Archive for July, 2007

Scotland Notes: May 27 – Day 3

Pictures are here.

We had breakfast at the B&B with the two adorable labradors Molly & Jess, then headed for the train station to put our bags in the lockers there. Unfortunately, the lockers didn’t open until 10:30, and there was a tour we wanted to join at 10:30. We went to the tourist office to see if they have left luggage lockers as well. They didn’t open until 10. But the same tour company that would be conducting our tour had an earlier pickup for a different tour and we asked him if it’d be OK to leave our large bags on the bus and he said it wouldn’t be a problem. So we hung around until 10 and bought our tour tickets for the 10:30 Loch Ness cruise.

Since the bus picked up at the tourist info centre, we waited around some more. The driver let us put our big bags below the bus, and we were off. We drove down to a point on the north side of the loch, where we got on the boat to cruise to Urquhart Castle. It was originally a small fort on a hill out on a point near the loch, and was then expanded upon until it was a residence with a chapel and a large tower overlooking the loch. We got to spend about an hour at the castle ruins, going up into the tower and down into the storerooms.

Then we hopped onto the bus and headed to the Loch Ness Exhibit Centre, where we saw the history of Nessie sightings and what has been done to search for the monster. It was a very interesting, if somewhat cheesy exhibition.

Finally, back to Inverness where we checked with the tourist information center about Orkney and put our bags in the train station lockers and headed to the hostel to see about changing our jump-on/jump-off reservations. We weren’t able to get up to Orkney with any reasonable time – even if we drove, so we decided to spend more time on Skye instead. Unfortunately, there was no room for us on the bus, so we decided to take the train instead. So we made a few phone calls, and made sure we could still have a place to sleep and booked our tickets.

We went to Johnny Fox’s for a late lunch, and I had venison. It wasn’t as good as I remember my mom making it, but it was good. Brian tried a Guinness Pie.

After dinner, we jumped on the train to Culrain, where we walked uphill to Carbisdale Castle. The castle was a bit of a disappointment, and we had to have our bags out of the hostel by 2:30 because a school group was checking in. We settled in for the night, planning on catching the earlier train.

Posted on July 26th, 2007 by elwing  |  1 Comment »

Possible First Dance Music

So, Brian has agreed to think about learning to dance for the wedding, and we had talked about finding some good video game music to dance to. I think I have found the perfect one :) My favorite dance is the Viennese Waltz, and so while looking online for some decent music, I found Waltz for the Moon from Final Fantasy 8. It’s not an easy waltz to dance to because it’s fast and has several places where the music breaks beat, but I think Brian can do it with practice. And if he’s feeling brave, I’m sure we could figure out the moves from the FMV and have a pre-choreographed dance :)

Posted on July 26th, 2007 by elwing  |  Comments Off

And, I’ve finished Harry Potter

All I’ll say about it is that I enjoyed it, but there were a few things that I wish she had covered, as in what happened to certain people. If you want to discuss details, find me on AIM/Jabber or IRC :)

Posted on July 25th, 2007 by elwing  |  Comments Off

New Mail Server

The new mail server is up and running and is acting as the primary MX for my domain. I’m going to leave my old server up as the secondary MX just in case, but the server passed all the tests I gave it. I have Exim and Cyrus working together with SpamAssassin and ClamAV to deliver mail to virtual domains. The server is currently handling mail for three domains (elwing.org and two others) with alias files for each domain. So, postmaster at domain1.tld and postmaster at domain2.tld can be different. (They’re all pointing to my account at the moment, but they don’t have to be!)

I pretty much used my old configuration file with a few tweaks to tell Exim how to deal with virtual aliases. Cyrus handles virtual domains out of the box (2.2+), but the concept of a global admin doesn’t exist when you’re using PAM as an authentication method. And the PAM file looks a lot like user@domain:password. When trying to log into Cyrus as the global admin user, saslauthd would think that the realm was org (the machine’s name is elwing.org, so I’m guessing it came from there), and 1) I couldn’t log in because I didn’t have an entry in the password file for it, and 2) I wasn’t the global admin. It’s a little annoying that I have to have multiple admin accounts, but as I’m working on writing scripts for user maintenance, it’s not that big of a deal.

If you send me e-mail to elwing.org and it bounces, please forward the full response (and headers if you can) to my gmail account (elwing) and I’ll debug it. Thanks!

Posted on July 23rd, 2007 by elwing  |  1 Comment »

Cyrus IMAP and certificates

I’ve *finally* discovered why my IMAP server no longer likes my self-signed certificates. The certificates are just fine. Cyrus is just fine. It’s OpenSSL that’s the problem. Bug 1513, to be exact.

The error messages, for anyone searching:

Jul 18 22:00:22 server imaps[71643]: TLS server engine: cannot load CA data
Jul 18 22:00:22 server imaps[71643]: unable to get certificate from '/usr/local/etc/imap.crt'
Jul 18 22:00:22 server imaps[71643]: unable to get certificate from '/usr/local/etc/imap.crt'
Jul 18 22:00:22 server imaps[71643]: TLS server engine: cannot load cert/key data
Jul 18 22:00:22 server imaps[71643]: TLS server engine: cannot load cert/key data
Jul 18 22:00:22 server imaps[71643]: error initializing TLS
Jul 18 22:00:22 server imaps[71643]: error initializing TLS
Jul 18 22:00:22 server imaps[71643]: Fatal error: tls_init() failed

Cyrus calls SSL_CTX_use_certificate_chain_file() to read in the certificate file, but in my case, since I don’t have CA data set, an earlier function returns an error, so the SSL_CTX_use_certificate_chain_file() function also returns an error, even though the certificate and key are just fine.

I wrote a small patch for FreeBSD 6.2, but the basic idea is to go into imap/tls.c and search for SSL_CTX_use_certificate_chain_file() – it’s inside set_cert_stuff(). On the line immediately previous to the SSL_CTX_use_certificate_chain_file() call, add ERR_clear_error();

That’s it! You should now be able to use TLS.

Caveat: Use this patch at your own risk, I am not responsible for anything that happens to your system if you use it and it doesn’t work for you. I know this is not the best solution in the world, but it’s a decent workaround until the OpenSSL guys can get their act together.
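
The failure mode described above, as an added example that is not Cyrus or OpenSSL code: a toy model of a sticky error queue, assuming the chain loader judges success by whether the queue is empty. Every function name here is hypothetical; err_clear() plays the role of ERR_clear_error(), and the PEM string is a constructed sample.

```c
/* Toy model of a sticky error queue; all names are hypothetical. */
#include <stdio.h>
#include <string.h>

#define QUEUE_MAX 8
static const char *err_queue[QUEUE_MAX];
static int err_count = 0;

static void err_push(const char *msg) { if (err_count < QUEUE_MAX) err_queue[err_count++] = msg; }
static int  err_peek(void)            { return err_count != 0; }
static void err_clear(void)           { err_count = 0; }  /* stands in for ERR_clear_error() */

/* Earlier step: loading CA data fails when none is configured and leaves
 * an entry on the queue. The caller treats this failure as non-fatal. */
static int load_ca_data(const char *ca_file) {
    if (ca_file == NULL || *ca_file == '\0') {
        err_push("cannot load CA data");
        return 0;
    }
    return 1;
}

/* Later step: parses the chain correctly, but reports failure if anything
 * is on the queue afterwards, including entries it did not create. */
static int load_cert_chain(const char *pem) {
    int ok = (pem != NULL && strstr(pem, "BEGIN CERTIFICATE") != NULL);
    if (!ok) err_push("no certificate in file");
    if (err_peek()) ok = 0;            /* stale entries poison the result */
    return ok;
}

/* TLS setup in the order described: CA data first, then the chain. */
static int tls_setup(const char *ca_file, const char *pem, int clear_first) {
    err_clear();                       /* start each run from a clean queue */
    (void)load_ca_data(ca_file);       /* failure is tolerated */
    if (clear_first) err_clear();      /* the one-line workaround */
    return load_cert_chain(pem);
}

int main(void) {
    const char *pem = "-----BEGIN CERTIFICATE-----\n(constructed sample)\n";
    printf("no CA, no clear : %d\n", tls_setup(NULL, pem, 0));
    printf("no CA, clear    : %d\n", tls_setup(NULL, pem, 1));
    printf("bad cert, clear : %d\n", tls_setup(NULL, "garbage", 1));
    return 0;
}
```

Clearing the queue only discards the stale CA error; a certificate that really cannot be parsed still fails, as the third call shows.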

Posted on July 18th, 2007 by elwing  |  Comments Off