Here's what I want to do. I have an Ubuntu box (Edgy-Eft) at home, and I want to
be able to send out email, and I want to use gmail as my relayhost. There are several sites
online that explain bits of how to do this, and Mike
Chirico's is particularly good. I used his tutorial as a starting point,
but I noticed I had to do a few things differently to get it working on my own
system, so I'm documenting the differences.
Differences
Disclaimer: the main difference in my setup is that I am using the Ubuntu
packages, whereas Chirico's tutorial has you compile the packages yourself.
There's nothing wrong with doing that; in fact, it's probably good for your
soul, but I'd prefer to make use of the Ubuntu package manager as much as
possible. Further, I'm not interested in using fetchmail, so I've done nothing
with that.
Installing Postfix
The first thing I did was install postfix.
# apt-get install postfix
I told the configuration script that I was installing for an internet site.
Happily, Debian/Ubuntu's postfix comes with TLS and SASL compiled in.
Generate Your Certificates
In order to connect to gmail, you need a certificate.
Here's what happened when I generated my certificate.
# /usr/lib/ssl/misc/CA.pl -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 1024 bit RSA private key
.....................++++++
.........................++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Illinois
Locality Name (eg, city) []:Chicago
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Prancing Tarantula
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:Mattox Beckman
Email Address []:mattoxbeckman@gmail.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
d5:0c:4b:bb:48:17:c3:b0
Validity
Not Before: Jan 4 22:42:34 2007 GMT
Not After : Jan 3 22:42:34 2010 GMT
Subject:
countryName = US
stateOrProvinceName = Illinois
organizationName = Prancing Tarantula
commonName = Mattox Beckman
emailAddress = mattoxbeckman@gmail.com
X509v3 extensions:
X509v3 Subject Key Identifier:
33:0A:41:44:07:7D:0F:4C:10:B8:8C:4A:89:8C:CC:0E:18:EF:CA:92
X509v3 Authority Key Identifier:
keyid:33:0A:41:44:07:7D:0F:4C:10:B8:8C:4A:89:8C:CC:0E:18:EF:CA:92
DirName:/C=US/ST=Illinois/O=Prancing Tarantula/CN=Mattox Beckman/emailAddress=mattoxbeckman@gmail.com
serial:D5:0C:4B:BB:48:17:C3:B0
X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Jan 3 22:42:34 2010 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
Now generate a private key...
# openssl req -new -nodes -subj '/CN=prancingtarantula.net/O=Prancing Tarantula/C=US/ST=Illinois/L=Chicago/emailAddress=mattoxbeckman@gmail.com' -keyout FOO-key.pem -out FOO-req.pem -days 3650
Generating a 1024 bit RSA private key
.........................................++++++
....++++++
writing new private key to 'FOO-key.pem'
-----
And sign it...
# openssl ca -out FOO-cert.pem -infiles FOO-req.pem
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
d5:0c:4b:bb:48:17:c3:b1
Validity
Not Before: Jan 4 22:48:47 2007 GMT
Not After : Jan 4 22:48:47 2008 GMT
Subject:
countryName = US
stateOrProvinceName = Illinois
organizationName = Prancing Tarantula
commonName = prancingtarantula.net
emailAddress = mattoxbeckman@gmail.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
16:B2:33:D3:E7:E9:4D:2B:76:71:5D:D7:EC:AF:47:22:FA:38:AB:54
X509v3 Authority Key Identifier:
keyid:33:0A:41:44:07:7D:0F:4C:10:B8:8C:4A:89:8C:CC:0E:18:EF:CA:92
Certificate is to be certified until Jan 4 22:48:47 2008 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Now I copied them to the /etc/postfix directory.
# cp demoCA/cacert.pem FOO-key.pem FOO-cert.pem /etc/postfix
# chmod 644 /etc/postfix/FOO-cert.pem /etc/postfix/cacert.pem
# chmod 400 /etc/postfix/FOO-key.pem
One difference from the tutorial: when running postfix, you may get warnings
like this one:
Jan 4 17:21:59 calvin postfix/smtp[28881]: setting up TLS connection to smtp.gmail.com
Jan 4 17:21:59 calvin postfix/smtp[28881]: certificate verification failed for smtp.gmail.com: num=20:unable to get local issuer certificate
Jan 4 17:21:59 calvin postfix/smtp[28881]: SSL_connect error to smtp.gmail.com: -1
I've copied them in so people searching for them will find this. These
warnings appear because postfix doesn't know where to find the Thawte CA
certificate that signed gmail's server certificate. Ubuntu includes it in its
ssl package. You need to append it to the cacert.pem file you generated
earlier.
cat /etc/ssl/certs/Thawte_Premium_Server_CA.pem >> cacert.pem
Transport
To cause the mail to be routed, you need a transport file. Here's mine:
# Contents of /etc/postfix/transport
#
# This sends mail to Gmail
* smtp:[smtp.gmail.com]:587
Different from the tutorial is the specification of port 587. If you leave
that off, postfix will attempt to connect to port 25, which is blocked by many
ISPs now. If you get a timeout error in your log file, that's what's
happening. The Gmail help pages say you should be able to use port 465 also,
but that times out for me as well. You'll have to add another line if you expect
to receive mail at your machine.
SASL
You now need to set the SASL passwords. My file looks like this one:
# Contents of sasl_passwd
#
[smtp.gmail.com]:587 mattoxbeckman@gmail.com:password
Of course, replace password and the email address with something appropriate
for your system.
Again, note the 587... if you leave that off, you will get very confusing log
messages like this one:
Jan 4 18:20:30 calvin postfix/smtp[31770]: 49D438A6F: to=, orig_to=, relay=smtp.gmail.com[64.233.163.109]:587, delay=7661, delays=7660/0.1/0.19/0.03, dsn=5.5.1, status=bounced (host smtp.gmail.com[64.233.163.109] said: 530 5.5.1 Authentication Required 16sm56842404nzo (in reply to MAIL FROM command))
This will be very frustrating because you will see the passwords are there,
but they just aren't being used.
Be sure to hash the files:
# postmap sasl_passwd
# postmap transport
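As an added example (not from the original post or from Chirico's tutorial), here is a small POSIX shell script that cross-checks a transport file against sasl_passwd the way the Transport and SASL sections above require: the nexthop written in transport, port included, must appear verbatim as the key in sasl_passwd. It takes file paths as arguments and constructs its own sample files with placeholder credentials, so it never touches /etc/postfix.

```shell
#!/bin/sh
# Added example, not from the original post: cross-check a Postfix transport
# map against sasl_passwd before running postmap. Postfix looks up SASL
# credentials by the exact nexthop string it routes to, so "[smtp.gmail.com]:587"
# in transport must appear verbatim as a key in sasl_passwd; a bare
# "[smtp.gmail.com]" key does not match and produces the
# "530 5.5.1 Authentication Required" bounce. File paths are arguments.
set -f   # nexthops contain [...], which would otherwise be treated as globs

# Print the nexthop of every "smtp:[host]:port" transport entry, comments skipped.
transport_nexthops() {
    sed -e 's/#.*//' "$1" | awk 'NF >= 2 { sub(/^smtp:/, "", $2); print $2 }'
}

# Return 0 if every transport nexthop has a matching sasl_passwd key,
# otherwise report each missing key on stderr and return 1.
check_sasl_keys() {
    rc=0
    for hop in $(transport_nexthops "$1"); do
        if ! sed -e 's/#.*//' "$2" | awk -v k="$hop" '$1 == k { found = 1 } END { exit !found }'; then
            echo "no sasl_passwd entry for nexthop $hop (would bounce with 530 5.5.1)" >&2
            rc=1
        fi
    done
    return $rc
}

# Return 0 if every nexthop names a port explicitly; without one Postfix uses
# port 25, which many ISPs block (the timeout symptom described above).
check_ports() {
    for hop in $(transport_nexthops "$1"); do
        case $hop in
            *\]:[0-9]*) ;;
            *) echo "nexthop $hop has no explicit port" >&2; return 1 ;;
        esac
    done
    return 0
}

# Constructed sample files mirroring the post's configuration (placeholder credentials).
tmp=$(mktemp -d)
printf '# This sends mail to Gmail\n* smtp:[smtp.gmail.com]:587\n' > "$tmp/transport"
printf '[smtp.gmail.com]:587 user@example.com:PLACEHOLDER_PASSWORD\n' > "$tmp/sasl_passwd"
printf '[smtp.gmail.com] user@example.com:PLACEHOLDER_PASSWORD\n' > "$tmp/sasl_passwd.noport"

check_sasl_keys "$tmp/transport" "$tmp/sasl_passwd" && echo "sasl_passwd keys match transport"
check_sasl_keys "$tmp/transport" "$tmp/sasl_passwd.noport" || echo "mismatch found, as expected"
```

Run it against copies of your real files (`check_sasl_keys /etc/postfix/transport /etc/postfix/sasl_passwd`) before the postmap step; a reported mismatch is exactly the condition that yields the confusing bounce shown above.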
Wrapup
The lines in tls_per_site, main.cf and master.cf are like the tutorial. Just
paste them into your own versions, and you should be good to go.