A mini-roundup of webmail software

Pretty much since having high speed internet at home I’ve had a machine externally accessible, initially through dynamic DNS and later via a static IP. Even prior to running a full mail server, I had a mail server set up to pull email using fetchmail from the couple of email sources I was using. Being able to access my email over the web was pretty handy, and I trusted SquirrelMail to provide this function.

Setting up SquirrelMail under Ubuntu is fairly straightforward: the packages are in the repositories and setup is a snap following the instructions. The version I have installed is a little dated but it handles email when I’m not home just fine. I particularly like the ability to set up alternate identities, making sending email from an alias easy (actually easier than messing with aliases in Evolution).

The version of SquirrelMail I have isn’t really that slick on a small (mobile) screen. I looked at just installing the right theme/skin to SquirrelMail to support mobile browsers and there don’t seem to be any (free) solutions. This got me looking around.

First stop was NaSMail, a fork of SquirrelMail but apparently better for mobile. Long story short – NaSMail looks a lot like SquirrelMail, even on a mobile device. There is a mobile browser plugin – but it didn’t change very much of the look and feel. The install process was easy and things went smoothly.

Since NaSMail didn’t address what I was looking for it was back to searching around. RoundCube seems to have a strong following and there is a version in the Ubuntu repositories. Sadly the repository version is quite old and didn’t appear to be compatible with the theme I was trying to use.

Installing RoundCube from “source” was also quite easy; there was a howtoforge article which was useful. I got a bit hung up with something that turned out to be my error in the end – I had mixed up ‘username_domain’ and ‘mail_domain’ in the configuration file, causing my IMAP logins to fail. Turning on some additional dovecot debug helped.

If you find yourself debugging IMAP login issues, the Ubuntu guide for postfix is a good resource. Basically you want to edit the /etc/dovecot/dovecot.conf file and add:

auth_debug=yes
auth_debug_passwords=yes

Then restart dovecot:

$ sudo /etc/init.d/dovecot restart

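Then monitor the /var/log/mail.log output to see what’s going on. Once logins work, remove both settings and restart dovecot again: auth_debug_passwords writes the passwords from failed logins into that log.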

So RoundCube is very pretty, but it completely fails on a mobile device as the UI expects double-click actions. You can manage to navigate if you are persistent but it’s a bigger barrier than my existing SquirrelMail setup. There are commercial mobile browser skins, but the only free one I found (MobileCube) was mostly a cosmetic change of the default. I will mention that the commercial skin cost is only $32 – probably less costly than the time I sunk into poking around. The double-click UI for RoundCube turned me off, I much prefer a web like single-click UI even when using a full browser.

My last stop on the webmail search is HastyMail. There is no Ubuntu support of this one, but installing from source is fairly straightforward and well documented. I will note that there is a site_key in the configuration file you’ll want to change for security purposes; I generated a new key using a web-based password generator and would recommend you do something similar. The config file is human readable and is processed into a machine readable format. I found the command line version more convenient than the web – but both work fine.

HastyMail looks prettier than my existing SquirrelMail, appears to format nicer on mobile browsers (but not perfectly). The image at the top of this post is from my Android phone in landscape mode, I’ve blurred some details but there should be enough to get a sense for how it appears. It also has a ‘simple mode’ which is great for low bandwidth or low capability screens, this is captured in the second picture on the right. I wish there was a theme somewhere in between the default and simple modes, maybe I’ll poke at that sometime.

There are many other webmail options out there: AtMail, Xuheki, Horde, … For the most part they seem to target niches. Most people are migrating to hosted webmail (Gmail, Yahoo, MSN) or simply using the mail client on their mobile device.

8GB Memory Upgrade / PAE Mode

I’ve been doing more video processing lately, some of it HDTV quality, this was really demonstrating that 2GB was not nearly enough RAM for my system. Memory prices have dropped a lot since I did my frugal upgrade, at the time (early 2010) I spent $54 on a single 2GB stick. The other day I picked up 2x4GB for a mere $35 from CanadaComputers. Sure we’re now 2 years later, but to get four times the RAM for less?

In general I’ve had good luck with Patriot products, and looking at their warranty it looks like they have the standard limited lifetime warranty you’d expect.

My motherboard has 4 slots for RAM, so I could have left the 2GB stick in and added the two additional – but I decided against mixing things up. I figured 8GB was plenty for now, I can easily change my mind later. Installation was a snap, literally under 10mins including juggling all those cables.

Amazingly I got it right the first time, the BIOS showed me 8GB. Now as I’m running a 32bit version of Linux, I wasn’t surprised that the operating system couldn’t see all of my new RAM.

$ cat /proc/meminfo
MemTotal: 3482728 kB

So Linux can only see 3.3GB. I suspect the reason the value isn’t 4GB is the onboard video stealing some away from the OS.

The obvious upgrade path is to install the 64bit version of Ubuntu. It seems the smart path forward is to wipe and start again, however given that I’ve got a 1TB drive and it’s 60% full that’s going to be a long copy / install process. I mentioned this to a friend at work and he suggested that instead I use the PAE kernel, I’m glad he suggested it.

Physical Address Extension (PAE) is very easy to add to an existing 32bit Ubuntu installation. Assuming you’ve got a CPU that supports the feature (and with any current hardware you will), it’s a simple one line install.

$ sudo aptitude install linux-generic-pae linux-headers-generic-pae

After the install, a quick reboot and we’re running the new kernel. If you’re doing a clean install, recent versions of Ubuntu automatically add the PAE kernel if you’ve got enough RAM.

Now we can see all of the RAM:

$ cat /proc/meminfo
MemTotal: 8072420 kB

This works out to 7.7GB, again some I believe is donated to the onboard video.

Why might you want to use PAE instead of running a 64bit version? If you elect to use 64bit mode, then all of your memory pointers need to be 64bits wide (aka double the 32bit size). This can cause some serious memory bloat depending on the type of application.

It should be no great surprise, but there is some work involved in getting applications to work in 64bit environments. For some applications, recompiling is all that is needed – however many have hidden dependencies on certain data structures being 32bit in size. It is for this reason that lots of software is still stuck back in 32bit – the mitigation is to run 32bit compatibility libraries.

With PAE, while the kernel can see all of the memory (up to 64GB) – each process is still limited to 32bit addressing (4GB max). You also miss out on some of the 64bit extensions to the instruction set, so you are leaving a little bit of performance on the table.

When I get around to doing a full wipe and re-install, I’ll likely move to a 64bit version of Ubuntu as it seems to be the recommended approach. I’m certainly glad I can put that off for a while longer and use PAE to get access to the increased memory with almost no effort.

Ubuntu Apache2 “trusted” SSL Certificate from StartSSL

I own the domain lowtek.ca and host a couple of personal projects as well as this blog on it. One of the areas is behind a password, and I redirect that part of the site over to https to ensure that the communication is encrypted. While the whole Certificate Authority infrastructure is currently being questioned, having an SSL connection between your browser and (hopefully) a specific destination machine still has value. I found a humorous YouTube video that describes SSL basics if this is new to you.

If you were watching the tech news, you’ll have seen that several of the CAs had security breaches. Even StartSSL, which this post will talk about using, had some issues, but it seems that it wasn’t as bad as the others. There has even been some research into how to attack / break SSL entirely. The web is a scary place if you think too much about this stuff. Today SSL is the most convenient web security story there is, and for the most part it works well enough.

For most people hosting personal websites the simple path is to use a self signed certificate. The one downside to this is that whatever browser you are using will not recognize the certificate as valid: you’ll either be prompted to download and remember it, or just trust it for this one session. Browsers trust the https connections of commercial web sites because their certificates are issued by one of the root CAs (Certificate Authorities). The CA is a trusted 3rd party which the browser can check with to validate the certificate the website is offering up.

Ubuntu has some guides on creating certificates. What I’ll try to do here is provide a specific example of using StartSSL to generate a free certificate that is accepted by most web browsers. Much of the details come from another blog that I referenced when creating my StartSSL certificate.

You’ll probably want to use Firefox. The web interface at StartSSL.com can be a bit finicky and Firefox is known to work – I used the somewhat old 3.6.25 version. Of course the first step is to sign up and create an account on StartSSL. They use email confirmation and my greylisting caused a bit of a hiccup here; waiting a few minutes and resubmitting the sign-up succeeded just fine. Then there will be a wizard that takes you through the rest of the sign-up process.

At the end of your account sign up you’ll be encouraged to back up the client certificate that has been installed into your browser. As I understand it, they use the client certificate as a form of authentication that it is really you they are connected to. The FAQ has details on backing up the client certificate. If for some reason you lose your client certificate they have a FAQ for that too.

Next we want to return to the “Control Panel” and use the “Validations Wizard” to do the “Domain Name Validation”. This will require another email validation to ensure that you are the owner of the domain (you’ll need to be able to receive email for that domain).

Now we can actually create a certificate. There are pay options for certificates, but we want to use the free version. Use the “Certificates Wizard” to create a “Web Server SSL/TLS Certificate”. Again I’ll reference the very useful blog post from jasoncodes.com that describes this set of steps (I will replicate here for completeness).

The first step of creating a certificate we can skip, as we plan to create our own Certificate Signing Request (CSR) locally. Execute the following on your server, obviously replacing mydomain.ca with your domain name:

openssl req -new -newkey rsa:4096 -days 380 -nodes -keyout mydomain.ca.key -out mydomain.ca.csr

There will be several questions posed to you during this, here is a dump of the questions and some example answers:

Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:YourStateOrProvince
Locality Name (eg, city) []:YourCity
Organization Name (eg, company) [Internet Widgits Pty Ltd]:SomeName
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:mydomain.ca
Email Address []:secret_email@mydomain.ca

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Some of the answers can be blank, as should be evident above. If you’re having trouble with the 2 letter country codes, check on Wikipedia. I did find a reference that suggested that the common name must exactly match the host name of your server; you might note that I’m not using a www prefix here. This will allow me to re-use this same certificate for email and other things in theory, and it also follows the no-www approach. I opted to leave the challenge password blank.

The second step of the wizard on StartSSL for creating a certificate will ask for a cut & paste of the mydomain.ca.csr we just created. Paste the entire contents of the file in, and move on to the next step where you should see that the request was received.

Moving along, the next step is to “Add Domains”; since we’ve only validated one domain this should be easy. As part of this process it will ask for one sub domain. I used “www” since that will still resolve correctly to the lowtek.ca domain.

The remainder of the steps should be straightforward, and you’ll arrive at the “Save Certificate” screen. You’ll want to save three things: 1) Text box contents as mydomain.ca.crt, then save-as the 2) intermediate and 3) root CA certificates (last two should be sub.class1.server.ca.pem and ca.pem respectively).

Now we need to install into Apache2. I’ll assume you’re running Ubuntu.

We’ll start by copying the .crt and .pem files we saved from the final step on StartSSL into the /etc/apache2/ssl directory. We also want the .key file that was created when we made our CSR copied to the same directory.

Again I must credit jasoncodes.com, this is almost verbatim from his site. Run the following as root.

cd /etc/apache2/ssl
mv ca.pem startssl.ca.crt
mv sub.class1.server.ca.pem startssl.sub.class1.server.ca.crt
cat startssl.sub.class1.server.ca.crt startssl.ca.crt > startssl.chain.class1.server.crt
cat mydomain.ca.{key,crt} startssl.chain.class1.server.crt > mydomain.ca.pem
ln -sf mydomain.ca.pem apache.pem
chown root:root *.crt *.key *.pem
chmod 640 *.key *.pem

Now we need to modify the apache config file /etc/apache2/sites-available/ssl and add the following within the <VirtualHost> block:

SSLEngine On
SSLCertificateFile /etc/apache2/ssl/mydomain.ca.crt
SSLCertificateKeyFile /etc/apache2/ssl/mydomain.ca.key
SSLCertificateChainFile /etc/apache2/ssl/startssl.chain.class1.server.crt

Check that your Apache config parses as valid:

apache2ctl -t

And then restart Apache with the new config:

sudo /etc/init.d/apache2 reload

Here is the verification process verbatim from jasoncodes.com:

Run the following after restarting Apache to check the certificate chain:

echo HEAD / | openssl s_client -connect localhost:443 -quiet > /dev/null

You should see something like:

depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0

A depth of 2 and a return value of 0 is good. If the certificate chain is wrong, you’ll probably see something like:

depth=0 /description=12345-ABCDEF123456/C=XX/O=Persona Not Validated/OU=StartCom Free Certificate Member/CN=host.example.com/emailAddress=hostmaster@example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /description=12345-ABCDEF123456/C=XX/O=Persona Not Validated/OU=StartCom Free Certificate Member/CN=host.example.com/emailAddress=hostmaster@example.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /description=12345-ABCDEF123456/C=XX/O=Persona Not Validated/OU=StartCom Free Certificate Member/CN=host.example.com/emailAddress=hostmaster@example.com
verify error:num=21:unable to verify the first certificate
verify return:1

I was pleased to see that it all verified correctly for me. Visiting https://lowtek.ca resulted in a green lock icon under Google Chrome.
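The two s_client outputs quoted above can be told apart by the numeric code after num=, which stays stable even where the message wording differs between OpenSSL releases. The shell function below is an added example, not from the original post or from jasoncodes.com; the name classify_chain and its result labels are made up for illustration, and it also handles codes 10 (expired) and 18 (self signed leaf), which the post does not show.

```shell
# Added example: classify the verify lines that `openssl s_client` writes
# to stderr. classify_chain and its labels are illustrative names.
classify_chain() {
    awk '
        BEGIN { maxdepth = 0 }
        /^depth=[0-9]+/ {                  # track the deepest certificate seen
            d = $1; sub(/^depth=/, "", d)
            if (d + 0 > maxdepth) maxdepth = d + 0
            seen = 1
        }
        /verify error:num=[0-9]+/ {        # key on the number, not the text
            n = $0
            sub(/.*verify error:num=/, "", n)
            sub(/:.*/, "", n)
            err[n + 0] = 1; nerr++
        }
        END {
            if (!seen)     { print "no-verify-output"; exit }
            if (10 in err) { print "expired"; exit }
            # 20/21: the server did not send a usable intermediate chain
            if ((20 in err) || (21 in err)) { print "chain-incomplete"; exit }
            if (18 in err) { print "self-signed-leaf"; exit }
            # 19: chain reaches a self signed root this client does not trust
            if (19 in err) { print "complete-untrusted-root depth=" maxdepth; exit }
            if (nerr)      { print "other-error"; exit }
            print "trusted depth=" maxdepth
        }'
}

# Sample input: the two outputs from the post (subject lines abbreviated).
good_sample() { cat <<'EOF'
depth=2 /C=IL/O=StartCom Ltd./CN=StartCom Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
EOF
}
bad_sample() { cat <<'EOF'
depth=0 /O=Persona Not Validated/CN=host.example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /O=Persona Not Validated/CN=host.example.com
verify error:num=21:unable to verify the first certificate
verify return:1
EOF
}

good_sample | classify_chain   # complete-untrusted-root depth=2
bad_sample  | classify_chain   # chain-incomplete
# Live use, with the same command as in the post:
# echo HEAD / | openssl s_client -connect localhost:443 -quiet 2>&1 >/dev/null | classify_chain
```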

The StartSSL certificate expires in 1 year, so next year around this time I’ll be doing the same process. There is another CA (AffirmTrust) I came across that offers free 3 year certificates, I have no experience with them but would be interested to hear if anyone tries them out. There is CACert as well, but it doesn’t appear to be included in any of the browsers – limiting the usefulness of a certificate from them.