BaruwaOS 6.8
New Features
Upstream Release
This release tracks the upstream base OS’s update 6.8. The release notes for the upstream OS can be found on the upstream website.
ACME TLS Certificates
Baruwa now supports the ACME client protocol. This allows certificates to be requested from ACME compatible Certificate Authorities such as CertBot, formerly known as Let's Encrypt, a free and open CA which issues browser recognized certificates.
Baruwa will now request Certbot certificates for the HTTPS and SMTP TLS services if you do not have a CA issued certificate. Certbot certificates are supported by a wide range of browsers so you should no longer have the warnings generated when using the Baruwa CA auto generated certificates.
The system checks to ensure that it will be possible to validate the requests by checking that the hostnames resolve to a Public IP address that is assigned to the system. If the check fails then Certbot certificates will not be requested and the local CA certificates will be issued.
In some cases, the public IP address is not assigned to the system and traffic is port forwarded to the Baruwa system. In those cases the automatic detection will fail. As a workaround, you need to create a check file on the system. This tells baruwa-setup to bypass the checks and request the certificates anyway.
To create the check file run the following command:
touch /etc/baruwa/acme.enable
To disable the use of Certbot certificates you can create a disable check file:
touch /etc/baruwa/acme.disable
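The pre-flight decision described above can be modelled to predict what baruwa-setup will do on a given host. This is an added example, not Baruwa's own code: the function names, the precedence of the two check files, the definition of "public" and the sample `ip -o addr show` output are assumptions or constructed data.

```python
import ipaddress
import os
import re

ENABLE_FILE = "/etc/baruwa/acme.enable"    # paths from the release notes
DISABLE_FILE = "/etc/baruwa/acme.disable"

# Ranges treated as non-public here (assumption; the page does not define
# "public"). RFC 5737 documentation addresses are left out so that the
# constructed sample data below can use them.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

# Constructed `ip -o addr show` output: a host behind port forwarding.
NAT_HOST = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.168.10.25/24 brd 192.168.10.255 scope global eth0
2: eth0    inet6 fe80::5054:ff:fe12:3456/64 scope link
"""
# Constructed output: the public address is bound to the interface.
DIRECT_HOST = NAT_HOST + "2: eth0    inet 203.0.113.10/24 scope global eth0\n"


def local_addresses(ip_output):
    """Parse `ip -o addr show` output into a set of address objects."""
    hits = re.findall(r"\binet6?\s+([0-9A-Fa-f:.]+)/\d+", ip_output)
    return {ipaddress.ip_address(h) for h in hits}


def acme_preflight(resolved, ip_output, exists=os.path.exists):
    """Predict (will_request, reason) for a hostname's resolved addresses."""
    if exists(DISABLE_FILE):  # assumption: disable wins if both files exist
        return False, "acme.disable present"
    if exists(ENABLE_FILE):
        return True, "acme.enable present, checks bypassed"
    local = local_addresses(ip_output)
    addrs = [ipaddress.ip_address(a) for a in resolved]
    if not addrs:
        return False, "hostname does not resolve"
    for addr in addrs:  # assumption: every resolved address must pass
        if any(addr in net for net in NON_PUBLIC):
            return False, "%s is not a public address" % addr
        if addr not in local:
            return False, "%s is not assigned to this system" % addr
    return True, "addresses are public and assigned locally"
```

On a real host, pass the addresses returned by resolving the system hostname and the live output of `ip -o addr show`. A port forwarded host returns False until the enable check file exists.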
For the validation process to succeed, it should be possible for external systems to connect to your system on port 80. The Certbot validation system makes a connection to the hostname(s) specified in the certificate request to verify that you control the hostname before issuing the certificates.
The CertBot CA does not support issuing certificates to IP addresses so the certificates that are issued will not contain your IP addresses as alternative names as is the case with Baruwa CA issued certificates.
CertBot CA issued certificates are valid for only 90 days at a time. On a Baruwa system a scheduled process runs to check and update the certificate before it expires. The scheduled process runs every 3 days and will renew the certificate if it is <= 5 days from expiry.
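The renewal schedule above implies a simple monitoring rule: a job that runs every 3 days and renews at <= 5 days should never leave a certificate with fewer than 2 days remaining. The following added example (not part of Baruwa; function names and state labels are hypothetical) classifies a certificate's notAfter value against that schedule.

```python
import socket
import ssl

CHECK_INTERVAL_DAYS = 3   # renewal job runs every 3 days (from the page)
RENEW_THRESHOLD_DAYS = 5  # renews when <= 5 days remain (from the page)
DAY = 86400.0


def days_left(not_after, now):
    """Days until expiry; not_after is in getpeercert() 'notAfter' format."""
    return (ssl.cert_time_to_seconds(not_after) - now) / DAY


def renewal_state(not_after, now):
    """Classify a certificate against the renewal schedule above."""
    left = days_left(not_after, now)
    if left <= 0:
        return "expired"
    # Once inside the 5 day window, the next run comes within 3 days,
    # so it sees at least 5 - 3 = 2 days remaining. Fewer than that
    # means a scheduled run failed or was missed.
    if left < RENEW_THRESHOLD_DAYS - CHECK_INTERVAL_DAYS:
        return "renewal-overdue"
    if left <= RENEW_THRESHOLD_DAYS:
        return "renewal-window"
    return "ok"


def fetch_not_after(host, port=443, timeout=10):
    """Read notAfter from a live HTTPS endpoint (requires a trusted chain)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]
```

Call `renewal_state(fetch_not_after("mail.example.com"), time.time())` from an external monitor, where the hostname is a placeholder. A "renewal-overdue" result points at a failing renewal job, commonly because port 80 is no longer reachable for validation.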
DMARC Reporting
Baruwa now supports DMARC reporting; both forensic and aggregate reports are supported.
Forensic reports are sent out immediately when the mail is processed. Aggregate reports are sent out once a day.
DMARC reporting can be enabled using baruwa-setup.
Fallback servers
It is now possible to configure delivery servers for an Organization; these delivery servers are called Fallback servers.
If a domain in the Organization does not have delivery servers configured the Fallback servers for the Organization will be used instead.
This can be used in cases where an Organization has several domains which are hosted on the same mail server.
For more info refer to Fallback servers
MTA Random IP Address Pools
Baruwa now supports the use of a random IP address from a pool of IP addresses. To use a random IP address from a pool of IP addresses, you need to:
- Configure the IP addresses as virtual or physical interfaces on the Baruwa server(s).
- Add the IP addresses in the web interface under the Server to which the address is assigned via Adding an IP Address
Baruwa will automatically use one random IP address from the assigned addresses each time it makes an outbound SMTP connection.
This makes it possible to remove and add IP addresses on the system, for example when an address has been blacklisted.
To assign specific IP addresses to specific customer domains you can use the Dedicated IP Addresses feature.
Dedicated IP Addresses
Baruwa now supports the setting of dedicated IP addresses for:
- Domains
- Delivery servers
- Fallback servers
So it is now possible to assign dedicated IP addresses to a domain, delivery server and fallback server.
The effect of the above assignments is as follows:
- All email from the domain name will be sent from the assigned IP address
- All email to a delivery server will be sent from the assigned IP address
- All email to a fallback server will be sent using the assigned IP address
The above comes in handy when you want to separate traffic flows in a multi customer hosted environment such that one customer's reputation does not affect other customers' reputation.
To use this feature:
- Configure the IP addresses as virtual or physical interfaces on the Baruwa server(s).
- Add the IP addresses in the web interface under the Server to which the address is assigned via Adding an IP Address
- Assign the IP address to either the domain, delivery server or fallback server.
Null routing
It is now possible to discard all mail sent to a domain without delivering it to the delivery servers.
An option has been added to allow users to discard all mail addressed to the domain.
Enforcing TLS
It is now possible to enforce the use of TLS connections for hosts and domains.
Domains hosted on the Baruwa server can now be configured to only deliver mail to the delivery servers using TLS connections by setting Require TLS on the delivery or fallback servers.
SMTP clients sending outbound mail via the Baruwa server are already required to use TLS for SMTP AUTH connections. It is now also possible to enforce the use of TLS for non SMTP AUTH connections by setting Require TLS on the relay settings.
For inbound messages it is also possible to enforce TLS using the TLS Enforcement List.
Content Protection Info
The reasons why a message was blocked by the Content Protection System are now displayed on the message detail page.
After SMTP Anti Virus Rejection Info
The rejection messages from the After SMTP Anti Virus checks are now displayed on the message detail page.
API
The API has been extended to support Fallback servers and Null routing.
Man Pages
BaruwaOS now includes Man Pages for all the Baruwa Enterprise Edition commands.
Deprecations
None
Known Issues
ERROR with rpm_check_debug vs depsolve:’, ‘libselinux = 2.0.94-5.8.el6 is needed by (installed) libselinux-ruby-2.0.94-5.8.el6.x86_64’
If you get the above error when running baruwa-setup then run the following commands before running baruwa-setup again:
yum install baruwa-setup -y
yum erase libselinux-ruby -y
Salt Engine reported error(s) Processing state cmd.run[mailscanner-create-cdb] failed => Command “paster update-mta-lookup /etc/baruwa/production.ini”
If you get the above error when running baruwa-setup then run the following command before running baruwa-setup again:
paster setup-app /etc/baruwa/production.ini
Salt Engine reported error(s) Processing state augeas.change[mailscanner-config-dmarc-reports.ini] failed => Error: Unable to save to file
If you get the above error when running baruwa-setup then log out of the current session and log back in before running baruwa-setup again.
Salt Engine reported error(s) Processing state baruwa_certs.present[acme-request-certificate] failed => Failed to issue certificate
The above error means baruwa-setup was unable to issue the Let's Encrypt certificate for your server. Please review the ACME TLS Certificates section if you want to use Let's Encrypt certificates. If you do not want to use Let's Encrypt certificates, run the following command before running baruwa-setup again:
touch /etc/baruwa/acme.disable
Salt Engine reported error(s)
If you get the above error when running baruwa-setup, run baruwa-setup again.