27: Obviously Forged

Here’s another chunk from Run Your Own Mail Server.

Ideally, sysadmins want all the messages from their domain to conform to the highest possible standards. They intend to sign everything with DKIM, and publish SPF records that contain every host that might possibly send mail. Anything that doesn’t have perfect alignment is obviously forged and should be unilaterally discarded. Anyone who’s worked in computing more than a week understands that they missed something, though. Some critical system sends mail from its own hostname rather than the domain, or there’s that weird host that sends mail only when the Galactic Senate starts its decennial session. DMARC deliberately allows a soft deployment. You can publish fierce policies that require strict alignment of SPF and/or DKIM, but ask that failures be reported to you rather than discarded. Use the failure reports to find deployment gaps. Eventually the failure reports will stop coming and you can ask others to quarantine or even reject noncompliant mails.
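The staged rollout above, worked through in code. This is an added example, not text or code from the book: it parses a DMARC record, applies relaxed or strict identifier alignment, and shows how the same unsigned monitoring-host message goes from "fail, but delivered and reported" under p=none to "reject" once the policy is tightened. The record contents, the alerts@example.com scenario and the two-label `org_domain()` shortcut (real evaluators use the Public Suffix List) are assumptions.

```python
"""DMARC record parsing and identifier-alignment check (RFC 7489)."""

def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record into a tag dictionary, applying RFC defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record: " + txt)
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment unless told otherwise
    tags.setdefault("aspf", "r")    # relaxed SPF alignment unless told otherwise
    return tags

def org_domain(domain: str) -> str:
    """Organizational domain. Assumption/simplification: the last two labels.
    Real evaluators consult the Public Suffix List (think of co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain: str, auth_domain, mode: str) -> bool:
    """Relaxed ('r') alignment compares organizational domains; strict ('s')
    wants the authenticated domain to equal the From: domain exactly."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower().rstrip(".") == auth_domain.lower().rstrip(".")
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate(record: str, from_domain: str, *, spf_domain=None, spf_pass=False,
             dkim_domain=None, dkim_pass=False) -> dict:
    """Combine SPF/DKIM outcomes with alignment and return the DMARC verdict.
    Under p=none a failing message is still delivered; it only shows up in
    the aggregate report sent to the 'rua' address."""
    rec = parse_dmarc(record)
    spf_aligned = spf_pass and aligned(from_domain, spf_domain, rec["aspf"])
    dkim_aligned = dkim_pass and aligned(from_domain, dkim_domain, rec["adkim"])
    passed = spf_aligned or dkim_aligned
    return {
        "result": "pass" if passed else "fail",
        "disposition": "none" if passed else rec["p"],
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "report_to": rec.get("rua"),
    }

# Constructed scenario: a monitoring box sends From: alerts@example.com, its
# SPF-authenticated MAIL FROM domain is its own hostname, and nothing is
# DKIM-signed. Strict alignment makes that "obviously forged".
MONITORING = dict(spf_domain="monitor.example.com", spf_pass=True)
MONITOR_PHASE = "v=DMARC1; p=none; rua=mailto:dmarc@example.com; adkim=s; aspf=s"
ENFORCE_PHASE = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"

if __name__ == "__main__":
    for record in (MONITOR_PHASE, ENFORCE_PHASE):
        print(evaluate(record, "example.com", **MONITORING))
```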

The light at the end of this book is clearly visible, and I can even hear the train approaching. Yay!

26: It Can, But Doesn’t

Still hammering on Run Your Own Mail Server.

If you’ve worked with signing protocols like OpenPGP, you’re familiar with digital signatures. You take a chunk of data and sign it. Any alteration to the file invalidates the signature. You might be expecting DKIM to work the same way. It can, but doesn’t.

Traditional mail software has been free to rearrange messages if the programmer thought it necessary or correct. This might include adding or rearranging headers, substituting one kind of whitespace for another, trimming trailing whitespace, transforming line wrapping, and more. Any of these changes invalidate digital signatures. Complicated mail systems might pass messages through multiple MTAs before they reach their destination. Those systems are often from different vendors who each interpret the standards uniquely. Some older so-called “email firewalls” mangled messages to achieve what they branded as “security,” and a few of these systems are still
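The mechanism that lets DKIM survive some of that mangling is canonicalization (RFC 6376 section 3.4). The following is an added example, not code from the book: it implements the "simple" and "relaxed" body and header canonicalizations and computes the bh= body hash, showing that relaxed tolerates whitespace substitution, trailing whitespace and added blank lines, but not re-wrapped lines. The message bodies are constructed.

```python
"""DKIM body/header canonicalization (RFC 6376 section 3.4) and the bh= hash."""
import base64
import hashlib
import re

_WSP_RUN = re.compile(r"[ \t]+")

def simple_body(body: str) -> str:
    """'simple': leave the body alone except for trailing empty lines.
    An empty body canonicalizes to a single CRLF."""
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    return "\r\n".join(lines) + "\r\n"

def relaxed_body(body: str) -> str:
    """'relaxed': collapse runs of WSP to one space, drop trailing WSP on each
    line, then drop trailing empty lines. An empty body canonicalizes to ''."""
    lines = [_WSP_RUN.sub(" ", line).rstrip(" ")
             for line in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "\r\n".join(lines) + "\r\n" if lines else ""

def relaxed_header(name: str, value: str) -> str:
    """'relaxed' header canonicalization: lowercase name, unfold continuation
    lines, collapse WSP, strip WSP around the value, nothing around the colon."""
    unfolded = value.replace("\r\n", "")
    return f"{name.lower()}:{_WSP_RUN.sub(' ', unfolded).strip(' ')}\r\n"

def body_hash(body: str, canon: str = "relaxed") -> str:
    """The bh= tag value: base64(SHA-256(canonicalized body))."""
    canonical = relaxed_body(body) if canon == "relaxed" else simple_body(body)
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")

def survives(original: str, delivered: str, canon: str) -> bool:
    """True if the bh= the signer computed still matches at the verifier."""
    return body_hash(original, canon) == body_hash(delivered, canon)

# Constructed bodies: what the signer saw, what an MTA in the path delivered
# after swapping a tab for a space, trimming/adding trailing whitespace and
# appending blank lines, and a copy whose line wrapping was changed.
SIGNED_BODY = "Hello,\tworld  \r\nSecond line\r\n"
MANGLED_BODY = "Hello, world\r\nSecond line \r\n\r\n\r\n"
REWRAPPED_BODY = "Hello, world Second line\r\n"

if __name__ == "__main__":
    print("simple, whitespace mangled :", survives(SIGNED_BODY, MANGLED_BODY, "simple"))    # False
    print("relaxed, whitespace mangled:", survives(SIGNED_BODY, MANGLED_BODY, "relaxed"))   # True
    print("relaxed, lines rewrapped   :", survives(SIGNED_BODY, REWRAPPED_BODY, "relaxed")) # False
```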

If you enjoy watching me suffer from cryptography poisoning, you can still sponsor this book or follow the carnage on a few social media platforms.

25: Shoes with Wheels on the Heels

Here’s a snippet from this month’s FreeBSD Journal Letters column.

System administration in a modern enterprise is like performing an oil change on a vehicle doing a hundred and twenty down the freeway. 120 miles an hour, or kilometers, you might ask? When you’re lying on your back on one of those oversized mechanic’s skateboards, clenching the oil wrench in your teeth and wishing you’d worn shoes with wheels on the heels so you wouldn’t have to work quite so hard holding your legs up, it doesn’t matter. Occasionally the driver gets bored with weaving between desktop users guilty of the unspeakable crime of Using The Road While Obeying The Speed Limit Even Though I’m A CEO, so he sideswipes a pothole just to hear your skull bounce off the transmission housing. Wear a helmet. When the oil change is complete, you get to change the spark plugs and flush the coolant. From below, of course. Raising the hood would impair the driver’s vision, and you can’t possibly interfere with the corporate mission, whatever that is.

The .0 release is a metaphorical tire change, that’s all. The trick is to wait until the driver claims there’s a stretch of smooth road ahead and to place the jack snugly between your knees.

No, I’m not cynical about this business. Not at all. This is how it is.

The first three years of this letters column are collected in Letters to ed(1).

24: Little Soft Creatures

Today’s sample is from Fair Balls, a Prohibition Orcs tale that’s going to my backers next week and the rest of the world next April.

The tiny sewn-hide ball settled into the cup of Ivan’s palm.

“Oscar, you see where Mick is?” Brigid said.

How was an orc to remember these human names? Even without coats human children all looked alike, little soft creatures that couldn’t feed themselves until they were twice Ivan’s age.

Brigid pointed. “Behind home plate? You stand there and catch what Ivan throws. Susan! Grab the bat. No, not yet, Oscar! I gotta tell you what to do!”

“I throw,” Ivan said. “Oscar catches.” How could he throw a ball this tiny?

Brigid said, “Look where Susan is. You gotta throw so she can hit it. You want her to miss, but it’s got to be a fair miss, right?”

Fair. A human word that meant orcs lose. And she? Susan was the other woman, so Ivan must not speak to her.

The ball game hadn’t started, and already it made orc balls itch.

Find the earlier Prohibition Orcs tales at my web site. If you get the ebooks from my bookstore, you’ll also receive the exclusive To Serve Orc: Enduring Recipes from the Old Country, Watered Down for America. Yes, they’re real recipes, even if a couple recipes involve difficult-to-obtain ingredients. Everybody loves “Human Porridge” and “Lutesdwarf.”

My Ebook Store Now Offers Gift Cards

Don’t know exactly what you want as a gift for Your Chosen Winter Solstice Holiday, but you know you want it to include my ebooks?

Tilted Windmill Press now offers gift cards. There’s no physical card, mind you. It’s a digital code that gets emailed to the recipient. But if Amazon calls this a ‘gift card’ I can too.

Yes, this is another lame excuse to take your money. Except it’s not your money, it’s money from your friends and family.

You might note that the cards are good for two years, rather than forever. People have expressed interest in TWP gift cards, but I don’t know if that will translate to actual purchases. I am buying the gift card plugin (yes, I could code something myself, but that’s specifically against my guidelines). I’m committing to buying this plugin until at least December 2025. If I decide to stop offering the gift card, I’ll buy the plugin for at least two years afterwards.

While business doesn’t bring me joy, I do find delight in trying things like this. Anything the big guys can do, I can also do. Next year, I’ll be offering some things that the big guys refuse to do. In the meantime, I have to get back to making words.

November’s Noughtwithstanding Sausage

This post went to Patronizers at the beginning of November, and the public in December. A buck a month gets you early access and more.

These posts need titles, so I go for alliteration. Alliteration gives me an excuse to grab my primordial Oxford English Dictionary. I’ve mentioned this before, but I don’t think folks quite appreciate what a font of wordage it is.


It’s ninety years old and smells like knowledge.

Anyway, it’s been quite a month. The Apocalypse Moi Kickstarter is now completely fulfilled. Just as I was writing this sentence, though, the doorbell rang. UPS dropped off two packages, and—yep. It’s two copies of the book, dropshipped from the printer. They were supposed to go to backers. Instead, they went to me. Did I screw up entering the address? Possible. Did the printer screw up? Very possible. Did the printer’s obtuse web-based ordering system refresh inconveniently and overwrite my meticulously hand-entered shipping address with the default address? Screechingly possible. Each has a shipping slip with an order number, so I get to go through the orders and figure out who got shorted.

Or maybe the printer got carried away and shipped me extra books. That happens, too.

If it wasn’t for the lack of conference calls, I’d call this the worst business ever. But then I’d remember working in the auto industry and realize it’s not nearly that bad.

Anyway. That Kickstarter’s over except for the lingering cruft.

I’m to the bit of Run Your Own Mail Server where I get to talk about filtering and greylisting and SPF and all those fun topics. That’s not a huge topic, but it might take me a little longer than I’d like to get through. Which is the story of this book. October was a crunch month for my family. The crunch ends next Monday and I’ll be free to spew words. I’m learning things about email that I didn’t want to know, and details about workarounds that I didn’t want to know. Here’s yesterday.

Postfix’s postscreen(8) performs sanity checks on incoming email connections. Spambots behave badly, taking full advantage of Jon Postel’s original Robustness Principle. Postscreen identifies those bad actors and prevents them from talking to the SMTP server. Seems fine, right?

Postscreen has optional checks that are intrusive. It does most of the SMTP transaction and, if the client behaves well throughout, adds the client’s address to a temporary allowlist. The problem is, it can’t forward that connection to the mail handler. Instead, it gives the client a 400 error to say “I’m sorry, I can’t finish this right now, please come back later.” That’s a normal part of the email protocol. When the client returns, postscreen sees the address on the allowlist and steers it straight to the SMTP server. Simple enough.

Some of you might recognize that as greylisting. Greylisting is a controversial topic that I’m not gonna get into right now, but it is what it is. How does one get email delivered immediately, while still performing sanity checks? In theory, when a mail client can’t deliver to the primary mail server, it should immediately try the backup. Small sites don’t need a backup mail server.

But you can make a faux backup server.

Add a second IP address to your mail server. List it as the backup MX.

The client goes to the primary MX, passes the intrusive tests, and gets the 400 error. It immediately goes to the second MX. That’s the same host, so it has the same temporary allowlist. The mail is immediately accepted. You need to set up the backup MX address so that SMTP connections that arrive there cannot be added to the allowlist, but that’s included in Postfix.
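The faux backup MX described above as a Postfix main.cf fragment. This is an added, constructed example, not configuration from the book or from the author's test host: the addresses (documentation range 203.0.113.0/24) and hostnames are assumptions, and the DNS lines are shown only as comments.

```ini
# Assumed DNS: both MX hostnames resolve to addresses on the SAME host.
#   example.com.      IN MX 10 mx.example.com.
#   example.com.      IN MX 20 mx2.example.com.
#   mx.example.com.   IN A  203.0.113.25
#   mx2.example.com.  IN A  203.0.113.26

# The intrusive (after-greeting) postscreen tests. A client that passes them is
# told to come back later with a 4xx and its address goes into the temporary
# allowlist cache.
postscreen_pipelining_enable = yes
postscreen_non_smtp_command_enable = yes
postscreen_bare_newline_enable = yes

# Only connections arriving on the primary MX address may earn a place in the
# temporary allowlist. The backup address is excluded, so a client that skips
# the primary and talks straight to the backup cannot get itself allowlisted.
# (IPv6 addresses go in [brackets]; before Postfix 3.6 this parameter was
# called postscreen_whitelist_interfaces.)
postscreen_allowlist_interfaces = !203.0.113.26 static:all

# Documented default. One cache serves both addresses because they are on the
# same host, which is what lets the immediate retry to the backup MX succeed.
postscreen_cache_map = btree:$data_directory/postscreen_cache

# Not a supported interface, but to glance at the cache you must name its
# format on the command line:
#   postmap -s btree:$(postconf -h data_directory)/postscreen_cache
```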

So I go and set this up. I dig through Vultr’s web interface until I find how to get a second IP address and how to add it to a host. I add a second IPv6 address to that test host. Reboot everything, make sure all the connectivity works. Set up Postfix as a faux backup MX, adjust the DNS records. None of this is advanced work, but it’s tedious and annoying and typo-prone. But at last everything looks correct, so I go to my other test host and send an email.

The test host tries the IPv4 address, and gets a 400. Good.

The test host tries the IPv6 address. 400. Good.

And then… it stops.

Postfix doesn’t try the backup MX. Why not?

I go to my old mail server, the one that’s running Sendmail. It gets a 400, immediately tries the backup MX, and sails through. Exactly the way it should. I’ll be trying with gmail today, see what they do. While gmail retries delay-queued mail from different IP addresses, I have no idea if the immediate retries change addresses. It’s an interesting test.

But I worked in IT for decades. I know perfectly well that if someone deployed this in the real world and something went wrong with an incoming message, a manager would ask “Are they on the list?” Because that’s what they ask. That meant I had to figure out how to interrogate the allowlist cache. This is not a public Postfix interface, and Postfix’s developer never intended that people should poke at it. I have no problem telling people “this isn’t meant for you, and it might change in the future, and you shouldn’t rely on any of the other data it reveals, but here’s how you glimpse at it.” But that still leaves me figuring out how to grovel through the stupid cache. Turns out you have to specify the cache format on the command line, a hint which appears nowhere in the documentation because you’re not supposed to go poking at the cache.

Anyway.

That’s a day. Forty words written, and I still don’t know why Postfix didn’t immediately try the backup MX.

The fiction crashed to a halt this month, because of aforementioned family crunch. That’ll restart next month. I owe the world an orc baseball story. I’ve figured out how to make that a short story, finally. One of the rules to making a story short is to limit the number of characters, but a baseball team has nine players, so I’d just like to say oops this was a terrible idea.

Ah well. Live and learn. Learn something that will do you absolutely no good in the future, because part of you already knew it.

I’ve taken sponsorships on the mail book, but I’m pondering doing a Kickstarter for it anyway. Sponsors and Patronizers will get theirs, of course, but there’s a broad pool of folks who want a thing to be ready to produce before they buy it. I’m also pondering stretch goals like “for $25k, I will put the book contents on a public web site.” I’d still have the book in stores, of course. But the ebook won’t be available on Kindle. Heck, the way this book is going the ebook might be $19.99. It’s gonna be freaking huge. Anyway, that Kickstarter and such stretch goals is just idle fancy. Some authors have good results with making their books public. For others, it destroys sales.

Which am I?

Only one way to find out, and the test costs only a year’s work.

That’s it for this month. Thanks for Patronizing me. Onward!

23: Bayesian Statistics and Fuzzy Hashes

I would love to finish this book before 2024. It’s not going to happen, but I would love to do it.

Redis is a database, but not in the way PostgreSQL or MySQL or sqlite or hash files or CSV files or Oracle are. While traditional databases prioritize getting data safely ensconced on the disk, Redis treats RAM as its primary data store. Redis has options for safely stashing data on the disk, including options that approach the reliability of traditional databases, but its primary aim is speed. Redis is a key-value store, not an SQL engine; you might think of it as a super-fast network-aware hash file. Almost every operating system has a suitable Redis package.

Rspamd uses Redis for long-term storage of Bayesian statistics and fuzzy hashes, as well as ephemera. It’s best to have a separate Redis instance for each function so that they can be managed appropriately.

You can sponsor this book at my web store. Thank you!

Penguicon Auction, or: How To Make Me Shut Up

I’ve been a fan of Penguicon since they invited me as a GoH back in 2013. Some of the con staff even troll me.

Like many cons, Penguicon is struggling to reboot post-lockdown. They will make enough on registration to cover expenses, but that money arrives late and they need some cash up front. They’re holding a fundraising auction.

Some of the items are magnificent. Want to be a Guest of Honor, or make someone else a GoH? Personally I think we should draft Bob Beck and make him explain TLS. You can make the conchair give a presentation of a topic of your choosing, whether she knows anything about the topic or not. You can get homemade cookies, books, art, etsy gift cards, and more.

I donated something.

Remember the Prohibition Orcs kickstarter, and the exclusive orc-leather-cased omnibuses? With the authentic Spanish-American war and the romantic (for orcish values of romance) tattoos? I had four extras made, to resolve shipping problems. I know some of you missed the Kickstarter and the omnibus, because you told me. At length.
An orc-leather omnibus is in the auction. Bidding is at $55 as I write this, so you better act fast.

I normally give several presentations at Penguicon. And readings. And participate in panels. And hang around the bookstore. Penguicon 2023 featured ten hours of Lucas.

The 2024 con?

To my surprise, con chair Bagel (yes, that’s her name, Bagel) listed this item. For every $250 you donate, you get to pre-reject one of my events. You can leave me drifting aimless and blank-faced in the lobby, without purpose.

But seriously, Penguicon treats its Guests of Honor more luxuriously than any event I have ever attended. You should totally bid on that.

Or, con chair Bagel hand-knits to order adorable little glow-in-the-dark ghosts. You can get one for $10. You can also get 100 for $1,000. Bagel deserves no less.


Anyway, check out the auction. Help a bunch of geeks in a good cause.

22: Sugarplum is a Lying Bastard

Ah, US Thanksgiving. The start of the You Will Love Christmas Forced Death March. If you own the proper sunglasses you can see that all the billboards are actually white, with messages in big black letters like BE JOLLY and CELEBRATE. Don’t wear the glasses too long, you’ll get a headache.

Today’s snippet is from “Heart of Coal,” a Christmas tale that will be on my short fiction bookstore next month.

They sent me to Wrapping, where I proved that I had failed art honestly. Bakery? Airborne flour makes me sneeze. The second time you snot a hundred-pound batch of sugar cookie dough, the head pastry chef gives you the boot. A kind boot, with love and support and a sincere hope for your magnificent future, plus an amazing thick-frosted cinnamon roll, but: the boot.

Logistics, Mechanical, Housekeeping. Fail fail fail. Everywhere I went I tried to fit in, to contribute, but—look, I was the only one in the whole damned place who knew how to swear.

As far as the reindeer groom gig went, I did not throw that first turd. Sugarplum is a lying bastard.

My parents didn’t name me Sack thinking I’d get fired from every role in the Workshop. But it was convenient.

I have another new Christmas short tale at tiltedwindmillpress.com right now, and a story in WMG’s Holiday Spectacular that you can still subscribe to (a story every day, Thanksgiving to New Year’s).

It’s a great year for MWL Christmas tales. Which is a good thing, if orders to LOVE CANNED CRANBERRY SAUCE are not your thing.

Penguicon fundraiser, featuring Orc-Cased Orcs

Did you miss the Prohibition Orcs Kickstarter, specifically the orc-leather-cased exclusive omnibuses? I know many of you did. You told me about it. Bitterly and at length.

Orc leather? If you didn’t know — when an orc dies, their final gift to their clan is their remains. The clan uses every scrap, including the hide.

Penguicon, like all cons, is struggling to resurrect itself after the pandemic. That means money. They’re holding an auction to raise seed money. While their registration fees will cover the con expenses, that money arrives late. Hotel deposits must be paid early.

One of the items they’re auctioning off is that orc-leather-cased omnibus, complete with orcish tattoos.


I have a handful of these, which I ordered to cover shipping losses. They will appear on the market in charity auctions. Not before 2025, however. Probably not before 2026, when I (vaguely expect to) release the next Prohibition Orcs collection. That handful will be doled out over the rest of my misbegotten misspent life, wherever I think they can have the most impact.

The Orc-cased Orc Book is already listed, and other items are being added daily. The auction begins 28 November at 12 AM, and runs until 11:45 PM on 1 December. The con chair has donated handicrafts, there are cookies, there are Etsy gift cards, books, all sorts of stuff.

Register early.

Bid orcishly.