Fundamentally, you are concerned with two basic properties of the system:

• How fast you can get data to/from the disk
• How fast the disk itself can read/write that data

First, how fast can we get data to/from the disk. This is governed by the interconnect technology used to connect the CPU/Memory to the disk. On a typical Mac, you have a few options:

• SATA (Serial ATA): This is what your internal hard drives are connected with. This can nominally push data at 3 Gbits/s (3072 Mbits/sec). SATA was designed for hard drives.
• eSATA: Simply SATA with special connectors to support external disk enclosures.
• USB: This will nominally push data at 480 Mbits/sec. Due to the way USB works, it can have performance issues keeping up performance transferring large amounts of data — expect to see half or less of the nominal rate. USB was designed as a general peripheral connection technology — not necessarily optimized for disks storage.
• Firewire (IEEE 1394): Comes in two versions, FW 400 (nominally 400 MBits/s) and FW 800 (800 MBits/s). Firewire was designed to support disk storage along with other audio/visual connectivity protocols.

The disks themselves… So what are the important parameters to look for in the disk itself:

• Rotational Speed: This is how fast the drive spins. You will typically see two different speeds 5400 rpm and 7200 rpm. There are increasingly “green” drives appearing on the market which I’ll discuss briefly later. Hard drives have spinning platters (disks) and a set of read/write heads inside them. This isn’t much different than a phonograph with the disks being the vinyl record and the read/write heads being the needle. To access a bit of data, the heads have to move to a specific radial position and then wait until the write spot is spun underneath them. Remember that data (your files) is, to various degrees spread all over the disks. When you read or write a lot of data the heads are constantly repositioning and waiting as right data passes under them. Think of trying to listen to several songs at the same time on a vinyl record and you get the idea.
• Cache: Disks have cache on them that can speed up read and write operations. Bigger is generally better, but cache is only so good.
• Data Transfer Rate: This is fundamentally a function of the rotational speed, but it tells you how fast the disk can actually read/write. Each disk has different specs, so you have to check the disk you’re considering. Also be very careful as to exactly what performance is being reported by the manufacturer and make sure you are doing apples to apples comparisons.

Now to tie it all together. You’re speed is going to be limited by the slowest part of the chain. If you put a slow disk with a fast interconnect, you’re limited by the slow disk and vice versa. In practice, the slowest options of the above are USB and 5400 rpm drives. Either SATA or Firewire has a higher data rate than the 7200 rpm disk can sustain. The other thing to consider is how many concurrent IO operations you are sending to the disk. Your system disk (Macintosh HD) has to service all of the other IO needs of your system. If you add your video editing demands to this, you could overwhelm the drive.

I think there are a few common problems that people run into:

• The MacBook Pro’s standard drive is a 5400 rpm disk. This is probably going to be too slow for most video editing demands, especially when you add additional IO demands. It will “work” but you probably won’t be happy.
• Disk is too full. You need to leave 10% – 20% of your disk free. The OS needs this free space to easily organize the data it’s writing to disk.
• Just sending too much IO to a single disk. A single disk can only handle so much IO. Once you go over that, you wait (or drop frames).

The most common solution is to use a 7200 rpm disk connected by Firewire. 7200 rpm because it’s the fastest you’re going to reasonably afford and Firewire because it’s fast enough and every Mac (maybe not the MacBook) has it. If you have a MacPro, you can look at adding more internal SATA drives (consider RAID’ing them for more performance) or look at eSATA (need to buy a controller in addition to disks).

If you’re in a bigger setting with shared storage arrays, you have even more options and things get even more complicated. I’ll not going into that here, but am happy to discuss in more detail if anyone is curious.

P.S. What about those “Green” disks — I want to be nice to the environment. The Green drives that are becoming popular work by dynamically changing speeds based on demands, with their primary goal to save power and thus run at slower speeds. When you start sending data to these disks, they typically have to spin up from some nominal lower speed to something faster to support your IO. You pay a penalty (wait) for the spin up and are at the mercy of the drive to decide if it wants to spin up to full speed. These are great for longer term storage for data infrequently used (say a Time Machine disk, Aperture Vaults, iTunes music collection, or just online archive storage of files (vidoe or otherwise)) but not for something needing consistent, fast throughput, say Video Editing.

I finally got a Mac at work (my company’s Corp IT group is becoming a bit more enlightened and accepting that more than just Windows exists in the world) and I want a simple way to spin up SSH tunnels, close them down not have to keep a terminal window open for them. My solution is to wrap some Applescript around the SSH commands and launch my tunnels from the script menu on the menu bar.

The simple script:

do shell script "ssh -4 -A -N -L 12345:localhost:12346 host.example.com &> /dev/null & echo $!"set sshpid to the resultdisplay dialog "ssh PID is: " & sshpid buttons {"Close Tunnel"}do shell script "kill -9 " & sshpid

When the tunnel is created, a window will pop up giving you the pid of the ssh process and a button to close the tunnel. When click the “Close Tunnel” button, the tunnel is shutdown by killing (with the mean -9, chose the signal you want) the ssh process.

Now my most common need/desire for a tunnel is to listen to my music stored at home on my machine at work. At home I use Firefly Media Server to share my library so I just want to tap into that at work. A quick google search shows the steps to do this:

• Use dns-sd to register a daap servers on local host
• Create an ssh tunnel from localhost to the remote daap stream

To run this easily, enable the Script Menu in the menu bar (via AppleScript Editor preferences) and put the script in~/Library/Scripts.

• The upgrade process took 22 minutes and consisted of 3 or 4 mouse clicks and a reboot.
• I have a number of SMB shares mounted from a server running Samba. I had to change the security setting to “user” where it had been “share”.
• The upgrade performed by the installer overwrote my /etc/snmp/snmpd.conf file. This prevented any snmp monitoring from working until I figured out what went wrong. (The installer also re-enables the OS X firewall even if it was disabled before — probably a good decision)
• It seems that Image Capture has gotten significant improvements with 10.6 — I haven’t noticed this called out by any of the other reviews. The UI is much more feature-full and even offers the option to delete images and videos from my iPhone. (If this was in the previous version, I hadn’t noticed it.)
• Boot time is noticeably faster.
• I ended up saving about 10GB of disk space as part of the upgrade

• Can’t seem to get the phone to connect on a user specified port for either IMAP or SMTP. There are options for that, but I could never get my phone to (reliably) use them.
• I could never get starttls to work with the iPhone. Other clients, mail.app, worked just fine. This is annoying, but not such a big deal. The password for the login is still encrypted and the mail itself would normally be going outside of my systems anyway.
• There is no “advanced” or “expert” UI for initially setting up email accounts on the iPhone (nor on mail.app). This means that you have to wait as the phone walks through a lot of default mail options (ports to connect on, SSL or no SSL, etc) before you get a chance to adjust anything.

I want to securely access my home email from my newly ordered iPhone 3GS. Since my mail repository is at home (vs on some one’s webmail/freemail platform) and I want to be able to send email from my domain, I need to connect from essentially anywhere to my home systems.

I have an existing bastion host running OpenBSD to which I added the mail functions. Documentation that I found was a bit out dated or didn’t quite put everything together, so I’m putting it all together here. This article is based on what is available with OpenBSD 4.5.

First, what are the different pieces in this puzzle?

• Retrieve/view mail: I keep all of my mail on a server at home and provide access via IMAP(S). I extended this by using dovecot as an IMAP proxy on the bastion host. This allows you to view your mail.
• Sending mail: Sendmail is the base MTA I’m using (it’s part of the base install of OpenBSD) and to get the secure authenticated connection for remotely sending mail, two different things are needed.
  • TLS: For my purposes, this encrypts the connection via starttls(8)
  • Authentication: This provides the ability to authenticate users and allow authenticated users to relay mail through the server. This is done via cyrus-sasl.

The configuration for dovecot is rather simple, but I never found it explicitly called out. Acting as a proxy for a particular user is done as part of an entry in the user database. Larger installations with many users can use a database for this, but for a small handful of users, this is more easily done with a passwd-file.

1. Install dovecot. Either build it from source via ports or install the package. See the OpenBSD FAQ for how to do this.
2. In /etc/dovecot.conf, find the section specifying the password database as a passwd-file and uncomment it such that you end up with the following. See AuthDatabase/PasswdFile section of the dovecot wiki for more details.

   # passwd-like file with specified location# passdb passwd-file {# [scheme=] [username_format=]# args = username_format=%n /etc/dovecot.passwd} 

3. Create the passwd file, /etc/dovecot.passwd, in your favorite editor filling in the fields as described in the Passwd-file documentation. You should end up with something that looks like the following:

   fred:{PLAIN-MD5}b40ac4fe40284c9de587b992c08f167::::::proxy=y host=my.proxy.domain.tld port=143

   The last fields, the extra fields, are the ones that make the proxy actually work. Note that the TLS/SSL options discussed in the dovecot documentation are only available in newer versions (1.2.rc4+) and not in the stable versions. That means I’m stuck with an un-encrypted connection between my bastion host/proxy and my real mail server. This isn’t the perfect solution, but I prefer using the proxy to just allowing a direct connection from anywhere on the internet to my internal servers. Create the md5 passphrase hash with the md5(1) command:

   md5 -s password

4. Configure dovecot to start at boot (if you didn’t when you installed it) and start up dovecot. In /etc/rc.local add:

   if [ -x /usr/local/sbin/dovecot ]; then echo -n ' dovecot';  /usr/local/sbin/dovecotfi

This is the easy part to write up. Follow the steps in the starttls(8) man page. Remember, this just gives you encryption when connecting to send mail.

This requires installing the Cyrus-SASL libraries, configuring users and saslauthd, recompiling sendmail and configuring sendmail.

1. Install cyrus-sasl. Either build it from source via ports or install the package. See theOpenBSD FAQ for how to do this.
2. Configure the sasl auth daemon for authentication from sendmail:

   echo pwcheck_method: saslauthd > /usr/local/lib/sasl2/Sendmail.conf

3. Create users (these are the users and passwords for sending mail) with saslpasswd2(8) with the following command (you’ll be prompted for a password). This will create /etc/sasldb2.db. You will use username@domain as the username for authentication.

   saslpasswd2 -c -u domain username

4. Configure saslauthd to start at boot by adding the following to /etc/rc.local :

   if [ -x /usr/local/sbin/saslauthd ]; then echo -n ' saslauthd'; /usr/local/sbin/saslauthd -a getpwentfi

5. Start saslauthd with /usr/local/sbin/saslauthd -a getpwent
6. Rebuild sendmail with sasl support:
   • Add WANT_SMTPAUTH=YES to /etc/mk.conf
   • If you don’t have the OpenBSD source code installed, install it. See the OpenBSD FAQ for details on doing so if needed.
   • cd to /usr/src/gnu/usr.sbin/sendmail/ and build and install sendmail with make clean obj depend && make && make install
7. Configure sendmail for all of the new options. Edit /usr/share/sendmail/cf/openbsd-proto.mc as follows:
   • Uncomment (remove the “dnl” from the beginning of the line) the section for TSL/SSL support.

     dnldnl TLS/SSL support; uncomment and read starttls(8) to use.dnldefine(`CERT_DIR', `MAIL_SETTINGS_DIR`'certs')dnldefine(`confCACERT_PATH', `CERT_DIR')dnldefine(`confCACERT', `CERT_DIR/mycert.pem')dnldefine(`confSERVER_CERT', `CERT_DIR/mycert.pem')dnldefine(`confSERVER_KEY', `CERT_DIR/mykey.pem')dnldefine(`confCLIENT_CERT', `CERT_DIR/mycert.pem')dnldefine(`confCLIENT_KEY', `CERT_DIR/mykey.pem')dnl

   • Add the following options for SMTP AUTH.

     dnldnl Set SMTP AUTH optionsdnldefine(`confAUTH_MECHANISMS',`PLAIN LOGIN CRAM-MD5 DIGEST-MD5')dnlTRUST_AUTH_MECH(`PLAIN LOGIN CRAM-MD5 DIGEST-MD5')dnldefine(`confAUTH_OPTIONS',`p,y')dnldefine(`confPRIVACY_FLAGS',`authwarnings,goaway')dnl

8. Rebuild the cf files and install them by:
   • cd /usr/share/sendmail/cf
   • make distribution
9. Configure sendmail to listen for connections over the network (default configuration is to listen only on localhost) by adding sendmail_flags="-L sm-mta -bd -q30m" to /etc/rc.conf.local
10. Kill the running sendmail, source the new configuration options and restart sendmail:

    kill `head -n1 /var/run/sendmail.pid`. /etc/rc.conf/usr/sbin/sendmail $sendmail_flags

A good bit of the SMTP AUTH configuration steps where taken from http://www.dsrw.org/~dlg/sysadmin/sendmail/ which was written for OpenBSD 3.3. Some things have changed by OpenBSD 4.5 partly compelling me to write this article.