will crack your username and password. That's why I need STARTTLS.

I'm not going into particular detail as to each setting, these you can look up for youself in the exim documentations. Here's the step-by-step configuration.

Configuration Files

After installing exim4 run:

dpkg exim4-config

The settings that you choose are up to you, but the critical thing is that you want to split the configuration out to smaller files. If you don't choose this option then the rest of this description will not work.

Edit /etc/exim4/update-exim4.conf.conf and check that you can see this:

dc_use_split_config='true'

Now add these lines to the end of the file:

host_auth_accept_relay=*
auth_over_tls_hosts=*
auth_always_advertise=true

Create a file called /etc/exim4/conf.d/main/00_my_macros and add this:

MAIN_TLS_ENABLE = true
AUTH_PLAINTEXT=yes
AUTH_CRAM_MD5=yes

Now edit /etc/exim4/conf.d/auth/30_exim4-config_examples and uncomment this section:

plain_server:
driver = plaintext
public_name = PLAIN
server_condition = "${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
server_set_id = $auth2
server_prompts = :
.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
.endif

Because you've made changes to the split config, you must run the config updater:

update-exim4.conf

Certificate

That's the configuration, now generate your own certificate for exim to use in STARTTLS.

/usr/share/doc/exim4-base/examples/exim-gencert --force

You'll need to answer some questions, you can't get them wrong. It's an untrusted (self signed) certificate. If you want to be really flash and feel rich, buy a certificate!

The certs will hopefully be dumped into the /etc/exim4/ as exim.crt and exim.key. Debian-exim will need to be able to read this if you don't have an all readable flag. An all-readable flag is a real security problem on your private key.

chmod 640 /etc/exim4/exim.*

chown root.Debian-exim /etc/exim4/exim.*

ls -l /etc/exim4/
...
-rw-r----- 1 root Debian-exim 790 Sep 16 14:12 exim.crt
-rw-r----- 1 root Debian-exim 891 Sep 16 14:12 exim.key

You're all done.

Debug Mode

There is an excellent debug mode that you can run exim in. If you have problems, stop exim and start it in debug mode:

/etc/init.d/exim4 stop
exim -bd -d -oX 25

Of course, when you want to start exim normally, use the "start" option instead of "stop".

greylistd tinkering

2010-06-03T11:48:00.000-07:00

I'm really sold on greylistd. It's dead easy to seamlessly install greylistd into exim with debian.

Greylisting rejects an unknown sender's email address under the guise of a temporary failure. So it's essentially telling the remote mail server to come back later. It works well because most bulk spammers don't have the time or motivation to go back and retry bouncing email addresses.

One thing I suspect is that I am missing google alerts because the google mail server isn't coming back to retry delivery. So I'm in the process of adding google's servers to the greylistd whitelist group.

me@myserver:~$ sudo tail -vf /var/log/exim4/mainlog

2010-06-04 06:28:23 H=mail-pv0-f199.google.com [74.125.83.199] F=<3P_QHTBQKB4crzzrwplwp243-yz2p0w9rzzrwp.nzxxtnslpwxzqql44.z2r.yA@alerts.bounces.google.com> temporarily rejected RCPT : greylisted.

So there I can see one of google's mailservers. I'm going to have to check later on for more mail servers I am sure. For now, I have added one here:

sudo vi /var/lib/greylistd/whitelist-hosts

74.125.83.199 # Google alerts

Immediate results:

2010-06-04 06:33:58 1OKFEs-0000kq-8u <= 3P_QHTBQKB4crzzrwplwp243-yz2p0w9rzzrwp.nzxxtnslpwxzqql44.z2r.yA@alerts.bounces.google.com H=mail-pv0-f199.google.com [74.125.83.199] P=esmtp S=18656 id=0016e6408b12ac7d9d0488245e81@google.com
2010-06-04 06:33:58 1OKFEs-0000kq-8u => Me R=local_user T=mail_spool
2010-06-04 06:33:58 1OKFEs-0000kq-8u Completed

So I'll go back later and check the exim log for other mail servers to add:

sudo cat /var/log/exim4/mainlog | grep google

2010-05-09T15:44:00.000-07:00

Selected useful atheist news and articles:
http://www.atheistvault.com

exim4 error after upgrade

2010-01-19T12:13:00.000-08:00

After a long overdue upgrade of exim4 and greylistd my local debian mail server would not accept email from hosts on the local network. Oddly, exim4 did accept email from the internet.

Checking the exim logs revealed this message:

server:/etc/exim4# tail -vf /var/log/exim4/rejectlog

2010-01-20 09:02:54 H=eth1 ([0.0.0.0]) [172.16.1.1] U=me F= temporarily rejected RCPT : unknown ACL verb "acl_whitelist_local_deny" in "acl_whitelist_local_deny"

To clarify:

eth1 is the public facing interface (I was delivering mail over an SSh session).
172.16.1.1 is the server's local (non public) IP.
U is the user "me".
F is my email address (the sender).
myfriend@es.co.nz is obviously the person I was emailing (recipient).

Some web searching turned up this bug report in greylistd:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=452163

"acl_whitelist_local_deny was changed to acl_local_deny_exceptions.
This change needs to be reflected in the greylistd ACL changes."

According to this page, the bug was resolved in 2007!

http://packages.debian.org/changelogs/pool/main/g/greylistd/greylistd_0.8.7+nmu1/changelog

greylistd (0.8.6) unstable; urgency=low

   * Change acl_whitelist_local_deny to acl_local_deny_exceptions
   for exim4 >= 4.68 (Closes: #452163)


My version of greylistd should have that bugfix:

server:/etc/exim4# dpkg -l greylistd
...
ii  greylistd                 0.8.7+nmu1                Greylisting daemon for use with Exim 4

server:/etc/exim4# dpkg -l exim4
...
ii  exim4                     4.69-9                    metapackage to ease Exim MTA (v4) installation

So I assume the fix didn't retroactively tidy up existing installs. I even tried:

dpkg-reconfigure exim4-config

and

greylistd-setup-exim4 remove
greylistd-setup-exim4 add

Note that you are supposed to run the greylistd "remove" script before uninstalling greylistd (should you ever want to).

The solution was to change two files and replace acl_whitelist_local_deny with acl_local_deny_exceptions

server:/etc/exim4# vi /etc/exim4/exim4.conf.template
server:/etc/exim4# vi /etc/exim4/conf.d/acl/30_exim4-config_check_rcpt

If you're using vi, simply use this command while editing the each file:

:%s/acl_whitelist_local_deny/acl_local_deny_exceptions/g

You might want to back up these files first, but do not back them up to the same directory or you will get these errors:

zurvan:/etc/exim4# cat /var/log/exim4/paniclog
2010-01-20 09:02:32 Exim configuration error in line 447 of /var/lib/exim4/config.autogenerated.tmp:
there are two ACLs called "acl_check_rcpt"

So back them up to your home directory or somewhere far far away!

I guess if you did an "apt-get purge exim4" and "apt-get purge greylistd" and then reinstalled them that the config files would come out correctly. However, I have spent a little bit of time getting my exim configurations right, so purging packages (and as a result, the configs) might have caused me even more bother.

Microsoft finally admits it

2008-10-14T12:45:00.000-07:00

"On-ya Windows" as a co-worker of mine would say. Finally, Microsoft admit that Windoze itself is a pernicious virus infecting a computer near you:

It's well known that Microsoft has been executing data at a genocidal level for years. Will this new dialogue box get The Hague off Microsoft's back?

Yes, this really is a screenshot, it's not a mockup.

More billboards, more slogans, fewer sense.

2008-10-05T14:32:00.001-07:00

This is what happens when you let Microsoft do the checking. I wonder if National intends to balance the current account with Excel.

So, are they intending to put a height restriction on new recruits or put all the existing bureaucrats on a diet?

If there really is 19 football fields worth of bureaucrats in Wellington alone, as a politician I would tend to put the subject of lessening them aside.

Yep, it’s election time. More billboards, more slogans, fewer sense.

Borders on Outrageous

2008-07-21T18:11:00.000-07:00

It doesn't get any worse than this. Ian Wishart's "Divinity Code" in the Borders (Riccarton) biochemistry section. Yep there it is, sandwiched between Robert Winston Human Instinct and Carl Zimmer Smithsonian Intimate Guide to Human Origins.

The optimist in me wants to believe that the book ended up here because the "Mysticism and Wackos" section has has been canned and the Border's staff have just randomly scattered the whole section throughout the store.

I've been keeping an eye on this title for the last while, expecting Borders to dump it in the discounts section sometime soon; secretly expecting that Borders will open a new "free" bin just for it.

Old Habits Die Hard

2008-07-21T14:26:00.000-07:00

Pope Benedict XVI arrived in Australia and was immediately criticised after again eating a child at an outdoor rally.

The Pope was unavailable for comment however Cardinal Anon said that while the consumption was unscheduled it should be celebrated in the wider context of a very successful trip. "The Church has always had a special relationship with children, this form of impromptu transmogriphication, although rarely employed today, is found right throughout the rich history of the Catholic tradition."

Police said that the suspected atheist (pictured above) who tried at the time to pull the child away from the Pope was arrested under Australia's tough new anti-terrorism laws and beaten to death.

Above: An artist's depiction of Pope Benedict XVI's recent visit to Spain.

chkrootkit: INFECTED (PORTS: 1008)

2008-06-06T21:31:00.000-07:00

chkrootkit kept freaking me out with this daily email (debian etch system):

/etc/cron.daily/chkrootkit:
INFECTED (PORTS: 1008)
eth0: PACKET SNIFFER(/usr/sbin/dhcpd[9876])

The DHCP message is fine, I have a DHCP server running.

Port 1008 is known to be used by a trojan or worm or some such. So to find out what was listening on port 1008 I did this:

server:/root# lsof -n | grep 1008
rpc.statd 2104 statd 6u IPv4 6556 UDP *:1008

(actually a tidier command would have been "lsof -i :1008").

OK, so rpc.statd seems less of a worry. From the rpc.statd man page:

It is used by the NFS file locking service, rpc.lockd, to implement lock recovery when the NFS server machine crashes and reboots.
...
By default, rpc.statd will ask portmap(8) to assign it a port number. As of this writing, there is not a standard port number that portmap always or usually assigns. Specifying a port may be useful when implementing a firewall.

OK, so quick and dirty fix time:

server:/root# /etc/init.d/nfs-common restart
Stopping NFS common utilities: idmapd statd.
Starting NFS common utilities: statd idmapd.
server:/root# lsof -n :1008
zurvan:/root#

Yay! If I was a pro, I'd specify the rpc.statd port with -p. So next reboot, I might get another chkrootkit error on another known and troublesome port. chkrootkit is a bit annoying for all these false positives. But I'd rather work them out than not run it at all.

Generate a dovecot ssl certificate (10 year & self signed)

2008-01-01T17:09:00.000-08:00

Here's how to generate an ssl cert for dovecot that has a 10 year expiry (instead of the default 365 day). If the certificates are already there then you must do this:

debianbox:/etc/ssl/certs# mv /etc/ssl/private/dovecot.pem /etc/ssl/private/dovecot.pem.old

debianbox:/etc/ssl/certs# mv /etc/ssl/certs/dovecot.pem /etc/ssl/certs/dovecot.pem.old

debianbox:/etc/ssl/certs# vi /var/lib/dpkg/info/dovecot-common.postinst
---
# Change this line:
(openssl req -new -x509 -days 365 -nodes -out $SSL_CERT -keyout $SSL_KEY > /dev/null 2>&1 <<+ # To be this: (openssl req -new -x509 -days 3650 -nodes -out $SSL_CERT -keyout $SSL_KEY > /dev/null 2>&1 <<+
---

debianbox:/etc/ssl/certs# dpkg-reconfigure dovecot-common
Stopping mail server: dovecot .
Creating generic self-signed certificate: /etc/ssl/certs/dovecot.pem
(replace with hand-crafted or authorized one if needed).
Starting mail server: dovecot.

... and that's it.

As an aside: In the server's /etc/hosts file, make sure that the local IP interface address(es) to name mappings are formatted consistently. The postinstall script uses `hostname -f` to determine the FQDN. The script will then use the result as the name of the server for which the certificate applies. If your client connects (internally) to the server with debianbox.test.co.nz and the server's /etc/hosts file reads like this...

192.168.0.254 debianbox debianbox.test.co.nz
203.10.10.10 www www.test.co.nz

... then the cert will have been issued for the server "debianbox" but your client will complain that it was actually trying to talk to debianbox.test.co.nz. Just change the /etc/hosts file to read as so...

192.168.0.254 debianbox.test.co.nz debianbox
203.10.10.10 www.test.co.nz www

... and then rerun the postinst script as above.

I don't connect to my imap server outside of the local network (192.168.0.0/24) so in actual fact the second line, a public IP address, is irrelevant in this example.

Create apache2 ssl certificate (self signed)

2008-01-01T16:31:00.000-08:00

At the time of writing this you couldn't edit "/usr/share/ssl-cert/ssleay.cnf", to change the day expiry time. make-ssl-cert generates 30 day certs. So I edited the make-ssl-cert script, which is dead easy to do:

I changed the default days to 10 years because having to renew the cert every 30 is quite annoying.

debianbox:/etc/apache2/ssl# vi /usr/share/ssl-cert/ssleay.cnf
---
# Change this:
openssl req -config $TMPFILE -new -x509 -nodes -out $output -keyout $output > /dev/null 2>&1
# To be this:
openssl req -config $TMPFILE -new -x509 -nodes -out $output -keyout $output -days 3650 > /dev/null 2>&1
---

debianbox:/etc/apache2/ssl# mv apache.pem apache.pem.old

debianbox:/etc/apache2/ssl# make-ssl-cert /usr/share/ssl-cert/ssleay.cnf apache.pem
[ answer the questions ]

debianbox:/etc/apache2/ssl# ls -l
total 8
lrwxrwxrwx 1 root root 10 2008-01-02 13:40 32f1a9d7 -> apache.pem
-rw------- 1 root root 1860 2008-01-02 13:40 apache.pem
-rw------- 1 root root 1860 2007-10-07 21:57 apache.pem.old

Reload apache2 before so that the new certificate is issued to connecting hosts.

debianbox:/etc/apache2/ssl# /etc/init.d/apache2 --help
Usage: /etc/init.d/apache2 {start|stop|restart|reload|force-reload}
debianbox:/etc/apache2/ssl# /etc/init.d/apache2 reload
Reloading web server config...27817

Visit the website with a browser and examine the certificate. Expect a warning about the site's validity because the certificate is self signed. Examine the issued certificate and check the expiry time.

Puttabong Clonal Exclusive (2007)

2007-07-31T18:49:00.000-07:00

Darjeeling 1st flush.

Apparently this tea estate is getting ISO 9002 (9001) certification. I can't see the point in that.

Recommended preparation:
3tsp / 500ml
85-95 deg C.
3.5-4.0 mins

What I did:
3tsp / small cup (easy pot)
85-95 deg C.
10->15 secs / 2 mins / 2 mins / 4 mins

I experimented by giving these leaves approximately 15 seconds on the first steeping. The flavour was completely different to my limited darjeeling experiences and seemed a very grassy flavour, delicious. I know - grass doesn't sound appealing! The second steep was for 2 minutes and the beautiful and rich buttery flavour appeared. The sweetness of the flavour was a great counterpoint to the mild astringency.

The third steeping was noticeably less buttery! I think it's important not to let the water get too cold. Future experiments left me thinking that this method is the tastiest way to extract the flavour from this tea. I adore the first 10 second steeping.

Milk wrecks the health benefits of tea

2007-01-09T14:39:00.000-08:00

New Scientist is reporting the results of a German survey that points to milk negating the health benefits of tea. Interesting mention of NOS in the form of an enzyme.

Sun-Moon Lake, Wild Mountain, Formosa (Taiwan)

2007-01-09T11:19:00.000-08:00

This is the tea that I drank a lot of at work because it is easy to prepare. I like it for two reasons.

The flavour!
If you oversteep it, the flavour isn't destroyed. That can happen at work because I get so distracted, so often I put in fewer leaves.

Leaves: 4.5 tsp
Steep: 4-5 mins
Water: 0.5l
Temp: 100C
Bought From: Ya-Ya Tea House