BaruwaOS 6.9.1
New Features
PostgreSQL upgrade
The PostgreSQL database has been updated to 10.1, which is the latest version. It improves performance and has lots of features not available in the previous versions.
baruwa-setup will automatically migrate your database from 8.4.20 to 10.1. Although this process has been tested, you may run into issues. Make sure you schedule changes with your change management process and create a large upgrade window. If possible, ensure you make the changes during the time window in which technical support is guaranteed to be available.
Backend Clustering
For many users, clustering of backend systems to eliminate single points of failure has been one of the most requested features. It is now possible to cluster backend systems, thus eliminating the single point of failure in a Baruwa cluster.
Fail over from the active master to the slaves is automated for database systems; user intervention is not required.
Read and write operations are automatically split: read operations are sent to the slave servers while write operations are sent to the master.
To maintain a quorum and prevent split brain issues, cluster components must be deployed in odd numbers. This is especially important for systems in the backend segment. Do not deploy a backend cluster segment that has an even number of components.
Memcached does not support clustering, so it is now an optional component. If you are currently using Memcached but would like transparent cluster fail over support, you need to disable Memcached and use the built-in uwsgi caching system.
With backend segment clustering enabled, the cluster is now resilient to backend failures. The web interfaces can now remain operational in the event of a backend failure.
It is also possible now to perform upgrades on backend systems without affecting the end users.
For efficient operation your backend components should be located at different locations such that an outage does not take down all the systems at the same time. If the systems are at the same location and an outage takes down all the systems then recovery of such a cluster is a more involved process.
For more info refer to Clustering
TLS encryption
TLS encryption for backend services is now mandatory; the Backend Traffic Encryption options have been deprecated. All services with external interfaces within the cluster now run over TLS.
To support this, the built-in CA has been enhanced and automated. New cluster members now request certificates from the bootstrap server during the setup process.
Certificates are issued from intermediate CAs for various components. To support the verification process, the root CA certificate needs to be copied to the non-bootstrap servers in the cluster prior to configuration.
For more info refer to Root CA Key
Search Improvements
Instant search results have been extended to cover all the search functions in the web interface. In previous versions instant search only covered the messages search function; for all other search functions the indexing was delayed. So if you added a domain, for example, you would not be able to search for it immediately. It is now possible to obtain the results immediately after adding the domain.
The search indexing operation has further been optimised to use less RAM and CPU. In previous versions search indexing used up lots of system resources and crashed often. This release addresses many of those issues.
User Delivery Servers
We have added support for User Delivery Servers. Using this feature it is now possible to deliver mail for different users in a domain to different servers.
User Delivery Servers are added to a domain, and can then be assigned to user accounts in that domain.
Multiple User Delivery Servers can be added to a domain as well as assigned to a user.
For more info refer to User Delivery Servers
SmartHosts
We have added support for SmartHosts. Using this feature it is now possible to route outbound mail for a domain or an organization via an upstream smarthost.
This feature is useful for customers who want to send out mail via an external server that performs branding, for example, or archiving.
At the moment IP Address and SMTP AUTH based routing is supported. For SMTP AUTH the CRAM-MD5 and PLAIN mechanisms are supported over TLS.
For more info refer to SmartHosts and Organization SmartHosts.
SAML2 external authentication support
Support has been added for the SAML2 external authentication method. Domains can now be configured to use SAML2 external authentication.
Due to the way in which this protocol works, it is not possible to log in from the main login page. A special URL has been created, which you will need to provide to your users. The URL takes the following format:
https://baruwa.example.com/a/login/domain
So if your Baruwa URL is baruwa.example.com and the SAML2 enabled domain is example.net, then the URL to use will be:
https://baruwa.example.com/a/login/example.net
The metadata for any domains you configure for SAML2 external authentication will be available at:
https://baruwa.example.com/a/metadata/domain
As with the above example.net domain, the metadata URL will be:
https://baruwa.example.com/a/metadata/example.net
This is a technology preview, so please test before putting it into full scale production.
TOTP Two Factor OTP authentication support
TOTP based Two Factor Authentication is supported. Any device or app that can generate TOTP tokens as well as scan QR codes can be used. We recommend FreeOTP, which is open source, developed by Red Hat and available for Android and iOS.
Avast Anti Virus Engine support
The Avast Anti Virus Engine is now supported and can be configured as an SMTP Time or POST SMTP Time Anti Virus Engine. Avast AV requires a subscription, which you can purchase from us.
Support for blank email addresses in lists manager
It is now possible to enter a blank from address in the lists manager. This allows users to manage list entries for senders that set a blank <> address, such as auto responders, bounce messages, etc.
Support for disabling search
Indexed search is resource intensive, and in some setups it is not worth the expense of deploying extra resources to manage search. It is now possible to disable indexed search. Users can then use filters to find the messages they need.
An option has been added to baruwa-setup to allow for enabling and disabling of the search functionality.
Modular external authentication
External authentication is now modular, meaning that you can install only the external authentication methods that you require and use. For example, if you do not use LDAP you can disable that module.
On upgrade all external authentication modules will be disabled. Make sure that you enable the ones that you use in baruwa-setup.
Scanner RAM disk support
The mail scanning component now supports the use of a RAM disk. This can be used on systems where disk access is slow and causing a bottleneck. This option requires 1GB of dedicated RAM to operate correctly.
To enable use of the RAM disk, enable that in baruwa-setup.
Optimization of MTA configuration
The MTA dynamic configuration system has been optimized by consolidating the settings into fewer files. This improves system performance by keeping fewer files open at any time.
Simplified Configuration
The number of configuration screens in clustered systems has been reduced. Most of the configuration options have been moved to the backend systems. For most options you only need to set them once on the bootstrap server. The other members of the cluster then pull these cluster wide configurations from the bootstrap server.
This improves on the previous configuration where you needed to re-enter the same settings on several servers.
Due to the above changes, when upgrading you need to check the settings on your frontend systems and add those settings to your bootstrap server before running the updates on the frontend systems.
Improved Archive filtering
Filtering of archive contents has been improved. More archive types are now supported including 7zip based archives.
Deprecations
External Authentication
External authentication is now modular; all modules are disabled by default on upgrade. You need to explicitly enable the modules that you want to use.
Encrypt all backend traffic
The Encrypt all backend traffic option has been deprecated as backend encryption is now mandatory.
Memcached
Memcached is now an optional component. It was previously a mandatory component on mail profile systems; this is no longer the case.
Known Issues
Template changes
If you are using a custom template and do not update your templates you will run into issues. Ensure that you update your templates on upgrade.
Simplified Configuration
Make sure that you copy the configuration settings from existing frontend systems to your bootstrap server prior to updating the frontend systems.
You can get the settings from your frontend system by running the baruwa-setup -e command.
MTA configuration override for SMTP Time scanning changes
The MTA configuration override for SMTP Time scanning has changed. Please read the documentation and update your custom overrides.
Firewall rules overwrite
On some system profiles, especially the clustered ones, the firewall rules will be overwritten. If you have custom rules you need to re-add them after the upgrade.
The CA file /etc/pki/BaruwaCA/certs/BaruwaCA.pem is missing
You need to copy that file over from your bootstrap server.
Disk space
Please ensure you have sufficient free space on your system before starting with the upgrade. On database and backend systems you need to have 3 times the size of /var/lib/pgsql available.
WebApp Error: <class ‘socket.gaierror’>: [Errno -2] Name or service
This means that localhost4 is not configured as an entry for 127.0.0.1 in /etc/hosts. You need to modify that file and add an entry for localhost4.
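A pre-upgrade check for three of the issues above (disk space, the root CA file and the localhost4 entry), given as an added example that is not part of the Baruwa documentation or tooling. The function names are hypothetical, the default paths are the ones named on this page, and the CA check only confirms that a PEM certificate is present, not that it is the right one.

```sh
#!/bin/sh
# Added example, not Baruwa tooling. Function names are hypothetical.
# Paths are parameters so each check can be run against test fixtures.

# Succeeds when the filesystem holding $1 has at least 3x the size of $1 free.
has_upgrade_space() {
    [ -d "$1" ] || return 1
    used_kb=$(du -sk "$1" | awk '{print $1}')
    free_kb=$(df -Pk "$1" | awk 'NR == 2 {print $4}')
    [ -n "$used_kb" ] && [ -n "$free_kb" ] || return 1
    [ "$free_kb" -ge $((used_kb * 3)) ]
}

# Succeeds when hosts file $1 has a 127.0.0.1 line naming localhost4.
has_localhost4() {
    awk '
        { sub(/#.*/, "") }    # ignore comments
        $1 == "127.0.0.1" {
            for (i = 2; i <= NF; i++) if ($i == "localhost4") found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Succeeds when $1 exists, is non-empty and contains a PEM certificate.
has_root_ca() {
    [ -s "$1" ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Runs all three checks; defaults are the paths named on this page.
preflight() {
    rc=0
    has_upgrade_space "${1:-/var/lib/pgsql}" ||
        { echo "FAIL: less than 3x the database directory size is free"; rc=1; }
    has_localhost4 "${2:-/etc/hosts}" ||
        { echo "FAIL: no localhost4 entry for 127.0.0.1"; rc=1; }
    has_root_ca "${3:-/etc/pki/BaruwaCA/certs/BaruwaCA.pem}" ||
        { echo "FAIL: root CA certificate is missing"; rc=1; }
    return "$rc"
}
```

Source the file and call preflight before starting the upgrade; the disk space check is only meaningful on database and backend systems, and the CA check on non-bootstrap servers.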
no quorum: only 1 vote(s) for Legion baruwacluster, 2 needed to elect a Lord
Refer to the solution for digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c below.
digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c
If you have the above error in your logs then it means the autogenerated session key on the backend in a cluster contains unwanted characters.
A manual fix to the database is required. Follow these steps on the backend server or database server.
1. Generate a 35 character random string as follows:
mkpasswd -l 35 -s 0
2. Connect to your baruwa-setup database:
sqlcipher /var/lib/baruwa-setup/baruwasetup.db
3. Enter the following commands at the sqlite> prompt. Replace _pp_ with your actual passphrase and _rand_string_ with the string from step 1:
PRAGMA KEY="_pp_";
UPDATE baruwasetup SET session_secret="_rand_string_";
.quit
4. Run the baruwa-setup command on your backend server and repeat on your nodes.
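For hosts where mkpasswd is not installed, the following added example (not from the Baruwa documentation) generates the replacement string from /dev/urandom and refuses to emit the UPDATE statement for a string that would reintroduce the problem. The function names are hypothetical, and it assumes that "unwanted characters" means anything outside A-Z, a-z and 0-9.

```sh
#!/bin/sh
# Added example, not Baruwa tooling. Function names are hypothetical.
# Assumption: a clean session secret is 35 characters of A-Z, a-z, 0-9 only.

# Print a 35-character alphanumeric string drawn from the kernel CSPRNG.
gen_session_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 35
}

# Succeed only if $1 is exactly 35 characters and purely alphanumeric.
# Runs in a subshell so the C locale (ASCII-only ranges) does not leak out.
is_clean_secret() (
    LC_ALL=C
    [ "${#1}" -eq 35 ] || exit 1
    case $1 in
        *[!A-Za-z0-9]*) exit 1 ;;
    esac
    exit 0
)

# Print the statements for the sqlite> prompt, refusing an unclean secret.
# The passphrase stays as the _pp_ placeholder and is typed in by hand.
session_secret_sql() {
    is_clean_secret "$1" || {
        echo "refusing: secret is not 35 alphanumeric characters" >&2
        return 1
    }
    printf 'PRAGMA KEY="_pp_";\n'
    printf 'UPDATE baruwasetup SET session_secret="%s";\n' "$1"
    printf '.quit\n'
}
```

Running `session_secret_sql "$(gen_session_secret)"` prints the three statements with the new string filled in, ready to paste at the sqlite> prompt after replacing _pp_.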