Tech in a Galagzee, Not So Far Away.
Rants
Blowing off steam.
Adding graphics, comments to PDFs
Mar 5th
I needed to fill out a PDF document today, date it, and sign it. It took me a good hour to accomplish the task as while the latest incarnation of Acrobat has custom stamp feature, annotated text doesn’t print by default (I also wanted to avoid having to print out the document only to scan it back in). In fact, I found no way to print text annotations. Whether “Documents and Stamps” was selected in the Print properties or not, the text annotations would remain missing from the printout. It should not be this difficult to add a text box to a PDF document and then flatten it to be part of the document, and not an annotation per se.
After some more Googling later I happened on this page that outlines a simple way to add “flatten” options to the Acrobat document menu. The associated script to be placed in “Program Files/Adobe/Acrobat 9.0/Acrobat/Javascripts/” folder (the script works with older Acrobat versions, too, as the mentioned instructions are for Acrobat 7.0) is just two lines long:
| | | copy code | | ? |
| 1 | |
| 2 | app.addMenuItem({ cName: "Flatten page", cParent: "Document", cExec: "flattenPages(this.pageNum)",cEnable: 1, nPos: 16}); |
| 3 | app.addMenuItem({ cName: "Flatten document", cParent: "Document", cExec: "flattenPages()",cEnable: 1, nPos: 17}); |
| 4 |
With the above script installed, the task was a snap: I added my signature from a transparent PNG as a custom stamp, added the text annotations, and then flattened the document. Done! Now the annotations print out as they should (whether or not “Documents and Stamps” is selected in the Print properties as now the annotations are part of the ‘base’ document). I can’t imagine why Adobe doesn’t include “flatten” as a default feature!
Fusemail auto-suspends spam-suspect accounts!
May 3rd
My troubles with Fusemail were caused by automated outbound spam filtering system Fusemail utilizes! Fusemail filters all outbound email for spam and when their system thinks an email you’re sending is spam, it incredibly deactivates your account, automatically! According to their tech support (who finally returned my call 15 hours later) the block from a suspected spammer account is removed usually very quickly, and in case of my yesterday’s troubles the block removal, somehow, slipped through the cracks.
Once the account was reactivated, I tried re-sending the email that triggered the trouble, and sure enough, the account became blocked again! This time it was unblocked within minutes, but what’s concerning is that it’s just a standard business email with few paragraphs of text, a bulleted list, and few domain names mentioned. I also sent it to an internal distribution list that I had defined in Fusemail. No external recipients.
So, basically, it seems I’m not allowed to send this email because the email is rejected before it’s sent, and then my account becomes blocked until they unblock it. What an incredibly, incredibly stupid way of operating an email gateway service!! Because any outbound message that you send can be considered spam and thus lead to the automated account suspension—and if you run a spam filter you know that ‘good’ emails get trapped in the spam filter now and then while an occasional spam mail gets through—Fusemail can in a business setting be only considered a mail RECEIVING service. Imagine sending a completely innocuous email in the middle of a busy day, and your account becomes suspended if their automated filtering system deems your email spam! Perhaps they’ll unblock it in a few minutes, but how many inbound messages bounce during that time? Or, like in my case, you send an email on Saturday evening and your account is suspended until the next morning — both for sending and receiving.
It is reasonable for a mail service provider to monitor outbound mail for spam to prevent abuse of their systems. But rather than having an automated system block accounts on its own, it should absolutely work in reverse where potential spammer accounts would be flagged for suspension, and then a technician would assess whether the user was indeed sending spam. My guess is that false positives occur way more often than actual spammers being shut down; and besides, it’s much less of a problem if a spammer get few messages out before being shut down than legitimate users being shut down on suspicion. Otherwise, like in the case of my email that triggered the trouble, I can never send the message without reformatting it (or, perhaps, sending it individually to all intended recipients). For all I care I should be able to send GTUBE message through the system without it getting blocked. I’m not sending spam.
Fusemail is still a reasonably good solution for receiving mail; it has integrated spam-filter even with an optional sender confirmation, and there is [supposedly] reasonable amount of redundancy so mail reception for multiple accounts is more stable than, say, running an internal singular mail server.
But for outbound email I will be setting up an internal SMTP server. I can’t risk an outbound email disabling mail reception for an unknown period of time. If you’re considering Fusemail, then consider running Postfix on *NIX, or perhaps some simple Windows SMTP server like Corporate SMTP Server locally for outbound mail.
Fusemail, this sucks! Fix it!
Fusemail, strike one
May 3rd
Over last several weeks I’ve gradually externalized both my own and my employer’s mail systems from internal servers to an outsourced service. My own mail has been running for years on qmail on FreeBSD. It’s worked well, but the age of my own server has become a growing concern, and in general in event of a system failure mail would not flow – that’s not good, and nobody’s going to fix it if I’m out of town. So paying couple of bucks per month per mailbox is—at least in theory—worth it to not have to stress over mail system (even though I’ve found Postfix/Dovecot really interesting and actually quite pleasant to configure.. I was going to move the qmail system to Postfix before I started thinking about outsourcing the whole thing to save time).
Meanwhile, my employer’s email has been running on Exchange for several years, starting preceding my time with the company. It has been a grief, though I’m sure it’s partially due to the fact that the the mail server is also the domain controller of a small office LAN. But why should it be? Qmail or Postfix run quite well on a Linux/*BSD server with Apache, MySQL, BIND. So I’ve been looking forward getting rid of Exchange, and migrating to Postfix/Dovecot system until, again, I started thinking that perhaps it’s not worth the stress to run an internal mail server. I’m the only person tending to it and, say, if I’m on a vacation and the mail goes down, it would not be good.
Once I started considering outsourcing email an option, I started evaluating various services. Fusemail and Mailtrust quickly bubbled to the top. Fusemail has more features, and the deciding factors (in Fusemail’s favor) were the ability to adjust the spam filtering (Mailtrust only has “on” or “off” options which is a bit scary — if the filtering is too stringent or too lenient, there’d be nothing that could be done about it.. Mailtrust’s rep suggested that I might want to look into an external spam filtering solution if I wanted more control.. but no thanks; I had been running Katharion for mail filtering for several months which worked ok, but if I was going to outsource the mail, I wanted an integrated solution), and the ability to increase a mailbox allocation for an individual user by purchasing more user accounts and allocating their mailbox allowance to the existing users. Mailtrust is fixed to 10Gb.
On the web there is about 50/50 comments for and against the quality of support for both Fusemail and Mailtrust, so from the comments alone it was impossible to deduce which service would have better support. Pre-sales support was slightly better on Fusemail side, and the few quirks ran across during setup have been addressed satisfactorily.
Strike One
Tonight (Saturday evening) around 18:00 my user account under my employer’s master account suddenly disappeared. I access mail from Outlook via IMAP, and suddenly Outlook prompted for the account password. So I logged in to Fusemail admin account and clicked on my user name. [Paraphrasing] “Cannot edit terminated user account”. What?! To terminate a user account in Fusemail you have to check the checkbox next to the user name, click “Terminate”, check another checkbox (“yes, I’m sure I want to do that”), and then click on “Yes”. Only then does a user account get removed, or scheduled for deletion as it takes many, many hours for the username actually be purged from the system so that it can be taken into use again. I most certainly did not execute those steps. I’m the only one with access to that admin account, and the password is sufficiently complex so that it’s very unlikely the account would’ve been compromised. This leaves system error as the most likely cause. I called the emergency support around 18:30 and left a message (they claim to have someone on call), then again again around 20:00, and also opened an “Urgent” support ticket through their support system at 22:40. It’s now over six hours since my first “emergency” support request, so I can only assume the on-call person has gone to party (or that they don’t have an on-call tech in the first place). The emergency support number instructs the caller that “while the support technician is not immediately available, it does not mean that support would not be available immediately”. It’s looking like they were wrong.
I didn’t lose a tremendous amount of email (and perhaps Fusemail can restore it), but during this downtime emails to my account which has multiple “admin” aliases are being rejected. If I was running my own mail server I could obviously have fixed a problem already, but an outsourced solution is supposed to *reduce* system management stress.
Longevity of this outsourcing attempt depends largely on how Fusemail will deal with this situation. Having to reconfigure my user account and its associated aliases would be annoying, but more than restore I want to know what caused the problem, can they be sure to prevent it from recurring, and what’s the deal with the non-existent emergency support.
If the deleted account would’ve been that of the CEO of my employer, or my personal primary account (which I have also outsourced to Fusemail in a separate account), this first strike would’ve likely been also the last for Fusemail.
–
Couple of considerations for those who’re comparing, say, Fusemail and Mailtrust, or considering mail outsourcing in the first place:
- Forward/distribution management is currently better implemented in Mailtrust. It’s workable in Fusemail, but it’s more straightforward in Mailtrust. If this is an important feature to you, pay attention when you’re comparing the services.
- Secure connections (SMTP, IMAP, POP) work better with Mailtrust than with Fusemail. Fusemail is supposedly looking into this. Not a huge issue for me since the SMTP traffic is generally not encrypted anyway, so encrypting the last leg (from the service to the client) isn’t very significant.
- Fusemail’s IMAP is not blazingly fast even when accessed from a fast net connection. Same goes occasionally for their web client. They are, however, generally within acceptable limits.
- A general comment if you’re using SPF: when you use a service provider’s SMTP servers you can’t positively lock down who’s authorized to send mail for your domain. If someone who’s hosting their mail at Fusemail decides to send spam spoofing one of my domains, they’ll appear as authorized for the recipient’s spam filter since I’ve authorized Fusemail’s SMTP servers in my domains’ SPF records.
- Test (!) the support of different providers by sending them a support request on Saturday evening. See when you get a response. Fusemail claims on their website: “24x7x365 Support”, but I’m now finding that it is not completely solid; it should instead read: “You can leave us a message 24x7x365″.
- If you don’t have large number of users to support and they use IMAP to access the remote email, consider setting up backup mailboxes at gmail (free!), and creating a mail rule (available at least in Fusemail) which automatically copies those backup mailboxes for all inbound email.
Cross-browser insanity!
Apr 6th
I’ve been working on couple web-projects for last couple of months, doing more intense web-development than for some time (my work takes me sometimes to the system side, even to hardware, and then back again to the application level). This time I’ve had the pleasure to work on a design that has to work on all grade A browsers, and also support the evil IE6 as something like 20-30% of the demographics of the users of the site still use that browser. Most of such users are likely locked in by a standard corporate desktop or another.
I have been developing the site for FireFox 3.x and IE7, switching back and forth while using the excellent Stylizer (of which a new version was just released, btw) to make sure the layout works in both. Then creating exceptions for IE6 and Safari as needed. The new fun thing is IE8. Not only is IE8′s “IE7 compatibility mode” not 100% IE7, but the way the browser renders pages also depends on what operating system it’s run on. IE8 in IE7 compatibility mode on Vista looks different than IE8 in IE7 compatibility mode on Windows XP! So, in essence, IE8 introduced four (or more!) new browsers to compensate for!
There is a reason for why Google’s home-page has so simple design: it’s the only way to ensure the page looks the same and doesn’t melt down regardless of what browser on whatever platform is used to view it!
We have long since passed a point where it’s reasonable for an individual web-developer to write a more complex site that reliably looks more or less the same regardless of the browser, or a platform. Different strategies must be adopted to overcome the problem. For one, I’ll be using a back-end browser/platform detection script for all future projects. It’ll make it fairly straightforward and reliable to serve corrective stylesheets that override the defaults in “global.css” for the browsers/platforms that need correcting. Attempting to correct for IE8′s different modes, or Safari’s different versions in JavaScript is enough to drive anyone mad. Perhaps the only good thing about IE8′s arrival is that it will finally force IE6 into obsolescence (I rather take IE8′s shaky modes than IE6!)
I’m also increasingly leaning toward Flex RIAs for most any purpose. With Flex/Flash apps the user either sees the application or doesn’t — and the design will always look the same, regardless of the browser or the platform used to view it.
On the web it’s obviously impossible to enforce regulations for how the browsers should or should not function, but from a developer’s point of view it would be great if the browsers would need to be certified to meet fairly tough W3C compliance standards and anyone using a non-certified browsers would be SOL (and moreover, nobody would scorn at—or be surprised about—the lack of a site’s support for the non-certified browsers).
Microsoft Server Products are bad for business!
Nov 12th
I have been using various Windows Server platforms for a good decade now. I’m not a MCSE, but I know my way fairly well around Windows 2000 and 2003. Yet I’ve never been able to completely shed the feeling of looking for a needle in a haystack when something goes seriously wrong and Windows gives an error message such as: “Error code 00000050, parameter1 a04bd7e8, parameter2 00000000, parameter3 8089c425, parameter4 00000000″ in the System Log as the reason for mysterious, repeated reboots. Perhaps if I were a MCSE I would know how to go about debugging such a problem in a more methodical fashion than the “shot-in-the-dark-debugging” I often have to employ in such situations, and thus reach a conclusion (and a fix) in a reasonable amount of time. But maybe it would take just as much effort, MCSE or not; the Windows Server products keep the administrator at an arm’s length when it comes to divulging their inner workings, or at least they seem to run any diagnostic information through an obsfuscator of some kind. Oftentimes having a good reference library and good web mining skills aren’t enough and the only remaining option is to contact the support – which costs money.
Microsoft also often recommends against running various functions (mail, database, directory controller to name a few) on a single server, no matter how small the environment. Domain Controller should have its own box. So should SQL Server, and (of course) Exchange. And the web server often doesn’t run well in a box with any of the above. Naturally you need an operating system license for all of the servers with dedicated functionality. A SQL Server license costs about $6,000 (per CPU). Exchange starts from about $1,100 for five users, etc. Why does anyone want to pay such high prices when better (more powerful, simpler to maintain) options exist? Support! But if you chose an open source alternative (such as, for example, FreeBSD or Linux for the operating system, MySQL for database, Apache for web server, Postfix for mail server…) you wouldn’t need support nearly as often, assuming you have an equally competent administrator for both environments.
My latest harrowing experience with Microsoft Server products was with Exchange 2003 Standard. I was faced with a server reinstall. The server is also a DC, and realizing the potential unexpected interactions between the various components I did a fair amount of research before starting the reinstall. Alas, this did not help. Exchange’s web access bombed completely even though the install was technically “clean” and the different components were carefully installed in the recommended order, and patched to the current patch levels.
I ended up blowing OWA2003 away, redirecting webmail to a FreeBSD server, and setting up Squirrelmail via IMAP to Exchange which worked right off the bat without any messy configuration issues with ASP.NET accounts. And the users have a more versatile web-mail interface than what OWA2003 would’ve offered.
As a result of this experience I’ve decided to move the LAN in question away from Exchange — into Postfix on FreeBSD. And yes, the same UNIX server will also handle intranet web, MySQL databases and external domain DNS services (for DNS there will be a secondary elsewhere) with little effort. It also says something about Exchange that the lengthy list of Postfix’s configuration parameters feels very straightforward when compared to Exchange’s configuration (having used both products now for several years). Postfix’s numerous configuration options give a very fine-grained control over how the MTA should function. If something goes wrong, Postfix (and Dovecot which I’ll use for IMAP/POP interface) tells you what’s wrong. And should I be totally stumped, Postfix’s excellent support community (mailing list) provides almost instantaneous solutions to even the most complex questions.
It is quite apparent that Microsoft is targeting Exchange primarily to large corporations considering that the production version of Exchange 2007 only runs on 64-bit Windows servers. Such organizations can also afford to throw money around for “Exchange administrators” whose whole job is to maintain the mail server. Perhaps it’s not wasted money, large organizations often have complex enough mail systems so that dedicated individuals or even teams are necessary. But when implementing Exchange in a smaller environment—except for perhaps the wizard-driven SMB-version (which keeps the admins at broomstick’s length away)—the heavier demand for Exchange management is still there even though the mail volume is lower. Small and medium-size organizations can save incredible amounts of money in license fees and in hardware investments simply by choosing Open Source software that will do the job in most cases much better than Microsoft’s Server Products. I would venture to say that Postfix, for example, offers more detailed control over how the mail is processed than Exchange while at the same time offering lower management complexity, a lot more power, and less need for ongoing maintenance.
Going forward, I will be recommending a mixed solution for the SMBs: Windows desktops (XP, for now) with Windows domain to centralize logins and to facilitate file sharing. That takes two Windows servers for most SMB LAN environments (one generally suffices performance-wise, but a second system is recommended for AD backup and it also functions as a backup server in case the primary server fails. For mail, database, ftp, LDAP, external DNS, and web, however, I’m recommending UNIX servers. My personal preference is FreeBSD, but Linux will work just as well. Again, perhaps two servers which can share and mirror operations under normal circumstances and function as backup for each other in event of a hardware failure. Total of four boxes (or two if cost is a concern and an outage stemming from a system failure isn’t devastating to the business) configured as described will create a very versatile system with a high degree of stability.
I end this post with two, somewhat connected observations: First, externalizing spam filtering is a good idea. Katharion provides excellent functionality, and around the end of the year they will also include webmail access to users’ email which is cached for thirty days. This doubles as a backup mail service for internal SMB mail servers. I’ll write more about Katharion in a future post.
Second, it may be time to ditch Outlook as well. Why doesn’t Outlook 2007 provide secure IMAP connections?! If team calendaring is not needed, Thunderbird looks like a much better choice (and even if calendaring and contacts are needed, they can be implemented with other available products).
Edit: Outlook 2007 does offer TLS for IMAP connections (Tools > Account Settings > [select profile] > Change > More Settings > Advanced > Use the following type of encrypted connection: [None/SSL/TLS/Auto]). Unfortunately, Thunderbird continues to have a number of issues, not least of which is the somewhat clumsy and aged-looking GUI which makes the program less flexible and comfortable to use than Outlook. Outlook’s superiority isn’t completely unexpected: while I maintain that Microsoft Server Products are overpriced, underperforming resource-hungry bloatware, I also recognize that their desktop software is pretty good (excluding Vista.. I really hope they get it right with Windows 7). The Office Suite is very well designed, and VisualStudio is a stellar development tool. Now if MS fixed the HTML rendering problem in Outlook 2007…
To recap: Windows for the desktop, domain controller (obviously), and for Windows LAN file sharing. UNIX for mail, database, web, DNS and other applications requiring good performance, configurability and security on the internet.