14.6kW Solar Array

So this past summer we decided to take the leap and build a large solar array in our backyard. Nearly five months later (after engineering planning, trenching, racking, electrical work, inspections, and new meters) we are now producing more power than we are using.

Inverters: SMA 7000tl-US (x2)

Panels: CSUN305-72P (x48)

Estimated annual generation capacity: 22,713 kWh per year

To see how we are currently doing:

Clodfelter Solar Farm on pvoutput.org

https://emoncms.org/vis/multigraph?mid=12110&embed=1

Sprinkler Controller Recommendations in Drought Regions

In much of the Western US we have been dealing with a drought, especially in desert regions that rely heavily on water supplied by irrigation districts. One such district, Kennewick Irrigation District (www.kid.org), will be enforcing a weekly mixed AM/PM schedule for the majority of its customers based on the last digit of the address number.

Here is the Water schedule KID will be enforcing starting May 31st:

The enforcement schedule is as follows:

1.    Enforcement of water availability schedule:
a.    1st and 2nd offense of watering on any day other than assigned, warning issued to property owner;
b.    3rd offense of watering on any day other than assigned will be charged a $100.00 penalty and valve locked off for seven calendar days;
c.    4th offense of watering on any day other than assigned will be charged a $100.00 penalty to property owner and water locked off for remainder of season;
2.    Tampering with lock:
a.    Removal of lock by any person other than an authorized KID employee will result in a $500.00 charge payable prior to water service being reestablished.
b.    2nd offense will result in the irrigation service being capped for the remainder of the season with the District seeking prosecution with the county prosecutor for tampering with a public facility.
3.    Appeals:
a.    All charges may be appealed during the annual Board of Equalization.
b.    A landowner may appeal a lock off or capping of a turn out to the Board of Directors.

Problem this schedule poses for some automated controllers:

Some of the reasons property/home owners invest in underground sprinkler systems are to have green lawns, automation, and because it is required by local associations or governments. There are a couple of issues with the enforced watering schedule that may require a change of controller. One, some controllers do not let you select the time of day (just how many times a day to water), and many controllers allow only one schedule per day. If your house number ends with 3, 4, 6, 7, 8 or 9 you will want a good controller. You don't have to break the bank to get one; they start at $21, much cheaper than a $100 fine and losing your irrigation water for the season along with your grass.

Rain Bird SST400I/SST600I/SST900I/SST1200I and outdoor versions (warning: only works with the 1, 2, 5 or 8 schedules). I do not recommend these timers; the scheduling is very limited.

This and similar versions only allow you to schedule the day, first start time, interval, and how many times a day to water. From personal experience it is easy but not flexible enough to meet the schedule requirements set by KID. If you are lucky enough to have a house number ending in 1, 2, 5 or 8 you can make this work: select the required days, set a start time in the AM or PM window that will finish all zones, set a 30 minute interval (important), and set it to water each zone only once. If you select more than once per day with this controller you will be violating the scheduled time. This controller will not work for mixed AM/PM schedules.

Indoor Orbit Controller (Cheapest Option for 4/6 zones $21/$25)

A/B Schedule 8 watering times – weekly schedules – you can run both A and B Schedules. This is perfect for the more advanced 3,4,6,7,8 or 9 watering schedules posted above. I recommend setting A to your AM scheduled day, and B to your PM scheduled day. Make sure your timer is set to auto and both A and B schedules are activated.

4 – Zone – http://www.lowes.com/pd_50605-74985-28954___?productId=3506632&pl=1&Ntt=sprinkler+controllers

6 – Zone – http://www.lowes.com/pd_50606-74985-28956___?productId=3506634&pl=1&Ntt=sprinkler+controllers

Indoor/Outdoor Orbit Controller

A/B Schedule 8 watering times – weekly schedules – you can run both A and B Schedules. This is perfect for the more advanced 3,4,6,7,8 or 9 watering schedules posted above. I recommend setting A to your AM scheduled day, and B to your PM scheduled day. Make sure your timer is set to auto and both A and B schedules are activated. You can purchase here: http://amzn.to/1SxmJPl  (select 4, 6, 9, or 12 zone option)

For those of you with the Lowes Iris Home Automation System:

This one is the same as the 12-Station indoor/outdoor above, only that it can be paired with your Iris Controller and managed from your computer/smartphone/tablet.
http://www.lowes.com/pd_587056-74985-27396___?productId=50134682&pl=1&Ntt=sprinkler+controllers

TLS over SMTP – How to protect your email from prying eyes on the internet

Those who have worked with e-mail servers should know what SMTP is, but many do not understand what TLS has to do with it. It is even more surprising how many people don't realize that e-mail is worse than a postcard written in pencil: it travels in clear text, easy to read, to modify, and to forge so that it appears to come from someone else.

My last post on DMARC, SPF and DKIM covered protecting others from receiving e-mail that pretends to be from your domain (spoofing or phishing). This post focuses on keeping prying eyes off the e-mail your domain sends, by encrypting the connection between the sending and receiving mail gateways with TLS.

Think of TLS for SMTP as what SSL or HTTPS is to HTTP, with one difference: with STARTTLS, TLS happens on the same port as plain SMTP (25). The sender connects in clear text, the receiver advertises STARTTLS in its EHLO response, and the sender asks to upgrade. This is opportunistic by default: if the receiver does not advertise STARTTLS (or an attacker on the path strips the advertisement), the typical sender simply continues in clear text. So how do we make sure the connection does not fall back to clear text? We create sender-side policies for the receivers we care about that require TLS (and, ideally, a certificate that verifies), so that the mail is deferred or fails rather than going out unencrypted. Postfix does this with smtp_tls_policy_maps (levels such as encrypt or secure), and Exchange with the RequireTLS setting on a send connector; a receiving domain can also publish MTA-STS or DANE records so senders know TLS is expected.

So the first thing to do is check whether TLS is enabled on your SMTP server. The quickest way is the SMTP test tool at mxtoolbox.com; you can check your own server and anyone you want to send e-mail to, and the test shows whether STARTTLS is offered and whether the certificate verifies.

Next, if you don't have TLS, generate a self-signed certificate or, better yet, get an inexpensive public CA-signed certificate (RapidSSL, for example). A self-signed certificate is enough for opportunistic encryption, but partners whose policy requires a verified certificate will refuse to deliver to you, so CA-signed is the safer choice. Then set up your gateway or Exchange server to use TLS on its receive and send interfaces and mail flows.

Now, how do you ensure that mail is sent over TLS, and what if it can't be but you still want the message to get through securely? Here is where one could create another smart host or gateway that also acts as an ad-hoc secure webmail server when needed. If the server can connect via TLS it sends the message through, letting the sender know it was delivered securely and letting the receiver know they are receiving mail over TLS.

If for some reason TLS fails, the message is held on the webmail server, and a separate notification tells the receiver that a secure e-mail is waiting on the sender's web server. The user registers and picks up the message, and the sender is then notified that the message has been received.

There are probably products that do this. They are expensive, but it is not rocket science. I'll post back if I find an easy open source solution to this problem.

Even if you just enable TLS you are making huge strides toward protecting your sensitive e-mail; even consumer e-mail such as Gmail uses TLS by default when the other side supports it.
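The check and the "TLS or fail" policy described above, as an added example (Python, not code from the original post): probe_starttls does locally what the mxtoolbox test does, and send_with_policy delivers under a per-destination policy that refuses to fall back to clear text. The domain names in TLS_POLICY are assumptions for the example; the EHLO responses in the test are constructed.

```python
"""Added example (not code from the original post): probe a receiving MX for
STARTTLS and deliver under a per-destination TLS policy that refuses to fall
back to clear text. Domain names in TLS_POLICY are assumptions for the example."""
import smtplib
import ssl

# Sender-side policy per recipient domain, in the spirit of the post's
# "force TLS or the e-mail fails" idea. "encrypt" = verified TLS or no delivery.
TLS_POLICY = {
    "bank.example": "encrypt",      # assumed partner domains
    "partner.example": "encrypt",
}
DEFAULT_POLICY = "may"              # opportunistic: TLS if offered, else clear text


class TlsRequired(Exception):
    """Policy says encrypt but the MX cannot deliver over verified TLS."""


def tls_policy_for(domain):
    return TLS_POLICY.get(domain.lower(), DEFAULT_POLICY)


def ehlo_offers_starttls(ehlo_body):
    """smtplib.SMTP.ehlo() returns (code, body): the greeting line followed by
    one extension keyword per line. Match the keyword only, not parameters."""
    for line in ehlo_body.decode("ascii", errors="replace").splitlines():
        if line.strip().split(" ", 1)[0].upper() == "STARTTLS":
            return True
    return False


def strict_tls_context():
    """System CA store, chain and hostname verification, TLS 1.2 or newer."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def probe_starttls(mx_host, port=25, timeout=15):
    """Local equivalent of the mxtoolbox check: is STARTTLS advertised, and
    does the certificate verify for mx_host?"""
    result = {"starttls": False, "verified": False, "protocol": None, "error": None}
    with smtplib.SMTP(mx_host, port, timeout=timeout) as smtp:
        code, body = smtp.ehlo()
        result["starttls"] = code == 250 and ehlo_offers_starttls(body)
        if result["starttls"]:
            try:
                smtp.starttls(context=strict_tls_context())
                result["verified"] = True
                result["protocol"] = smtp.sock.version()
            except ssl.SSLError as exc:
                result["error"] = str(exc)
    return result


def send_with_policy(mx_host, sender, recipient, message, port=25, timeout=30):
    """Deliver one message to mx_host under the recipient domain's policy.
    Returns "tls" or "cleartext"; under "encrypt" it raises rather than
    ever sending in the clear."""
    policy = tls_policy_for(recipient.rsplit("@", 1)[-1])
    with smtplib.SMTP(mx_host, port, timeout=timeout) as smtp:
        code, body = smtp.ehlo()
        offered = code == 250 and ehlo_offers_starttls(body)
        if not offered and policy == "encrypt":
            raise TlsRequired(f"{mx_host} does not advertise STARTTLS; refusing clear text")
        if offered:
            try:
                smtp.starttls(context=strict_tls_context())   # verifies against mx_host
            except ssl.SSLError as exc:
                # A silent downgrade to clear text here would defeat the policy,
                # so the failure is surfaced to the caller for both policy levels.
                raise TlsRequired(f"{mx_host}: TLS handshake failed: {exc}") from exc
            smtp.ehlo()   # capabilities can change after the upgrade
        smtp.sendmail(sender, recipient, message)
        return "tls" if offered else "cleartext"


if __name__ == "__main__":
    import sys
    print(probe_starttls(sys.argv[1]))
```

Run it as `python tls_probe.py mx.yourdomain.com` to see whether your own gateway advertises STARTTLS and presents a certificate that verifies; a self-signed certificate shows up here as `verified: False` with the SSL error, which is exactly what a partner enforcing verified TLS would see.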

How to fight SPAM, Phishing and Protect Your Brand Name – beyond blacklists

Sounds a little off topic, but I was amazed at the glazed eyes from Marketing when I told them their e-mails might be marked as spam by some of the most popular consumer e-mail providers. Basically, when they try to use a third-party e-mail service to send as a domain configured with SPF, DKIM and DMARC, and that service is not authorized in those records, their e-mails are rejected. At this point some of you might be wondering what I'm talking about. These standards let receiving e-mail gateways verify, using DNS records and signing keys, that a message actually came from a gateway the domain owner authorized. They also give the sender a say in how the receiving organization should treat messages that fail, such as letting them through or rejecting them. The topic sounds more complex than it is; I will show you the steps to get started and share some of the tools that helped me incorporate DMARC, SPF and DKIM in less than a day.

Let's start with DMARC. You can find more information at http://www.dmarc.org. I recommend starting with DMARC in monitoring mode (p=none), which tells all receiving domains to send you DMARC reports on all e-mail that appears to come from your domain. These reports are mainly XML files, but you can also ask some domains to send you a copy of the actual offending e-mail. Reading XML files can be fun, but they can be huge depending on your e-mail volume, so I recommend a service such as http://dmarcian.com, which is cheap or free and breaks the reports down into actionable data. After you create an account with dmarcian, they give you an e-mail address to use in your DNS TXT record. If you want to receive the forensic e-mails, be sure to create a mailbox on the domain you are monitoring so they can be sent to you.

You will need to create a DMARC TXT record for your domain. It is not an A record but a TXT record named _dmarc.yourdomain.com. In the GoDaddy DNS Manager, for example, you create a record named _dmarc under the TXT section and enter the following as the value (put the exact rua address dmarcian gave you in place of the placeholder):

v=DMARC1; p=none; pct=5; rua=mailto:yourcode@ag.dmarcian.com; ruf=mailto:dmarc-ruf@yourdomain.com;

v= is the version (it must be the first tag)
p= the policy receivers should apply to mail that fails DMARC; none means take no action and only report, which is where a domain in testing should start
pct= the percentage of failing messages the policy applies to. With p=none it makes no practical difference; once you move p= to quarantine or reject, start pct low and raise it toward 100 a week or so at a time. Messages outside the sampled percentage get the next weaker policy (reject falls back to quarantine, quarantine to none), which is what lets you lock down your domain gradually while avoiding as many false positives as you can.

rua= aggregate reports, sent to the address dmarcian created for you. These are summaries (sending IP, pass/fail counts, domain) across hundreds or thousands of messages, not the messages themselves.

ruf= forensic (failure) reports, which can include copies of the offending message. This mailbox should be on the domain you are monitoring; to send reports to a different domain, that domain has to publish an authorization record (yourdomain.com._report._dmarc.otherdomain.com) or receivers will refuse to send them.

After you set this up, wait a week to collect data, log into dmarcian.com and see who else is sending e-mail as you and what countries they are coming from. Could they be targeting your customers or members? Or is it a vendor that does business on your behalf? This is the information that will keep you from losing legitimate mail, and it lets you monitor your efforts along the way.

The next step is to create a simple SPF record. The Sender Policy Framework DNS record lists every IP address allowed to send e-mail as your domain and tells receivers what to do with the rest. The trick is the same: start with your own sending gateways; if you have just one or two, list their IP addresses. The limits to keep in mind are the size of the TXT record and the cap of 10 DNS lookups (each include, a, mx, ptr, exists and redirect term counts toward it; ip4 and ip6 do not). A domain must publish exactly one SPF record; two SPF records is a permanent error, not a merge. To pull in senders from another domain, include that domain's record with include:. Start simple first.

Before you publish your record, go to http://www.kitterman.com/spf/validate.html and, in the bottom form called "Test an SPF record", enter the IP address of the sending e-mail gateway, the SPF record, and a test address such as test@yourdomain.com. The address does not need to exist; the tool just evaluates your record and reports whether that IP passes or fails.

The SPF record is also a TXT type DNS record, published on the domain itself rather than a subdomain, which in some DNS managers means giving it the name @.

If you have a domain that should not send e-mail your should use this spf record:

v=spf1 -all

This tells receivers that no host is authorized, so any e-mail claiming to be from this domain hard-fails SPF. Don't use it on your sending domains; use something like:

v=spf1 ip4:123.123.123.11 ip4:123.123.123.10 include:icpbounce.com ~all

Use ip4 for IPv4 addresses and ip6 for IPv6 addresses. You can also use mx to authorize everything in your MX records, but listing IPs directly is preferable whenever possible because mx costs one of your 10 DNS lookups. include: is handy if you send e-mail through other vendors as your domain: their SPF record is simply folded into yours. They must publish an SPF record for this to work, and their lookups count against your limit too. ~all is a softfail, which is the right ending while you are still discovering senders in your DMARC reports; switch to -all once everything legitimate is passing. Once you have published the record, wait a little and use the SPF Surveyor tool in dmarcian.com to get some feedback about it.

You can also test your record by sending an e-mail to check-auth@verifier.port25.com; the automated reply should show the SPF section passing.

You will want to monitor your dmarcian account to make sure you are covering yourself and every vendor that sends as your domain. This may require some investigation of domains and IPs; I recommend robtex.com to get all of this in one tool, or just doing a Whois. Sometimes multiple domains are associated with the same IP.

What you will notice at this point is that DKIM is failing. So what is DKIM? DKIM builds on DomainKeys: the sending gateway signs each outgoing message with a private key, and the receiving domain verifies the signature with the public key published in the sending domain's DNS. A valid signature proves the signed headers and body were not modified in transit and that the signer controls the domain. Sounds simple; let's get started.

If you use an e-mail spam appliance that supports DKIM, have it create a DKIM key pair. I recommend a 1024-bit key size; I found the larger keys did not work for me. One common reason a 2048-bit key fails is that its public key makes the TXT value longer than 255 characters, so it has to be published as several consecutive quoted strings, which not every DNS manager handles. If you don't have a gateway and just have Exchange, I recommend building a Linux server to act as your gateway or smarthost, for example with dkimproxy.sourceforge.net. Follow its instructions for creating the key and signing your mail flow.

At this point your test e-mail should still fail, but you'll notice that it is signed. You now need to publish your DKIM public key in DNS. Copy the "public" key from your gateway and create a TXT record named yourselector._domainkey.yourdomain.com; publish one selector record for each gateway you are authorizing to sign as you. The value is the key record your gateway produced, which looks like:
v=DKIM1; k=rsa; p=<base64 public key from your gateway>
Make sure p= is not left empty: an empty p= tells verifiers the key has been revoked.

To mark the domain as testing, add t=y to the selector record itself (v=DKIM1; k=rsa; t=y; p=...). Verifiers then treat a failed signature the same as unsigned mail rather than penalizing it; remove the flag once you are confident all your e-mail is being signed. (The older DomainKeys practice of a separate _domainkey.yourdomain.com TXT record containing t=y is what some guides describe; DKIM verifiers do not consult it.) Wait a little, then check your DKIM key on dmarcian.com, which links to a tool that validates the published record, and send a few test e-mails. Keep in mind it can take some time for DNS records to change or kick in.

Now you should see your messages pass DMARC, SPF and DKIM. You may see others that need assistance, such as vendors you work with. The easy part is to slowly raise your policy until you are at 100 percent and telling everyone to reject the other spam or phishing e-mails. You will need to maintain your records and work with new vendors as they come on. Because this is all controlled in DNS, you can even change your policies temporarily on the fly; just keep DNS propagation in mind.
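The three records this post publishes are easy to get subtly wrong (an empty p=, a second SPF record, too many lookups, a key longer than one TXT string), so here is an added example of a pre-publish sanity check. It is Python written for this page, not dmarcian's or any vendor's tooling, and it does no DNS lookups: the SPF lookup count covers only the terms in the record you hand it, so nested includes add to the real total. The record values in the test are constructed samples.

```python
"""Added example (not the page's own tooling): sanity-check DMARC, SPF and DKIM
TXT values before publishing them. It does no DNS lookups, so the SPF lookup
count covers only the terms in the record itself; nested includes add to it."""
import re

DMARC_POLICIES = {"none", "quarantine", "reject"}
SPF_MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_SPF_LOOKUPS = 10      # RFC 7208 limit on DNS-querying terms
MAX_TXT_STRING = 255      # one TXT character-string; longer values must be split


def parse_tags(record):
    """Parse the 'tag=value; tag=value' syntax shared by DMARC and DKIM records."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags


def check_dmarc(record):
    """Return a list of problems (empty when the record is publishable)."""
    problems = []
    tags = parse_tags(record)
    if not record.strip().lower().startswith("v=dmarc1"):
        problems.append("record must begin with v=DMARC1")
    if tags.get("p") not in DMARC_POLICIES:
        problems.append("p= must be none, quarantine or reject")
    pct = tags.get("pct", "100")
    if not (pct.isdigit() and 0 <= int(pct) <= 100):
        problems.append("pct= must be an integer from 0 to 100")
    if "rua" not in tags:
        problems.append("no rua=: you will receive no aggregate reports")
    for uri in (tags.get("rua", "") + "," + tags.get("ruf", "")).split(","):
        uri = uri.strip()
        if uri and not uri.startswith("mailto:"):
            problems.append(f"report address must be a mailto: URI: {uri}")
    return problems


def check_spf(record):
    """Return (problems, lookup_terms) for one SPF record."""
    problems = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must begin with v=spf1"], 0
    lookups = 0
    seen_all = False
    for term in terms[1:]:
        if seen_all:
            problems.append(f"term after 'all' is never evaluated: {term}")
        if "=" in term:                      # modifier such as redirect= or exp=
            if term.split("=", 1)[0].lower() == "redirect":
                lookups += 1
            continue
        name = term.lstrip("+-~?").split(":", 1)[0].split("/", 1)[0].lower()
        if name not in SPF_MECHANISMS:
            problems.append(f"unknown mechanism: {term}")
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            seen_all = True
    if not seen_all:
        problems.append("no 'all' mechanism: unlisted senders get a neutral result")
    if lookups > MAX_SPF_LOOKUPS:
        problems.append(f"{lookups} lookup terms exceed the limit of {MAX_SPF_LOOKUPS} (permerror)")
    if len(record) > MAX_TXT_STRING:
        problems.append("longer than 255 characters: publish as several quoted strings")
    return problems, lookups


def check_dkim_key(record):
    """Return (problems, testing) for a selector._domainkey TXT value."""
    problems = []
    tags = parse_tags(record)
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1 when present")
    key = tags.get("p", "")
    if not key:
        problems.append("empty p= means the key is revoked; paste the public key")
    elif not re.fullmatch(r"[A-Za-z0-9+/=]+", key):
        problems.append("p= must be the base64 public key with no spaces or quotes")
    testing = "y" in tags.get("t", "").split(":")    # t=y: verifiers treat failures as unsigned
    return problems, testing


def split_txt(value, limit=MAX_TXT_STRING):
    """Chunk a long value (typically a 2048-bit DKIM key) into <=255-char pieces;
    publish them as consecutive quoted strings inside one TXT record."""
    return [value[i:i + limit] for i in range(0, len(value), limit)]
```

Run check_spf on the record before and after every include: you add; when the count it reports plus the lookups inside the included records approaches 10, receivers will start returning permerror and your mail will fail SPF even though every IP is listed.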

Thank you for reading hope you find this useful.


VBS Script to add Lync Contacts to all users who are a member of a Group

This is based off and extends the LyncAddContacts.vbs script found here: http://www.expta.com/2011/01/introducing-lyncaddcontacts.html

After much searching on the web I was unable to find a script to meet my needs with Lync, so I put this together and cleaned it up a bit. This of course requires the LyncAddContacts script along with the dbimpexp.exe tool pulled from the Lync install DVD or ISO. You will also need a template user (which can be created with a mailbox, hidden from the Exchange address book, and disabled after adding all the contacts and groups to Lync). You will also need to run, and probably schedule as a task, this script with an account that has all the permissions needed to export and import contacts for your Lync users.

To use this script, place it in the same directory as your other scripts on the Lync server and change the three variables located near the top of the script. Enjoy.

Update: I changed the script a little; it turns out I should not use an @ symbol in a string, so I replaced it with Chr(64). Another gotcha I ran into was that the "start in" path needs to be your scripts folder with the exe and both vbs scripts if you are using the Task Scheduler. Also, this can be resource intensive as it updates all the users directly through SQL, so either adjust your resources accordingly or only run this during early mornings or late evenings.

'LyncAddContactGroups.vbs
'Imports the template user's Lync contacts and contact groups into every
'member of an AD group (wraps LyncAddContacts.vbs from expta.com).
'Author: Paul Cardelli
'Date last Modified: 3/17/12
'-------------------------------------------------------------------------
Option Explicit
Dim objRootDSE, strDomain, objGroup, objUser, WShell, arrMemberOf, strMember, strSIPTemplate

'--- Change these three values for your environment ----------------------
'SIP address of the template user whose contact list is copied to everyone
strSIPTemplate = "LyncTemplateUser" & Chr(64) & "domain.com"
'Group whose members receive the contacts (the domain DN is appended below)
Const strGroupCN = "LDAP://CN=All Users,ou=User Groups,"
'Folder containing LyncAddContacts.vbs and dbimpexp.exe
Const strLyncScriptPath = "d:\Scripts\"

Set WShell = WScript.CreateObject("Wscript.Shell")

'Back up everyone's contacts, then export the template user's contacts.
'The last argument (True) waits for each step to finish; running them
'without waiting lets the imports start before the export file exists.
WShell.Run "cscript " & strLyncScriptPath & "LyncAddContacts.vbs /backup backup.xml", 0, True
WShell.Run "cscript " & strLyncScriptPath & "LyncAddContacts.vbs " & strSIPTemplate, 0, True

'Retrieve domain information
Set objRootDSE = GetObject("LDAP://RootDSE")
strDomain = objRootDSE.Get("DefaultNamingContext")
Set objGroup = GetObject(strGroupCN & strDomain)
objGroup.GetInfo
arrMemberOf = objGroup.GetEx("member")

'Walk the group membership and import the template contacts into each user,
'one at a time, so the SQL updates are not all fired at once
For Each strMember In arrMemberOf
    Set objUser = GetObject("LDAP://" & strMember)
    WShell.Run "cscript " & strLyncScriptPath & "LyncAddContacts.vbs /import " & objUser.mail, 0, True
Next

WScript.Quit

Installing SCCM

Last week I was able to configure and set up System Center Configuration Manager (SCCM) at work. Here is a good online guide in case anyone wants to know what is involved: http://www.ahmedgroup.co.uk/articles/47/1/Step-by-step-guide-installing-SCCM-2007-Part-1/Page1.html

I would have to say a multi-site SCCM configuration is a beast to set up compared to Lync. You need to follow a guide to the T when installing; otherwise it is really hard to troubleshoot. The most important prerequisites to remember on both primary and secondary site servers are IIS, WSUS, WebDAV, BITS and Remote Differential Compression. Configuring WebDAV is not hard, but it has to be perfect or you will end up chasing your own tail later. The SCCM installer does not check these components during its prerequisite check, which is why I bring it up.

Anyways Deploying software packages and updates for now, later I’ll have to figure out the rest of SCCM and the other modules that fit in.

Lync 2010

This week I installed Lync 2010 Standard Edition, and I was pleasantly surprised at just how much easier Lync is to set up than previous versions of Office Communicator and Live Communications Server. For the most part Lync 2010 requires just an Active Directory domain with a CA and a server to call its own. Keep in mind users also have to be mail-enabled, so Exchange may be needed, but upgrading to Exchange 2010 is not required (the only added benefit in 2010 is Lync integration with OWA).

The next part was the hardest to get over for me, which is adding contacts automatically for lync enabled users. The best way I have found to do this is to use the script I found on The Expta {Blog}. Here a script leverages a utility to export a users contacts and you can import them to a number of users or to individual users.

Also as a side tip, after your address book syncs (which should take 60 seconds or less) you should be able to look up and add distribution groups to your Lync contact list, which will dynamically include any Lync-enabled users that are members of that group.

For those "Domain Admin" users, to enable those accounts in Lync you first need to open Active Directory Users and Computers, enable "Advanced Features", open each domain admin user, click the Security tab, click Advanced, check the box to include inheritable permissions, close the user in AD, and enable the user right away in the Lync Control Panel. If you wait until later to enable it, like I did, you have to go through the whole process again. The reason is that the AdminSDHolder process (SDProp) reapplies the protected, non-inheriting ACL to members of Domain Admins roughly every hour. Best practice in AD is to use Domain Admin accounts as secondary accounts and not your primary account, so if that's the case this should not be an issue.

I only have Standard installed right now, so my knowledge of Lync is limited to that scope. I also have not enabled all the voice features yet, although computer-to-computer audio and video seem to work out of the box, just not dialing out.

More to come, but until then I recommend reading Microsoft’s deployment blogs on lync, and the Technet library, both very helpful.  Also check out this video if you want step-by-step base installation instructions for Lync 2010 Standard.