The PostgreSQL database has been updated to 10.1 which is the latest version, improves performance and has lots of features not available in the previous versions.
baruwa-setup will automatically migrate your database from 8.4.20 to 10.1,
although this process has been tested you may run into issues. Make sure you
schedule changes with your change management process and create a large upgrade
window. If possible ensure you make the changes during the time window in which
technical support is guaranteed to be available.
For many users clustering of backend systems to eliminate single points of failure has been one of the most requested features. It is now possible to cluster backend systems thus eliminating the single point of failure in a Baruwa cluster.
Fail over between the active master to slaves is automated for database systems user intervention is not required.
Read and write operations are automatically split, read operations are sent to the slave servers while write operations are sent to the master.
To maintain a quoram and prevent split brain issues cluster components must be deployed in odd numbers. This is specifically important for systems in the backend segment. Do not deploy a backend cluster segment that has even number of components.
Memcached does not support clustering so it is now an optional component. If you are currently using Memcached but would like transparent cluster fail over support you need to disable Memcached and use the built in uwsgi caching system.
With backend segment clustering enabled, the cluster is now resilient to backend failures. The web interfaces can now remain operational in event of a backend failure.
It is also possible now to perform upgrades on backend systems without affecting the end users.
For efficient operation your backend components should be located at different locations such that an outage does not take down all the systems at the same time. If the systems are at the same location and an outage takes down all the systems then recovery of such a cluster is a more involved process.
For more info refer to Clustering
TLS encryption for backend services is now mandatory, the Backend Traffic Encryption options have been depreciated. All services with external interfaces within the cluster now run over TLS.
To support this the builtin CA has been enhanced and automated. New cluster members now request certificates from the bootstrap server during the setup process.
Certificates are issued from intermediate CA’s for various components. To support the verification process the root CA certificate needs to be copied to the non bootstrap servers in the cluster prior to configuration.
For more info refer to Root CA Key
Instant search results have been extended to cover all the search functions in the web interface, in previous versions instant search only covered the messages search function. For all other search functions the indexing was delayed. So if you added a domain for example you would not be able to search for it immediatly. If is now possible to obtain the results immediatly after adding the domain.
The search indexing operation has further been optimised to use less RAM and CPU. In previous versions search indexing used up lots of system resources and crushed often. This release addresses many of those issues.
User Delivery Servers
We have added support for
User Delivery Servers, using this feature it is now
possible to deliver mail for different users in a domain to different servers.
User Delivery Servers are added to a domain, and can then be assigned to user
accounts in that domain.
User Delivery Servers can be added to a domain as well as assigned
to a user.
For more info refer to User Delivery Servers
We have added support for
SmartHosts, using this feature it is now possible
to route outbound mail for a domain or an organization via an upstream smarthost.
This feature is useful for customers who want to send out mail via an external server that performs branding for example or archiving.
At the moment
IP Address and
SMTP AUTH based routing is supported. For
SMTP AUTH the
PLAIN mechanisms are supported over TLS.
SAML2 external authentication support
Due to the way in which this protocol works, it is not possible to login from the main login page. A special url has been created which you will need to provide your users with the url takes the following format:
So if your baruwa url is
baruwa.example.com and the SAML2 enabled domain is
example.net then the url to use will be:
The metadata for any domains you configure for SAML2 external authentication will be available at:
As is with the above
example.net domain the metadata url will be:
This is a technology preview so please test before putting into full scale production.
TOTP Two Factor OTP authentication support
TOTP based Two Factor Authentication is supported. Any device or App that can generate TOTP tokens as well as scan QRcodes can be used. We recommend FreeOTP which is open source and developed by Redhat and available for Andriod and IOS.
Avast Anti Virus Engine support
The Avast Anti Virus Engine is now supported and can be configured as an SMTP Time or POST SMTP Time Anti Virus Engine. Avast AV requires a subscription, which you can purchase from us.
Support for blank email addresses in lists manager
It is now possible to enter a blank from address in the lists manager, this allows users to manage list entries for senders that set a blank <> address such as auto responders, bounce messages, etc.
Support for disabling search
Indexed search is resource intensive, in some setups it is not worth the expense deploying extra resources to manage search. It is now possible to disable indexed search. Users can then use filters to find the messages they need.
An option has been added to
baruwa-setup to allow for enabling and disabling of
the search functionality.
Modular external authentication
External authentication is now modular meaning that you can install only the external authentication methods that you require and use. For example if you do not use LDAP you can disable that module.
On upgrade all external authentication modules will be disabled make sure that
you enable the ones that you use in
Scanner RAM disk support
The mail scanning component now supports the use of a RAM disk. This can be used on systems where disk access is slow and causing a bottleneck. This option requires 1GB of dedicated RAM to operate correctly.
To enable use of the RAM disk, enable that in
Optimization of MTA configuration
The MTA dynamic configuration system has been optimized by consolidating the settings in to fewer files. This improves system performance by keeping less files open at any time.
The number of configuration screens in clustered systems has been reduced. Most of the configuration options have been moved to the backend systems. For most options you only need to set them once on the bootstrap server. The other members of the cluster then pull these cluster wide configurations from the bootstrap server.
This is improves on the previous configuration where you needed to re-enter the same settings on several servers.
Due to the above changes, when upgrading you need to check the settings on your frontend systems and add those settings to your bootstrap server before running the updates on the frontend systems.
Improved Archive filtering
Filtering of archive contents has been improved. More archive types are now supported including 7zip based archives.
External authentication is now modular, all modules are disabled by default on upgrade. You need to explicitly enable the modules that you want to use.
Encrypt all backend traffic
Encrypt all backend traffic option has been depreciated as backend
encryption is now mandatory.
Memcached is now an optional component. It was previously a mandatory component
If you are using a custom template and do not update your templates you will ran into issues, ensure that you update your templates on upgrade.
Make sure that you copy the configuration settings from existing frontend systems to your bootstrap server prior to updating the frontend systems.
You can get the settings from your frontend system by running the
baruwa-setup -e command
MTA configuration overide for SMTP Time scanning changes
The MTA configuration overide for SMTP Time scanning have changed, please read the documentation and update your custom overides.
Firewall rules overwrite
On some system profiles especially the clustered ones, the firewal rules will be overwritten. If you have custom rules you need to readd them after the upgrade
The CA file /etc/pki/BaruwaCA/certs/BaruwaCA.pem is missing
You need to copy that file over from your bootstap server.
Please ensure you have sufficient free space on your system before starting with the upgrade. On database and backend systems you need to have 3 times the size of /var/lib/pgsql available.
WebApp Error: <class ‘socket.gaierror’>: [Errno -2] Name or service
This means that localhost4 is not configured as an entry for 127.0.0.1 in /etc/hosts. You need to modify that and add an entry for localhost4
no quorum: only 1 vote(s) for Legion baruwacluster, 2 needed to elect a Lord
Refer to the solution for digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c below.
digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c
If you have the above error in your logs then it means the autogenerated session key on the backend in a cluster contains unwanted characters.
A manual fix to the database is required. Follow the following steps on the backend server or database server.
Generate a 35 character random string as follows:
mkpasswd -l 35 -s 0
Connect to your baruwa-setup database:
Enter the following commands at the
_pp_with your actual passphrase,
_rand_string_with string from step 1:
PRAGMA KEY="_pp_"; UPDATE baruwasetup SET session_secret="_rand_string_"; .quit
Run the baruwa-setup command on your backend server and repeat on your nodes.