BaruwaOS 6.7.4
New Features
Backend Systems subscriptions
Beginning with BaruwaOS 6.7.4, backend systems will require a PAID subscription. Existing systems installed prior to the release of 6.7.4 are exempt from this requirement.
Simplified Configuration
The configuration on Standalone profiles has been simplified: there are fewer screens, and most of the credentials are now generated automatically. This reduces human-factor errors and improves security, as strong credentials are now generated automatically.
The baruwa-setup utility now includes an option to refresh the automatically generated system credentials. To regenerate credentials, run baruwa-setup with the -g option.
Built in Cache
A new built-in caching mechanism has been added that allows for replacement of the current memcached solution.
The built-in cache is the default cache on new Standalone installations and can also be used on the Web and Mail System and the Web Interface System profiles.
In a clustered setup, port 11211 needs to be allowed inbound to the system; this port is used by the nodes in a cluster to replicate cache data.
The memcached cache can still be used: the Enable Memcache option on the Management Other Settings screen of the baruwa-setup utility can be used to enable or disable memcached.
This option is important for environments where memcached errors are frequent.
Cluster Master
A loose cluster master system has been introduced: nodes in a cluster can now elect a leader node.
The leader node is the node that performs tasks that must only be carried out by one system within the cluster at a time, such as sending reports or cleaning up the quarantine.
The cluster traffic used to elect the leader node is sent on port 3542; this port needs to be allowed on firewalls between the nodes in both directions.
The cluster leader elections only take place on Web and Mail System nodes.
The other systems use a distributed locking system to ensure that tasks are executed by only one server in a cluster.
YAML Imports
The data import system has been overhauled. The previous system was unable to import all the data required to set up fully functional systems.
The new system uses the YAML format to import organizations, relay settings, domain administrators, domains, domain aliases, delivery servers, authentication servers and user accounts.
It is also possible to import just domains or accounts into an existing organization or domain respectively.
The old system that used CSV files has been removed.
YAML Exports
The data export system has been overhauled. The previous system was unable to export all the setup data.
The new system exports data in the YAML format and includes almost all the configuration data on the system.
Organizations can be exported and will include all the data within the organization which includes relay settings, domain administrators, domains, domain aliases, delivery servers, authentication servers, lists, signatures, dkim settings and user accounts.
It is also possible to export domains and accounts with the data contained in those containers.
Passwords are not part of the data export. The password entries will be blank in any export.
The old system that exported data to CSV files has been removed.
Cron System
On Standalone and Web and Mail System profiles, scheduled tasks are now run using the uWSGI system instead of the traditional cron system.
This integrates with the Cluster Master system to ensure that tasks are run by only one node in a cluster.
Baruwa Service
On Standalone and Web and Mail System profiles, backend tasks are now run using the uWSGI system; the standalone Baruwa service is no longer required or installed.
On Mail System profiles, which do not run the uWSGI system, a baruwa-service package is installed; this provides the standalone Baruwa service.
Backend Traffic Encryption
It is now possible to encrypt all traffic between backend and front end nodes and between the backend nodes themselves.
The Encrypt all backend traffic option works by installing a TLS tunneling service which encrypts connections at the source and decrypts them at the destination for the specific application streams.
The Encrypt all backend traffic option can also be used on a LAN to thwart capturing of data by sniffing packets on the LAN.
Authentication
The authentication of certificates takes place using certificate pinning; this means you have to copy the server's certificate to the client.
On the server side the certificate file contains both the private key and the certificate. Do NOT copy the whole file to the client; copy only the certificate. To extract the certificate, run the following command on the server:
openssl x509 -in /etc/pki/baruwa/certs/$(hostname).pem
On the client side the certificate needs to be stored in /etc/pki/baruwa/certs/_IPADDRESS_.pem where _IPADDRESS_ is the IP address of the server configured in the baruwa-setup utility.
The Encrypt all backend traffic option must be configured on all systems in the cluster, both front end and backend, for the cluster to function correctly.
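To illustrate the warning above, an added example that is not part of the BaruwaOS release notes or the baruwa-setup utility: a small Python helper that reads a combined PEM file such as /etc/pki/baruwa/certs/$(hostname).pem, keeps only the CERTIFICATE block(s) for copying to the client, and checks that no key material is carried over. The PEM contents embedded below are constructed placeholders, not real key or certificate data.

```python
import re

# Matches one PEM block; the captured label says what kind of object it holds.
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----",
    re.DOTALL,
)


def pem_blocks(pem_text):
    """Return a list of (label, full_block_text) tuples found in the PEM text."""
    return [(m.group(1), m.group(0)) for m in _PEM_BLOCK.finditer(pem_text)]


def has_private_key(pem_text):
    """True if any block label denotes key material (RSA PRIVATE KEY, EC PRIVATE KEY, ...)."""
    return any("PRIVATE KEY" in label for label, _ in pem_blocks(pem_text))


def extract_certificates(pem_text):
    """Return only the CERTIFICATE blocks, ready to be stored on the client as
    /etc/pki/baruwa/certs/_IPADDRESS_.pem. Raises ValueError if no certificate is present."""
    certs = [block for label, block in pem_blocks(pem_text) if label == "CERTIFICATE"]
    if not certs:
        raise ValueError("no CERTIFICATE block found in input")
    result = "\n".join(certs) + "\n"
    # Belt and braces: the client copy must never carry the server's private key.
    assert not has_private_key(result)
    return result


# Constructed sample of a server-side file holding both key and certificate.
# The base64 bodies are placeholders only.
SAMPLE_SERVER_PEM = """-----BEGIN RSA PRIVATE KEY-----
MIIEplaceholderKEYdata==
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDplaceholderCERTdata==
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    import sys
    # Usage: python extract_cert.py [/etc/pki/baruwa/certs/HOSTNAME.pem]
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_SERVER_PEM
    sys.stdout.write(extract_certificates(text))
```

The printed output is what belongs in the client's _IPADDRESS_.pem file; the page's openssl x509 command produces the same certificate-only result.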
SMTP TLS Ciphers
Previously only strong ciphers were allowed on all SMTP connections. To allow for increased interoperability with other systems, this has been changed to normal ciphers on port 25.
Please refer to SMTP Authentication for the impact of this change.
Additional Anti Virus Engines
This release supports more additional Anti Virus Engines in addition to the built in ClamAV engine. The supported engines are documented in the Additional Anti Virus Engines section.
SNMP Monitoring
SNMP monitoring is now supported. It is documented in the SNMP section.
HTTP Proxy Protocol Support
The HTTP service now supports the Proxy Protocol, meaning Baruwa web services can now be placed behind load balancers that support the Proxy Protocol such as HAProxy and Amazon ELB. The proxy protocol makes the actual client IP address visible to the Baruwa service instead of having all requests appear like they came from the load balancer.
The SMTP service already supports the Proxy Protocol.
HTTP Log to Syslog
The HTTP service now supports the option to log to syslog. Using syslog the logs can be aggregated and processed.
The SMTP service already supports logging to syslog.
API
Added support for getting a domain by name.
Network Ports
The following additional ports are now used.
PORT  | PROTOCOL | DIRECTION     | DESCRIPTION
11211 | UDP      | BETWEEN NODES | CACHE SYNC TRAFFIC
3542  | UDP      | BETWEEN NODES | CLUSTER TRAFFIC
161   | UDP      | INBOUND       | SNMP
Deprecations
SMTP Authentication
SMTP Authentication on port 25 is no longer supported due to the SMTP TLS Ciphers change. SMTP AUTH is now only offered on ports 465 and 587, which still require strong ciphers.
Relay settings configurations that use port 25 will need to be updated.
Puppet
The Puppet configuration management system has been removed from BaruwaOS. The only supported configuration engine is now Salt.
It is still possible to import puppet manifests as part of the upgrade.
Memcached
On Standalone profiles memcached has been deprecated; the Built in Cache system is now the default.
DKIM
Messages that fail DKIM checks will no longer be blocked at SMTP time.
Imports
Importing of domains and accounts from CSV files is no longer supported. The CSV system has been replaced by the YAML Imports system.
Exports
Exporting of domains and accounts to CSV files is no longer supported. The CSV system has been replaced by the YAML Exports system.
Known Issues
ERROR: Pidfile (/var/run/baruwa/celeryd/celeryd.pid) already exists.
If you see the above error in your logs, run the following commands:
kill `cat /var/run/baruwa/celeryd/celeryd.pid`
rm -vf /var/run/baruwa/celeryd/celeryd.pid
Service clamd is already enabled, and is dead
If you get the above error when running baruwa-setup, run the following command before running baruwa-setup again:
freshclam
failed to open DB file /var/spool/exim.in/db/retry: Permission denied (euid=93 egid=93)
If you see the above error in your logs, run the following command:
chown exim.exim /var/spool/exim.in/db/retry