Technical Faqs

Answers to many common technical questions.

How do i request a new feature ?

Answer: Use the issue tracker

Open a feature request on the issue tracker

How do i report a non security bug ?

Answer: Use the issue tracker

Open a bug report on the issue tracker

How do i report a security bug ?

Answer: Email security@baruwa.com

If you think you’ve found a security vulnerability with Baruwa, please send a message to security@baruwa.com. Do NOT post a bug report to our issue tracking system or disclose the issue on our mailing lists.

How do i disable TLS 1.0 and TLS 1.1 on SMTP ports ?

To disable TLS versions 1.0 and 1.1 which are now considered legacy TLS versions run baruwa-setup and check the Disable Legacy SMTP TLS protocols option on the MTA More Settings screen.

Note

Disabling the legacy TLS versions may lead to you not recieving mail from systems that do not support the newer TLS versions.

How do i tailor Baruwa Enterprise Edition to my specific needs ?

Refer to the Customization section.

Can i manage Baruwa Enterprise Edition servers without using baruwa-setup ?

Answer: Yes

Yes you can, you can choose to do the configuration manually or using a configuration management too. SaltStack can be used easily as we provide salt states which are used by baruwa-setup in the background. You could also convert this states to a different configuration management tool.

How do i rebrand Baruwa Enterprise Edition servers ?

Refer to the Themes section, note that if you would like to remove the powered by notices you need to purchase a branding license.

What happens if i remove/hide/obscure the copyright notices without a license ?

That is a violation of the terms and we will revoke your subscription without a refund of any sums paid.

Where can i download rpm or deb packages to install on my system ?

We no longer provide packages, the solution is now packaged as a custom OS.

What are the settings i should use to configure LDAP/AD ?

The short answer is if you are asking, you probably should not be using LDAP/AD as you could inadvertently open yourself up to security holes.

The long answer is all LDAP directories are not setup in the same way, so there is no one size fits all configuration we can provide.

It is advisable you create an account with very limited privileges in the directory to use for the LDAP operations and bind as that account.

The following are common configurations that you could attempt.

Setting	Description	Active Directory	OpenLDAP
Base DN	The location within the directory to start searching	dc=domain,dc=com	dc=domain,dc=com
Username Attribute	The directory attribute in which the username is stored	samAccountName, userPrincipalName	uid
Email attribute	The directory attribute in which the email address is stored	mail	mail
Bind DN	The DN to bind as to perform operations	cn=Administrator,cn=users,dc=domain,dc=com, Administrator@domain.com	cn=root,dc=domain,dc=com
Bind password	The password for the Bind DN
Use TLS	Use the STARTTLS option
Search for userDN	Search for the userDN to bind to	Yes in most cases	No in most cases
Email Search Filter	The filter used to locate email addresses in an entry	(|(proxyAddresses=SMTP:%u@%d) (proxyAddress=smtp:%u@%d)(mail=%u@%d))	mail=%u@%d

The web interface is slow, what could cause this ?

The web inferface may slow down due to a range of issues:

1. Insufficient system resources
2. Insufficient network capacity
3. Incorrectly configured IPv6 network

Insufficient system resources

Check our system and ensure you have enough system resources to handle the amount of web and smtp traffic your system processes.

Insufficient network capacity

Check your network capacity and ensure it is sufficient to handle the amount of network traffic inbound and outbound from your system.

Incorrectly configured IPv6 network

Due to the fact that IPv6 is not widely deployed most networks do not handle IPv6 traffic as well as they do with IPv4.

Disabling IPv6 on your non loopback interfaces can improve the web interface performance by large margins.

You can disable IPv6 on a non loopback interface by setting the variable IPV6INIT in the the interface configuration file under /etc/sysconfig/network-scripts/ to no and then restarting the network service.

Note

Do not disable IPv6 globally or on the loopback interface lo as that is required for message queue service.

Which MTA does Baruwa Enterprise use ?

Answer: Exim

Baruwa Enterprise uses a customized version of the Exim MTA

How long are MTA recipient callback responses cached ?

Note

The format for the options callout_negative_expire, callout_positive_expire, callout_domain_negative_expire and callout_domain_positive_expire is 1m, 1h, 1d for minutes, hours, days respectively

Both positive and negative callback responses are cached. Two kind of cache records are supported:

• Specific email address
• Whole domain

Specific email address

Negative address records are cached for 2 hours, while positive address records are cached for 24 hours.

The above defaults can be modified by setting callout_negative_expire for negative address records and callout_positive_expire for positive address records in the custom variable override file /etc/exim/custom-vars.post.

Domain address

If a delivery server gives a negative response to an SMTP connection, or rejects any commands up to and including MAIL FROM: any callout attempt is bound to fail. The MTA remembers such failures in a domain cache record, which it uses to fail callouts for the domain without making new connections, until the domain record times out.

Negative domain records are cached for 3 hours, while positive domain records are cached for 7 days.

The above defaults can be modified by setting callout_domain_negative_expire for negative domain records and callout_domain_positive_expire for positive domain records in the custom variable override file /etc/exim/custom-vars.post.

The callout caching mechanism is based on the domain of the address that is being tested. If the domain routes to several hosts, it is assumed that their behaviour will be the same.

How do i clear the MTA recipient callback responses cache ?

The MTA recipient callback responses cache can be cleared by running the following command:

/usr/sbin/exim_tidydb -t 1m /var/spool/exim.in callout

SMTP AUTH on port 25 no longer works, why ?

SMTP AUTH is no longer offered on port 25 starting with BaruwaOS 6.7.4. The reason for this is documented in the release notes at SMTP Authentication

How do i allow attachments blocked by content protection through ?

You can clone the default built in content protection ruleset and then you can disable or alter the rule that is blocking the file. You can then either assign your new custom ruleset to either the domain in question or globally if you want the change across the system.

More information on what content protection is and how to manage it is available in the following sections of the documentation

• Content Protection Overview
• Content Protection Configuration

How do i allow Excel Binary Workbook files (.xlsb) blocked by content protection through ?

Warning

Excel Binary Workbook files can be used to propagate malware and cryptoware, exercise extreme caution when allowing domains to receive such files. If possible allow only for specific senders to specific recipients.

1. Clone the default built in Archive Mime Policy, enable and save.
2. Add a rule to the new cloned policy with Expression set to COFF format alpha executable stripped and Action set to allow
3. Assign the new cloned policy to the domain or the recipient.

How do i create a content protection policy for a sender ?

The content protection policies that are managed via the web interface can be assigned to domains or globally. This means that the policy will apply to all senders to the recipient domain in case of assignment to a domain or all senders to all domains in case of global assignment.

To set a granualer content protection policy you need to use the customization system which requires manual setup via the command line.

Create a policy from a sender to all recipients

To setup a content protection policy for a sender you need to follow the process below.

The example below uses sender@senderdomain.com as the sender we are configuring the policy for, change this to your specific sender. Wildcards "*" can be used as well for example *@senderdomain.com.

1. Login to your server and go to Settings -> Content protection -> File policies.

2. Click clone policy -> change policy name to sender-name-policy or a name of your choice -> Clone policy

3. Click actions (sender-name-policy) check enabled -> Update policy

4. Make the changes you want to the specific rules you want to disable or add new rules you want to include

5. SSH into the server as root user

6. Create the file /etc/BaruwaScanner/baruwa/rules/filename.rules.local with the following contents:

   From:       sender@senderdomain.com /etc/BaruwaScanner/baruwa/rules/sender-name-policy-policy.conf
   

7. Run the command paster update-rulesets to merge your rules

8. Restart the scanner process service baruwascanner restart

9. Run baruwa-logs to check for rule errors.

Create a policy from a sender to a specific recipient

To setup a content protection policy from a sender to a specific recipient, you need to follow the process below.

The example below uses sender@senderdomain.com as the sender and recipient@recipientdomain.com as the recipient. Change these for your specific use case. Wildcards "*" are supported for example *@senderdomain.com or *@recipientdomain.com

1. Login to your server and go to Settings -> Content protection -> File policies.

2. Click clone policy -> change policy name to sender-to-recipient-name-policy or a name of your choice -> Clone policy

3. Click actions (sender-to-recipient-name-policy) check enabled -> Update policy

4. Make the changes you want to the specific rules you want to disable or add new rules you want to include

5. SSH into the server as root user

6. Create the file /etc/BaruwaScanner/baruwa/rules/filename.rules.local with the following contents:

   From:   sender@senderdomain.com and     To:     recipient@recipientdomain.com   /etc/BaruwaScanner/baruwa/rules/sender-to-recipient-name-policy.conf
   

7. Run the command paster update-rulesets to merge your rules

8. Restart the scanner process service baruwascanner restart

9. Run baruwa-logs to check for rule errors.

How do i disable phishing checks for recipient ?

Warning

We strongly recommend that you do NOT disable phishing checks.

Phishing checks prevent your users from being tricked in to clicking illegitimate links that are masquerading as the real thing. Phishing can be used to steal confidential information such as banking details or infect a user with malware.

If you choose to ignore all the warnings above and proceed you can follow the processes below.

To disable phishing you need to use the customization system which requires manual setup via the command line.

1. SSH into the server as root user

2. Create the ruleset file /etc/BaruwaScanner/rules/phishing.checks.rules with the following contents:

   # Default rule do not remove, add rules above this
   FromOrTo:       default         yes
   

3. Set the correct permissions on the file as follows:

   chmod 0644 /etc/BaruwaScanner/rules/phishing.checks.rules
   chown root.root /etc/BaruwaScanner/rules/phishing.checks.rules
   

4. Update the Scanner configuration to use the ruleset file:

   egrep "Find Phishing Fraud\s+=\s+yes" /etc/BaruwaScanner/BaruwaScanner.conf >/dev/null && {
       sed -i -e "s/Find Phishing Fraud\s\+=\s\+yes/Find Phishing Fraud = %rules-dir%\/phishing.checks.rules/" /etc/BaruwaScanner/BaruwaScanner.conf
   }
   

5. You can now proceed to either How do i disable phishing checks for a recipient domain ?, How do i disable phishing checks for a recipient email address ?, How do i disable phishing checks for a sender domain ? or How do i disable phishing checks for a sender email address ?.

How do i disable phishing checks for a recipient domain ?

This example uses example.com as the recipient domain for which phishing checks are being disabled.

1. Complete the process described in How do i disable phishing checks for recipient ?

2. SSH into the server as root user

3. Edit the ruleset file /etc/BaruwaScanner/rules/phishing.checks.rules and add the following above the # Default rule do not remove, add rules above this comment:

   To:       *@example.com         no
   

4. Reload the scanner service service baruwascanner reload

5. Run baruwa-logs to check for rule errors.

How do i disable phishing checks for a recipient email address ?

This example uses user@example.com as the email address for which phishing checks are being disabled.

1. Complete the process described in How do i disable phishing checks for recipient ?

2. SSH into the server as root user

3. Edit the file /etc/BaruwaScanner/rules/phishing.checks.rules and add the following above the # Default rule do not remove, add rules above this comment:

   To:       user@example.com         no
   

4. Reload the scanner service service baruwascanner reload

5. Run baruwa-logs to check for rule errors.

How do i disable phishing checks for a sender domain ?

This example uses example.com as the sender domain for which phishing checks are being disabled. Use this to allow domains to send outbound without phishing checks.

1. Complete the process described in How do i disable phishing checks for recipient ?

2. SSH into the server as root user

3. Edit the ruleset file /etc/BaruwaScanner/rules/phishing.checks.rules and add the following above the # Default rule do not remove, add rules above this comment:

   From:       *@example.com         no
   

4. Reload the scanner service service baruwascanner reload

5. Run baruwa-logs to check for rule errors.

How do i disable phishing checks for a sender email address ?

This example uses user@example.com as the sender email address for which phishing checks are being disabled. Use this to allow email addresses to send outbound without phishing checks.

1. Complete the process described in How do i disable phishing checks for recipient ?

2. SSH into the server as root user

3. Edit the file /etc/BaruwaScanner/rules/phishing.checks.rules and add the following above the # Default rule do not remove, add rules above this comment:

   From:       user@example.com         no
   

4. Reload the scanner service service baruwascanner reload

5. Run baruwa-logs to check for rule errors.

How do i add a default delivery server ?

In Baruwa default delivery servers are called Fallback servers and they can be added to an Organization. Any domain in the Organization which does not have a delivery server configured will use the Fallback servers configured for that organization.

Refer to Fallback servers for more info.

How do i uninstall Baruwa Enterprise Edition ?

Baruwa Enterprise Edition is an operating system not an application, to remove it from your computer system you need to reformat the hard drive and install a different operating system.

How do i remove Baruwa ?

Refer to How do i uninstall Baruwa Enterprise Edition ?

My messages are incorrectly flagged as spam by BAYES_95 or BAYES_99, how do i fix it ?

Messages are flagged with rules BAYES_95 and BAYES_99 when the bayesian system has been taught that similar messages are spam. This could be as a result of users inadvertently marking messages as spam or due to bayes poisoning where spam messages contain normal parts.

To fix this issue you need to reset the bayes database and restart learning. To do so run the following commands:

sa-learn -D --clear
service baruwascanner reload

How do i disable a ClamAV signature ?

You can disable ClamAV signatures by adding them to the local.ign2 file on your server. This file is located in your ClamAV signatures directory /var/lib/clamav.

By default the file does not exist so you will have to create it the first time you add a signature.

To disable the signature Win.Exploit.CVE_2019_0903-6966169-0 for example you can run the following:

cat >> /var/lib/clamav/local.ign2 << 'EOF'
Win.Exploit.CVE_2019_0903-6966169-0
EOF
chmod 0644 /var/lib/clamav/local.ign2
chown clam.clam /var/lib/clamav/local.ign2
service clamd reload

Note

If the signature name contains .UNOFFICIAL you have to remove that part of the name.

My messages match ClamAV signature Heuristics.OLE2.ContainsMacros, how do i allow them through ?

The message contains an attachment that contains macros and you have configured the system to block documents with macros. You can disable blocking of documents containing macros for users, domains or outbound relay clients.

My messages match ClamAV signature Heuristics.Phishing.Email.SpoofedDomain, how do i allow them through ?

This signature matches messages that contain links that are spoofed. For example where the link text says example.com but the actual url is different say urlrewritter.com.

Technically the above is phishing/spoofing but in some cases it may be benign and you want to allow the message through. In those cases you need to add the url to a signature allowed list.

To do that follow the steps below.

1. Create or update the file /var/lib/clamav/local.wdb

2. Add the following line to the file (replace urlrewritter.com with the actual url).:

   X:urlrewritter\.com([/?].*)?:[^/].+([/?].*)?:17-
   

3. Set the correct permissions and ownership as follows.:

   chmod 0640 /var/lib/clamav/local.wdb
   chown clam.clam /var/lib/clamav/local.wdb
   

4. Restart the clamd service:

   service clamd restart
   

How do i identify the spoofed url in an email triggering the Heuristics.Phishing.Email.SpoofedDomain signature ?

Obtain the email in RFC822 format and copy it to your baruwa server and run it through ClamAV as follows:

clamscan --debug spoofed-test-email2.eml

The debug output will contain information on the phish urls identified that trigger the rule.

How do i allow attachments with macros only from specific senders ?

Warning

We strongly recommend that you block emails with attachments that contain macros.

Email attachments which contain documents with macros are the leading means of propagating malware and cryptoware as well as zero day attacks.

If you choose to ignore all the warnings above and proceed you can follow the processes below.

To allow attachments with macros you need to use the customization system which requires manual setup via the command line.

1. SSH into the server as root user

2. Create the ruleset file /etc/BaruwaScanner/baruwa/rules/blockmacros.rules.local

3. Set the correct permissions on the file as follows:

   chmod 0644 /etc/BaruwaScanner/baruwa/rules/blockmacros.rules.local
   chown root.root /etc/BaruwaScanner/baruwa/rules/blockmacros.rules.local
   

How do i allow attachments containing macros from specific sender to a domain ?

This example uses example.com as the recipient domain and example.net as the sender domain for who attachments containing macros are to be allowed.

The first line(4.) disables blocking of attachments containing macros from the sender domain(example.net) to the recipient domain (example.com) while the second line is the catch all which blocks all others.

To allow only a specific sender email address change the *@example.net to sender@example.net. To allow only to a specific recipient email address refer to How do i allow attachments containing macros from specific sender to an email address ?

Note

Only one catch all is required, if it already exists add new rules above it.

1. Complete the process described in How do i allow attachments with macros only from specific senders ? if not yet completed.

2. Login to the web interface and ensure the Block Attachments with Macros option is turned off for the domain example.com. This ensures that the email is not rejected at SMTP time

3. SSH into the server as root user

4. Edit the ruleset file /etc/BaruwaScanner/baruwa/rules/blockmacros.rules.local and add the following at the top:

   From:       *@example.net       and To: *@example.com   no
   FromOrTo:   *@example.com       yes
   

5. Run the command to update the rulesets paster update-rulesets

6. Reload the scanner service service baruwascanner reload

7. Run baruwa-logs to check for rule errors.

How do i allow attachments containing macros from specific sender to an email address ?

This example uses recipient@example.com as the recipient email address and sender@example.net as the sender email address for who attachments containing macros are to be allowed.

The first line(4.) disables blocking of attachments containing macros from the sender email address (sender@example.net) to the recipient email address(recipient@example.com) while the second line is the catch all which blocks all others.

To allow from the whole sender domain change sender@example.net to *@example.net. To allow to the whole recipient domain refer to How do i allow attachments containing macros from specific sender to a domain ?.

Note

Only one catch all is required, if it already exists add new rules above it.

1. Complete the process described in How do i allow attachments with macros only from specific senders ? if not yet completed.

2. Login to the web interface and ensure the Block Attachments with Macros option is turned off for the user with email address recipient@example.com. This ensures that the email is not rejected at SMTP time

3. SSH into the server as root user

4. Edit the ruleset file /etc/BaruwaScanner/baruwa/rules/blockmacros.rules.local and add the following at the top:

   From:       sender@example.net       and To: recipient@example.com   no
   FromOrTo:   *@example.com       yes
   

5. Run the command to update the rulesets paster update-rulesets

6. Reload the scanner service service baruwascanner reload

7. Run baruwa-logs to check for rule errors.

Baruwa is rejecting messages at SMTP time but i would like the messages available in the interface

To prevent messages from being rejected at SMTP time, you need to turn off the Enable SMTP Time Rejection option in baruwa-setup.

I want all messages logged regardless of status, what do i do ?

You need to turn off the Enable SMTP Time Rejection option in baruwa-setup.

How do i recover the rabbitmq cluster after a power failure takes down all nodes ?

It is recommended that backend cluster members are located in different locations to prevent power failures taking down the whole cluster. How ever due to various reasons some users do not implement their clusters this way.

In cases where all cluster members go down without proper shutdown such as in event of a power failure the rabbitmq service does not startup when the cluster is brought up.

To get the cluster to startup you need to run the following command on one of the cluster members preferably the bootstrap server.:

rabbitmqctl force_boot
service rabbitmq-server start

Once you have confirmed that this server is up and running you can then start up the other servers.

How do i sync a database cluster member that has fallen behind ?

In most cases members of a cluster that have short downtime periods automatically catch up when brought back up. But in cases with high database traffic this may not be the case.

The easiest way to get the member back up and running is to reinit it as follows.:

service patroni stop
rm -rvf /var/lib/pgsql/10/data/*
service patroni start

The server will copy all the required data from the current master and join the cluster. You can then confirm that there is no more lag using the patronictl list command.

How do i fix repackdb errors ?

Standalone

Run the following commands.:

source /etc/sysconfig/BaruwaScanner
psql -Upostgres -h${dbhost} -p${dbport} ${dbname} -c "DROP EXTENSION pg_repack CASCADE"
baruwa-setup -c -n

Cluster

Run the following commands on a node (One node).:

source /etc/sysconfig/BaruwaScanner
psql -Upostgres -h${dbhost} -p${dbport} ${dbname} -c "DROP EXTENSION pg_repack CASCADE"

Run the following commands on the backend.:

baruwa-setup -c -n

How do i reindex the search index ?

Standalone

Run the following commands.:

service searchd stop
rm -rvf /var/lib/manticore/*
indexer --all
service searchd start

Cluster

Run the following commands on the backend or indexer:

service searchd stop
rm -rvf /var/lib/manticore/*
indexer --all
service searchd start

Help my inbound queue is building up, what should i do ?

The buildup of the inbound queue and the subsequent slow processing of messages is usually due to the following:

• Blocked or slow Network IO
• Slow Disk IO
• Insufficient system resources

Blocked or slow Network IO

In most cases this is due to incorrectly configured firewalls or network gateways not allowing the required traffic out or the replies back in.

To resolve this ensure that all required traffic is allowed unfiltered. The traffic that should be allowed is documented in the planning section.

Some firewalls and network gateways have features such as inspection, fixups and ratelimiting which intercept and delay network traffic, ensure these are turned off for the hosts in question.

Slow Disk IO

This can lead to the system failing to keep up with the number of messages it is scanning ensure you have good quality disk IO especially if you are on virtual servers. For physical servers ensure you have good quality disks and efficient bus hardware.

Insufficient system resources

This will cause issues with efficient message processing as well. Ensure you have sufficient RAM and CPU resources for the amount of mail you are processing. In virtual environments software CPU’s will cause more harm than good. Ensure that the CPU’s assigned to the guest are backed by actual physical CPU’s.

How do i enable remote technical support access ?

We use SSH Keys to access your system, need to install our ssh key below to the authorized_keys file of the account you want us to access. We require access to accounts with root privileges either as root directly or via an account with sudo access to root.

You can restrict access on your firewall to our remote support system: support.baruwa.com (84.200.48.209)

SSH KEY

# == start key
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC86+4YcvrDXdBFkrxtQnNGNXJ8ccqcbecs//qw8B/ltwLvLL0VXeS0m1dimlzw4gXz4U4q+ZxFBzMPJgje5JnFFa75PaYDTwJ/ZQeE/j85uEVJB4WFXFbqMbFUBYFP13y3HLVQ/eaX+OdPnRlyJU03pwgPo9kSnaO4x7aJyM9WiFLSQW/WB6n7nJtHqLXAqYrpjLL3ivR9icr04Zmql6+wU3fWRAWr4Mu4UcKh5ko4SsZk+DzbhSUnQ8IuCzOU39j3tx2Xbvm0rRCYZjje0jrjPiX88Dpk2C3CWBTU8tawssEZ7g1zc0a0wUGeBiTYKlXGSpy5hCNK725mQtvxeAZ/fbN87CFdC1UWyxExVSgiKJJu8Fmmp95QJGRfb+dmBGLcfsakaBvPtE2IE50uiMpb/iziTYr9hhJuXtnn8lJFlNGlxDurjvKj6BZ/wbmupYe4mkMt/JJFzgD9ZLsM1/ph66a8u1U0pz1cd/tZUsMrjQ5E5cKd4VPX+9DMgZugzXU0HA0CrsAm4eU7ukNbhA3u1MR12NYO4v+ytS/VtWWMBninlHABlE5A34E0FSUU9lNdSAG9k7diiX096m4WOPtahTec9QML7AZ7CXVA0FlRSEbMREiUFKEPpb5YP0owAkAsdmFKCmfG4FbBs8tCRouY/pcdi4GjgudLxN8QRiqKUQ== enterprise-support@support.baruwa.com
# == end key

How do i get a Maxmind Account ID and License Key ?

As of 30th Dec 2019 Maxmind requires an Account ID and a License Key to access the free GeoIP databases. Please refer to this post on their blog.

How do i fix geoipupdate error “Your account ID or license key is invalid” ?

Update your system, then set the Maxmind Account ID and License Key settings in baruwa-setup.

How do i fix baruwa-setup error “Service searchd is already enabled, and is dead” ?

Check the manticore log file /var/log/manticore/searchd.log. If you find the following error FATAL: invalid meta file /var/lib/manticore/binlog.meta, you need to remove the bin logs and restart the service as follows:

rm -vf /var/lib/manticore/binlog.*
service searchd start

You can then run baruwa-setup again and it should complete successfully.

How do i fix baruwa-setup error “augeas.change[baruwa-update-maxminddb-conf] failed => Error: Unable to save to file!” ?

That error is caused by missing/unset MaxMind Settings.

In a cluster you need to run baruwa-setup without options and set the backend MaxMind Settings or the database MaxMind Settings. On successfully completion of the baruwa-setup command you need to rerun it on the other cluster members to allow them to pick up the MaxMind Settings from the backend.

On a standalone system you need to run baruwa-setup without options and set the MaxMind Settings.

How do i fix baruwa-setup error “cmd.run[baruwascanner-initial-baruwa-sa-update] │ failed => Command “sa-update –gpgkey 70F416A6 –channel saupdate.baruwa.com”” ?

This error is caused by an incorrectly configured IPv6 network. DNS queries sent over this IPv6 network are not resolving.

The fix is to run all queries over the IPv4 network. To do so override your DNS cache server configuration as follows:

echo "do-ip6: no" >> /etc/unbound/local.d/overrides.conf
service unbound restart

You can then run baruwa-setup again.

How do i fix freshclam error “initialize: libfreshclam init failed” ?

This error occurs when there is a stuck freshclam process that prevents newer processes for locking the log file and then executing.

To fix this you need to kill the freshclam process that is stuck.

You can ran the following commands as the root user via the commandline:

for pid in $(pgrep freshclam); do
    kill -9 "${pid}"
done

That should kill the process, allowing for new processes to run.