Wasted time with Exchange 2010, SquirrelMail, and IMAP-SSL

I’m setting up SquirrelMail to point to my Exchange 2010 server via IMAP (don’t ask) and couldn’t get SM to talk to Exchange on port 993 (imaps). Even though the servers on the same subnet, any time passwords are being sent over the network I like to opt for SSL. I found a couple of sites suggesting that the problem was that there was no SSL certificate installed, but I knew for a fact there was a valid certificate because I could get to https://webmail.example.com/ for OWA.

Some of the errors SquirrelMail was reporting were “Error connecting to IMAP server xxxx Server error: (0)” and “Error connecting to IMAP server: tls://xxxx:993. 0: ”

Nothing would actually work on port 993. Telnet to 993 got this:

$ telnet 993
Connected to
Escape character is '^]'.
* BYE Connection is closed. 14
Connection closed by foreign host.

After too much poking, I decided to go down to a lower level and do a simple openssl certificate retrieval and see what came back:

$ openssl s_client -connect
140281653434184:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:699:
no peer certificate available
No client certificate CA names sent
SSL handshake has read 7 bytes and written 113 bytes
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE

That didn’t look right, so I ran it against the same server on port 443 and got back a real certificate. Same for port 995 (pop3s):

$ openssl s_client -connect
depth=3 L = ValiCert Validation Network, O = "ValiCert, Inc.", OU = ValiCert Class 2 Policy Validation Authority, CN = http://www.valicert.com/, emailAddress = info@valicert.com
verify return:1
depth=2 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
verify return:1


So there’s just something wrong with SSL on port 993. To make a long story short, I had to use the Enable-ExchangeCertificate to apply the SSL certificate to port 993. First, run “Get-ExchangeCertificate” to list the available certificates and retrieve the Thumbprint.

[PS] C:\Windows\system32>Get-ExchangeCertificate

Thumbprint                                Services   Subject
----------                                --------   -------
yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy  .P....     CN=exch2010fe1
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  I..W..     CN=webmail.example.com, OU=Domain Control Validated, O=webmail.ex...

Copy & paste the thumbprint for whichever cert you want to use into Enable-ExchangeCertificate:

[PS] C:\Windows\system32>Enable-ExchangeCertificate -ThumbPrint xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx -Services IIS,P
OP,IMAP -DoNotRequireSSL
[PS] C:\Windows\system32>Get-ExchangeCertificate

Thumbprint                                Services   Subject
----------                                --------   -------
yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy  ......     CN=exch2010fe1
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  IP.W..     CN=webmail.example.com, OU=Domain Control Validated, O=webmail.ex...

After running that, imaps on port 993 worked perfectly. I can connect to it with both SquirrelMail and Thunderbird.

The SquirrelMail config looks like this:

IMAP Settings
4.  IMAP Server            : webmail.example.com
5.  IMAP Port              : 993
6.  Authentication type    : login
7.  Secure IMAP (TLS)      : true
8.  Server software        : exchange
9.  Delimiter              : detect

Edit Feb 15, 2011: I just renewed the SSL cert and ran into a problem with a Ruby script that was suddenly unable to check a mailbox over IMAPS. The error received was:

/usr/lib/ruby/1.8/net/imap.rb:898:in `connect': unknown protocol (OpenSSL::SSL::SSLError)
        from /usr/lib/ruby/1.8/net/imap.rb:898:in `initialize'

After a few minutes, I remembered this blog post and ran Enable-ExchangeCertificate and it worked again. Glad I wrote it down.

CONNECTED(00000003) 26831:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

How does paid blogging work?

I’ve been hearing for years about paid bloggers. If people are getting paid to write their crap down in an ad-supported industry, it seemed like it might make sense to throw some ads up on this very site to see what happens. I’ve had Adsense running on this site for a few months now and the short answer is a whole lot of nothing. Here’s what the earnings look like since 1/1/2009 (my Adsense account is much older than this site; I put the banner ads up around Fall of 2009):

Basically, in a year I’ve “earned” under $20. That doesn’t even pay for domain registration & DNS for a year. And since Google doesn’t actually pay you until you have $100 in earnings, this is fake money anyway.

Now I didn’t have any illusions about making money from this site, I just put the ads up as an experiment to see if this is a realistic way to earn a dependable income. From what I can tell, it can be, but only in certain cases, basically coming down to how much traffic you can generate.

  1. You’re already famous. If you’re already a “celebrity” in your field (whatever that field is) then people already probably want to hear what you say.
  2. Your subject matter has mass appeal. If you write about discoveries in quantum physics, you may have a decent following, but it’s still only going to be the people who care about quantum physics. If you write about Jersey Shore you have a much larger pool of possible readers, because everybody loves watching a train wreck.
  3. What you say actually matters. This is related to the first point. If Joe Shmoe (or Evan Hoffman) rants at the top of his lungs, it’s just some guy complaining. If Ben Bernanke makes an offhand comment about interest rates the stock market tanks.

I’m sure there are some other cases, but as far as I can tell a tech guy writing about things that annoy him doesn’t fit any of these criteria. I’m tempted to remove the ads altogether, but it’s too interesting seeing what ads Google puts up on some of these pages. The first few months, the ads were all for some rabbi’s circumcision service. Not sure what that was about.

Do I still need swap space?

About three years ago I replaced our primary database. For years we’d been plagued by awful performance in the database and we were never able to diagnose the problem. The original server was a real beast at the time: 8 Opterons (single core), 32 gigs ram, and a fibre channel RAID connected via a QLogic HBA. This was back in 2005, so those specs don’t probably sound that impressive today, but this was a crazy configuration (with a crazy price tag to match). On paper it looked like this server should be basically invincible but the performance was awful, slowing down every process within the company. We contacted a few different companies (including CommandPrompt, which employs several of the core Pg devs) to see if they could assist us in diagnosing the problems but tuning only helped to a point. There was just something wrong with the box, maybe having to do with the FC HBA itself (which nobody knew much about).
Continue reading “Do I still need swap space?”

5,472 ms

I signed up with Pingdom to monitor my website. They have a free service if you just want to monitor a single site, and since I only have one site, this is perfect. Since this server gets knocked offline all the time (thanks LIPA) I figured this was a prudent step. However, Pingdom also offers response time stats, and the stats are not good. Average response time is around 4200 ms, and with the first test taking 5,472 ms to respond.

Oh well. It’s free. Maybe I should move it to wordpress.com.

Edit: Pingdom is so smart. They have banners so you can advertise your awesome (?) uptime!

Using Zabbix for SNMP monitoring disk usage percent for Windows hosts

A few years ago we moved from Nagios to Zabbix for our server monitoring needs. I wasn’t a big fan of Nagios, finding it a pain to manage with its myriad configuration files. It’s probably gotten better since I last toyed with it but since we moved to Zabbix I haven’t had much reason to look at Nagios again.
Continue reading “Using Zabbix for SNMP monitoring disk usage percent for Windows hosts”