Tides

Tides came up at work, and we were trying to figure out what the tide numbers were relative to. You would think this would have been easy…but it took a lot of searching to find.

So…

Tides are given in feet above (sometimes below) chart datum. Chart datum is defined (in the United States) by Mean Lower Low Water (MLLW). MLLW is “The average of the lower low water height of each tidal day observed over the National Tidal Datum Epoch” (http://www.baysail.com/tide_terms/gloss_m.html). Lower low water is the lower of the two low tides (or single low tide) in a day. The National Tidal Datum Epoch is 19 years, and currently is the period from 1983-2001 (http://co-ops.nos.noaa.gov/datum_update.shtml). I’m mainly posting this just to remind myself since I spent so much time figuring it out.

Building sa-exim on OpenBSD

If you’re getting

"Makefile", line 62: Need an operator

when trying to build sa-exim 4.2 on OpenBSD, do the following two things:

1. Edit the Makefile, on line 59:

@bash -c 'sed "//,$$ d" < [blah blah]'

Change bash to sh. You can use ":set number" in vi to see line numbers.

2. Use gmake instead of make.

SSL, TLS, STARTTLS, Courier IMAP, Squirrelmail

I can’t find any good documentation on SSL/TLS and courier-imap’s imapd and imapd-ssl daemons, so I’m taking a crack at it. First, some background on TLS and SSL.

TLS is the newest version of SSL, i.e. SSLv1 < SSLv2 < SSLv3 < TLSv1. So, TLS is actually better than SSL.

They work the same way…most of the time. SSL and TLS can both be negotiated as encrypted connections…meaning that the connection starts talking TLS or SSL as soon as it is made. This is what you’ll see over port 993 most of the time.

Additionally, TLS can begin AFTER the connection is made. That is, you would negotiate an unencrypted connection (say over the standard 143 IMAP port), discover that the server supports STARTTLS, send the STARTTLS command, and then begin speaking TLS.

Normally these finer points aren’t important, but if you’re trying to set up Courier IMAP you can run into some glitches. Now, I’m running OpenBSD 3.7 with courier-imap-3.0.5p2 installed from the BSD ports tree. This is the operation I’ve observed on MY system; your mileage may vary.

The imapd-ssl.rc script runs a process that only speaks TLS or SSL, so you have to connect using SSL or TLS. This script does not implement STARTTLS. If you want to use STARTTLS, keep reading. The imapd-ssl.rc script will run SSL or TLS over the port specified in SSLPORT (usually 993).

The Courier documentation led me to believe that /etc/courier-imap/imapd-ssl only affects the behavior of the imapd-ssl process. This is not the case on my system. The STARTTLS settings in imapd-ssl affect the normal imapd process. If IMAPDSTARTTLS=YES, then STARTTLS is advertised when the server advertises CAPABILITY. If IMAP_TLS_REQUIRED=1, then the client MUST send STARTTLS in order to log in. If IMAP_TLS_REQUIRED=0, then STARTTLS is optional.

So, if you want to use STARTTLS, run imapd, but configure /etc/courier-imap/imapd-ssl. If you want SSL/TLS to begin immediately on connection, run imapd-ssl (still configure imapd-ssl, but the TLS settings won’t have any effect).

Squirrelmail doesn’t support STARTTLS, so you’ll need to either run TLS on port 993 (Squirrelmail doesn’t support SSL), or make STARTTLS optional on 143. STARTTLS optional means Squirrelmail would be talking plainly to the server; this is BAD if your IMAP server is not localhost. I’m not aware of any security concerns for an unencrypted connection to localhost, though. PLEASE correct me if I’m wrong.
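
To check which of the configurations above a server on port 143 is actually presenting, the following added example (not code from this post or from Courier) classifies a CAPABILITY response and reports what happens to LOGIN for a given client. The sample lines are constructed, mail.example.org is a placeholder, and treating LOGINDISABLED (RFC 3501) as the sign of IMAP_TLS_REQUIRED=1 is an assumption, since the post does not show the server's output.

```python
import ipaddress

# Constructed CAPABILITY lines (not captured from a real server), one per
# imapd-ssl setting combination described above, as seen on port 143.
SAMPLES = {
    "IMAPDSTARTTLS=NO": "* CAPABILITY IMAP4rev1 UIDPLUS IDLE",
    "IMAP_TLS_REQUIRED=0": "* CAPABILITY IMAP4rev1 UIDPLUS IDLE STARTTLS",
    "IMAP_TLS_REQUIRED=1": "* OK [CAPABILITY IMAP4rev1 IDLE STARTTLS LOGINDISABLED] ready",
}

def parse_capabilities(line):
    """Return the capability atoms from an untagged response or a greeting."""
    text = line.strip()
    upper = text.upper()
    if "[CAPABILITY" in upper:                      # "* OK [CAPABILITY ...] text"
        start = upper.index("[CAPABILITY") + len("[CAPABILITY")
        text = text[start:text.index("]", start)]
    elif upper.startswith("* CAPABILITY"):          # "* CAPABILITY ..."
        text = text[len("* CAPABILITY"):]
    else:
        raise ValueError("not a CAPABILITY response: %r" % line)
    return {atom.upper() for atom in text.split()}

def starttls_policy(caps):
    """'unavailable', 'optional' or 'required' (LOGINDISABLED, RFC 3501)."""
    if "STARTTLS" not in caps:
        return "unavailable"
    return "required" if "LOGINDISABLED" in caps else "optional"

def is_loopback(host):
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False        # a name we cannot prove is local counts as remote

def login_outcome(caps, host, client_does_starttls):
    """What happens to LOGIN on port 143 for a client that honours LOGINDISABLED."""
    policy = starttls_policy(caps)
    if client_does_starttls and policy != "unavailable":
        return "tls"
    if policy == "required":
        return "login-refused"
    return "cleartext-local" if is_loopback(host) else "cleartext-network"

if __name__ == "__main__":
    for setting, line in SAMPLES.items():
        caps = parse_capabilities(line)
        # A client without STARTTLS (Squirrelmail, per the post) and a remote server.
        print(setting, starttls_policy(caps), login_outcome(caps, "mail.example.org", False))
```

A result of cleartext-network is the case the post calls BAD: the webmail host and the IMAP server are different machines and the password crosses the wire unencrypted.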