Snarks, laptops, and drunken mail server administration

Yes, it's a packed schedule here at HA Towers...

First up, two of my favourite snarks from random internet reading yesterday. To my friends at Canonical - I'm awarding points for funniness of snark, here, not legitimacy of complaint :) Steve Hogarty on Mint versus Ubuntu:

"Mint looks a lot more like Windows than the waywardly designed Ubuntu (which, like a petulant teenager, slings its taskbar to the side of the screen, where it's at its most useless). It has a start menu that doesn't advertise trousers to you"

And changing topics somewhat, Hilary Mantel on the (British) royal family:

"I used to think that the interesting issue was whether we should have a monarchy or not. But now I think that question is rather like, should we have pandas or not? Our current royal family doesn’t have the difficulties in breeding that pandas do, but pandas and royal persons alike are expensive to conserve and ill-adapted to any modern environment."

If the utterly bone-headed debate occurring in certain sections of the press in certain countries as to whether it's 'insulting' to the Duchess of Cambridge or not is the only place you've so far come across Mantel's article, please ignore the boneheads and just read the article itself, as it's brilliant (and not about that at all).

Forthwith, onto laptops - yesterday was a very sad day here at HA Towers. I did my periodic check of Sony's laptop store and found the Vaio Z is gone, deceased, no more.

I have a 2010 model Vaio Z, and it is easily the best laptop I've ever owned. I would argue that it's quite possibly the best laptop ever manufactured. It packed a high-end Core i5 dual-core CPU, 4GB of RAM (expandable), hybrid NVIDIA/Intel graphics, 128GB of SSD storage, a 13.1" 1600x900 or 1920x1080 display, b/g/n WLAN, Bluetooth, optionally even WCDMA, VGA out, HDMI out, three USB ports, a battery life comfortably north of four hours, and a DVD writer into a package that's about 12.5x8" square and a little over an inch thick and weighs 3.07lb - in March 2010! It was light years beyond what anyone else was even attempting to do in a 13" form factor at the time.

Sadly, the storage in my Z seems to be on its last legs. I can't get SMART to be convinced that the drives are dying, but every few days, I get some sort of catastrophic kernel fail related to storage in some way - bunch of ATA errors, everything remounted R/O, nothing actually readable, have to reboot and run fsck. I'm rather amazed that it has trucked along in this state for several months now, but it's clearly not going to last forever. So I have been dilly-dallying over what to do about a replacement.

Sony revised the Z design in 2011 to be thinner (ultrabook thin) and lighter (around 2.5lb) while dropping the internal NVIDIA GPU and the optical drive. They invented a kooky thing called a Power Media Dock which had a PCI-E graphics card in it, the idea being that you could play games while you were at home and had it docked, but saved the power and heat on the road. In 2012 they bumped the specs a bit and made the Power Media Dock optional. And then at the end of 2012 they announced they weren't making any more, and now I can't buy one any more.

I was slightly reluctant to pull the trigger on the 2011/2012 Z because the thinner form factor apparently meant the exterior got hotter, and it definitely made the keyboard worse (less travel). The width/height dimensions were also greater on the newer model (bigger screen bezel). I care rather more about width/height than I do about thickness. And my 2010 Z was just so damn good, it never made me want to replace it. A 2012 Z was still the best option around for a new 13" laptop by a long way, though, for most of 2011/2012. If my current Z irretrievably died tomorrow, a 2012 Z is still what I'd really want, I think.

But, still, now I don't seem to be able to buy one. And my 2010 Z is definitely dying. And other manufacturers have finally gotten around to building some somewhat more compelling possible alternatives. So let's compare my three year old laptop to some contemporary alternatives, shall we?

The Macbook Pro 13" was just embarrassed by the Z up until recently; it was really a pretty pathetic comparison. It was slower, bigger, heavier, and less well featured (the screen on the MBP 13" was horribly low-res for a long time). Then Apple finally pulled their finger out and made the Macbook Pro Retina 13", which is a horse of a somewhat different color. It has decent CPU options - it out-performs the 2010 Z (where the pre-Retina MBPs never clearly did) - 8GB RAM stock, and 128GB SSD stock. It has that killer display, and it's decently priced at around $1600 (that's a good price in this bracket; the Zs used to run $2000 at release, up till the 2012, which was about $1600). The negatives: it's a Mac, which means dealing with Apple's pretty awful UEFI implementation. No optical drive - not a deal breaker these days, but it's useful occasionally in validation testing. Only Intel graphics. Weighs 3.5lb, still heavier than the 2010 Z, never mind 2012. If I'm being really picky, the screen's glossy (Zs were always matte, which I love the crap out of). Still, it's a pretty solid contender.

Dell has just updated their Ubuntu developer edition laptop to include a 1920x1080 screen, which was my big beef with it before. It's priced around $1600 too. The CPU's an Intel Core i7-3687U - which, entertainingly, appears to be ranked very close to the top CPU you could get the 2010 Z with (an i7 620M; I have an i5), it seems to come with a 256GB SSD which is rather nice, and it weighs 3lb. Even its size is rather similar to the 2010 Z at 12.4" by 8.1". It seems very much like an almost drop-in replacement for the old Z, just lacking the optical drive and matte screen. Also a solid choice, and one I may well go with - always good to buy with Linux.

Of course, many F/OSSers (particularly Red Hatters) swear by their Thinkpads. I could never live with the terribly low-res screens (even worse than Apple's). The best Lenovo's managed to come up with now is the Thinkpad X1 Carbon, a 'new-style' Thinkpad (with the chiclet keys) with a 14" 1600x900 screen. Eh. It's $1500 with 8GB RAM and 128GB SSD and a mid-range i5 CPU, weighs 3lb. It's okay, but I'd take either the Apple or Dell over it.

Asus make the kinda-interesting UX31 and UX32 models which are sort of knock-off Macbook Airs - they're somewhat cheaper than the others, and have okayish specs (i5/i7 CPUs, 1600x900 displays, 128GB SSD). They're not bad, but I'd pay the extra for the build quality and better displays from the others.

And now the joker in the pack, Google, has come out with the rather bizarre Chromebook Pixel. The good (great) thing: 2560x1700 display. Yespleasethankyouverymuch. That one-ups the Retina MBP by a little bit. The bad things: the i5 CPU is only okayish, it weighs 3.4lb (better than the Retina, but not as good as the others), and - most ridiculously - a 32GB SSD.

Look, Google, I know it's a 'cloud device', but come the crap on. It's for developers. We run VMs once in a while, you know? We download giant source trees. I could just about live with 64GB, but 32GB? Please. Not going to work. There will be a 64GB model, but it's also the LTE model - which often means you won't be able to get it in Canada - and costs more. If they make a 64GB model available in Canada it might be a possible contender.

So here we are, three years on from my Vaio Z, and the biggest hitters in the laptop world - Apple, Lenovo, Dell - have just recently managed to come up with models which modestly improve upon what Sony gave me back then (and only arguably improve on what Sony did in 2011 and 2012; no-one else is at 2.5lb, still). Sony has done a lot of things wrong over the years, but they are still capable of some incredible feats of engineering when they put their minds to it. I've owned several amazing Sony systems - my old C1XD, the Vaio P, and the Z - and I do hope I'll be smitten with another of their designs in the future. (In case anyone wonders - the Duo is interesting, but just seems to fall between a few stools for me; the 11" form factor just somehow doesn't compel me).

If anyone's made it down this far, on to drunken mail server administration. 'Drunken' is of course the only state in which one should ever attempt mail server administration...

I'm still gamely plugging along with running my own mail here at HA Towers, and it really is pretty fascinating. It's a whole bunch of probably-unnecessary work, but seeing inside the sausage factory is just awesome. I read a story today about Twitter implementing something called DMARC, and so I've been poking at that all evening.

Yes, it's yet another anti-spoofing invention, but I really rather like it. It's not yet another alternative to Sender-ID and SPF and DKIM, but something that works with SPF and DKIM and provides a couple of things I really like: it lets sender domains tell receiver domains what they think the receiver domains should do with messages that fail SPF and DKIM checks, and specifies a way for receiver domains to let sender domains know what they've done (and why) when mails fail checks.

See, SPF and DKIM are both rather neat ways that domains which send out mail can attempt to prove that legitimate mails are legitimate. SPF lets you say 'mails that appear to come from mydomain.com should always be relayed by mail.mydomain.com', or something like that. DKIM lets you publish a public key which receivers use to verify the signature on all mails that originate from your domain (and, of course, you have to actually sign mails, with the matching private key, when you relay them). They're both designed reasonably sensibly and aren't terribly hard to implement: I have both SPF and DKIM set up for this domain, so if you ever get mails from it, they should pass both SPF and DKIM checks. But what's missing are exactly the two things above.

You can test a mail from happyassassin.net and see if it passes SPF and DKIM - if it's been relayed by the server(s) I specify in my SPF record, and if it's signed with the key I specify in my DKIM record. But there's no real specified way for you to be sure what you should do if a mail fails those checks somehow - it's entirely up to you to somehow figure out whether you should reject mails from any given domain that don't pass SPF/DKIM - and there's no way for you to let me, the mail admin of happyassassin.net, know what happened. If you throw my mail away, I'll never know about it.

So DMARC lets a sender domain specify an additional record, which basically says 'if mails from my domain fail SPF/DKIM checks, do THIS, and then tell me about it THIS way'. There are various ways to specify 'fail', and there are various actions (reject, quarantine, or just notify of the failure), and there are various notification formats (and the notification address is simply a URI). It's elegant and achieves a useful purpose. There's also something named OpenDMARC which helps you with the receiver domain stuff: it includes a sendmail milter you can use to Do The Right Thing (check the DMARC record, mark the mail appropriately for later filtering by procmail or whatever, and notify the sender domain of what you did, according to how the sender domain wants you to do that).

So after a couple of fortifying Steamworks Pale Ales, and a glass of port, I've started working on DMARC. I'll be both publishing a DMARC record for mail from happyassassin and filtering and notifying mail for happyassassin, I hope, but I can't do it yet. DMARC records are supposed to be published as TXT records for the _dmarc subdomain of your domain, and my registrar - noip - doesn't think _dmarc is a valid name for a subdomain. Whoops. So I've filed a ticket with them. Also, OpenDMARC is not in Fedora yet, but happily, I can do something about that - fellow mail masochist Steve Jenkins submitted a review last month, so I picked it up. I hope we'll have the package added soon.
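To make the record format and the receiver's decision concrete, here is an added example (not part of the original post, and not OpenDMARC's code): a small Python parser for the TXT record published at the _dmarc subdomain, plus the action a receiver would take. The record text, the example.org names and the function names are constructed for illustration; the SPF/DKIM results are passed in as booleans, and treating a missing p= tag as an error is a simplification.

```python
# Added example: parse a DMARC policy record and choose the receiver's action.
# The record text and example.org names below are constructed for illustration.

POLICIES = ("none", "quarantine", "reject")


def dmarc_query_name(from_domain):
    """Name of the TXT record that holds the policy for a From: domain."""
    return "_dmarc." + from_domain.strip(".").lower()


def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=...; rua=...' into a dict, or raise ValueError."""
    tags = {}
    for part in txt.split(";"):
        if not part.strip():
            continue  # tolerate a trailing ';'
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed tag: %r" % part.strip())
        tags.setdefault(name.strip().lower(), value.strip())
    # The version tag must come first, otherwise this is not a DMARC record.
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        raise ValueError("not a DMARC record")
    policy = tags.get("p", "").lower()
    if policy not in POLICIES:
        # Simplification: a real receiver has fallback rules for this case.
        raise ValueError("missing or unknown p= policy")
    pct = int(tags.get("pct", "100"))
    if not 0 <= pct <= 100:
        raise ValueError("pct out of range")
    # rua is a comma-separated list of report URIs (normally mailto:).
    rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    return {"policy": policy, "pct": pct, "rua": rua}


def receiver_action(record, spf_aligned_pass, dkim_aligned_pass):
    """DMARC passes if either check passes for the From: domain."""
    if spf_aligned_pass or dkim_aligned_pass:
        return "pass"
    return record["policy"]  # "none" = deliver, but still report


SAMPLE = "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc-reports@example.org;"

if __name__ == "__main__":
    rec = parse_dmarc(SAMPLE)
    print(dmarc_query_name("example.org"), rec)
    print(receiver_action(rec, spf_aligned_pass=False, dkim_aligned_pass=False))
```

A mail only takes the published policy when both checks fail; one passing check for the From: domain is enough for DMARC to pass.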

I just love this kind of stuff. It's pretty heavily inside baseball, but it gives me all kinds of warm fuzzies to see smart, creative engineers continuing to improve the systems that their smart, creative forebears built 30+ years ago. The originators of email probably never could have imagined its prevalence today, yet it still ultimately works the same way it always did. It's been extended elegantly, compatibly, unobtrusively and respectfully; and so we have a system that has been adapted for innumerable platforms and purposes over many decades. It might not be as sexy as founding a startup and trying to take over the world, but it's real engineering, damnit. I actually get angry when I read this week's story about The App That's Going To Kill Email. And I secretly dread one of them actually somehow succeeding, though I don't think they will. Yes, if you just want to write a note to someone, you can use Facebook. Or Twitter. Or Google+. But the differences between that and the beautiful, flexible, distributed, open, infinitely adaptable system that is email are real and important and should never be neglected.

Comments

Neil Darlow wrote on 2013-02-22 09:34:
Hi Adam, I'm not sure that you've interpreted the SPF and DKIM specifications fully. If you are definitive in your DNS SPF record and end it with -all then a receiving SPF implementation is permitted to delete any mail not relayed by the permitted relay hosts. For DKIM you can specify an _adsp policy DNS record which instructs receiving DKIM implementations what they should do with failing signatures (discard is an option). The use of +all in a SPF record renders the whole mechanism worthless but it's surprising how many lily-livered mail admins do it and if you're DKIM signing then you should publish an ADSP record also.
adamw wrote on 2013-02-23 01:57:
Hi Neil! You're quite right: in mitigation, I plead that I was simplifying heavily (you know, for my huge audience of generalists who nevertheless pay attention to massive rambling posts about mail administration). I actually intended to include a note to this effect, but cut it out because I thought it looked odd to say I was trying to keep things short in a 2000+ word post :) The DMARC folks argue - I think reasonably - that the policy stuff in SPF isn't very well followed and ADSP isn't widely adopted, and that notification is really important. So DMARC is designed to replace ADSP, and add the notification element. See http://www.dmarc.org/faq.html .
James Cape wrote on 2013-02-24 01:21:
Re: the Pixel (I expect mine to arrive on Monday), I suppose I'm biased because my introduction to Unix was via a SPARC workstation with a few remote-X terminals hanging off of it. The Chromebook is a thin client using HTML5 and JavaScript instead of XCB or RDP. It also has WiFi and/or 4G radios in it. Bitching about not being able to run virtual machines on a Chromebook feels like bitching that there isn't a LISP plugin for freerdp: it's a non-sequitur, because it's just a disconnected display, all your intensive work, storage, etc. happens elsewhere.
adamw wrote on 2013-02-24 01:43:
James: you can look at it that way, sure. But you can also look at it the way I do, as a laptop with a 13" screen and various features that place it in the same class as several other 13" class laptops. I could buy a Dell or an Apple and use it in exactly the same way, after all. Why should the Pixel be exempt from comparative competition just because of a very thin gloss of 'intended use'? I mean, the very specs of the Pixel are essentially an admission that sometimes you have to do stuff locally; otherwise why put a powerful CPU in it? If you want to get all fancy about it, the specs are a classic case of mixed messaging: the storage says 'you don't need performance locally, everything's remote' while the processor says 'you're gonna be doing stuff locally!'
James Cape wrote on 2013-02-24 02:21:
@adamw: Why would I buy the HP t5740 box when a Mac Mini has much better specs and isn't too much more expensive? Why doesn't my desktop have ECC RAM or SAS or a redundant power supply? Why does my server CPU lag a generation behind? Why does a rackmount cost twice as much as a desktop even though it's so much louder and bigger and doesn't include a free monitor and printer? After all, the "max capacity of 384G of RAM, 16 cores, no fixed video card, and 8 SAS bays" scream "super home rig", but the noise and expense say something different. Seriously, "perceived use case" does matter, the fact it looks like a laptop is irrelevant.
Máirín Duffy wrote on 2013-02-25 14:56:
Just for another perspective: Thinkpad is the only option for me and some fellow FLOSS designers as they have the best integrated drawing tablet support in laptops for Linux (so far anyway.) The Dell tablets aren't compatible and the HPs are hard to get working / hit & miss.
adamw wrote on 2013-02-26 06:43:
Hi Mo. Thanks for the note - luckily for the world's art critics, I don't have to draw anything on my laptops :) Did you see the Penny Arcade guy's post on the Surface Pro? Looked kinda interesting, even if it is, you know, Microsoft hardware... http://www.penny-arcade.com/2013/02/25/the-ms-surface-pro
adamw wrote on 2013-02-26 06:44:
James: I don't accept that those things are appropriate analogies. The Pixel is, basically, a laptop. I can buy any other laptop and use it like a Pixel...*and use it in other ways too*. I can't use a Mac Mini like a t5740. The Verge review seems to make much the same point...