Backend Systems subscriptions
Beginning with BaruwaOS 6.7.4 backend systems will require a subscription. Existing systems installed prior to 6.7.4 being released are exempt from this requirement.
The configuration on Standalone profiles has been simplified: there are fewer screens and most of the credentials are now generated automatically.
This reduces human error and improves security, as the generated credentials are strong.
Built in Cache
A new built in caching mechanism has been added that allows for replacement of the current memcached solution.
The built in cache is the default cache on new
and can also be used on the Web and Mail System and the Web Interface System profiles.
In a clustered setup port 11211 needs to be allowed inbound to the system. This port is used by the nodes in a cluster to replicate cache data.
The memcached cache can still be used. The Enable Memcache option on Management Other Settings screen of the baruwa-setup utility can be used to enable or disable memcached.
This option is important for environments where memcached errors are frequent.
A loose cluster master system has been introduced. Nodes in a cluster can now elect a leader node.
The leader node is the node that performs tasks that must only be carried out by one system within the cluster at a time, such as sending reports or cleaning up the quarantine.
The cluster traffic used to elect the leader node is sent on port 3542. This port needs to be allowed on firewalls between the nodes in both directions.
The cluster leader elections only take place on
Web and Mail System
The other systems use a distributed locking system to ensure that tasks are executed by only one server in a cluster.
The data import system has been overhauled. The previous system was unable to import all the data required to set up fully functional systems.
The new system uses the YAML format to import organizations, relay settings, domain administrators, domains, domain aliases, delivery servers, authentication servers and user accounts.
It is also possible to import just domains or accounts into an existing organization or domain respectively.
The old system that used CSV files has been removed.
The data export system has been overhauled. The previous system was unable to export all the setup data.
The new system exports data in the YAML format and includes almost all the configuration data on the system.
Organizations can be exported and will include all the data within the organization, which includes relay settings, domain administrators, domains, domain aliases, delivery servers, authentication servers, lists, signatures, DKIM settings and user accounts.
It is also possible to export domains and accounts with the data contained in those containers.
Passwords are not part of the data export. The password entries will be blank in any export.
The old system that exported data to CSV files has been removed.
Web and Mail System profiles, scheduled tasks are now run using the uWSGI system, not the traditional cron system.
This integrates with the Cluster Master system to ensure that tasks are run by only one node in a cluster.
Web and Mail System profiles backend tasks are now run using the uWSGI system; the standalone Baruwa service is no longer required or installed.
Mail System profiles which do not run the uWSGI system a baruwa-service package is installed; this provides the standalone Baruwa service.
Backend Traffic Encryption
It is now possible to encrypt all traffic between backend and front end nodes and between the backend nodes themselves.
The Encrypt all backend traffic option works by installing a TLS tunneling service which encrypts connections at the source and decrypts them at the destination for the specific application streams.
The Encrypt all backend traffic option can also be used on a LAN to thwart the capture of data by packet sniffing.
Certificates are authenticated using certificate pinning, which means you have to copy the server's certificate to the client.
On the server side the certificate file contains both the private key and the certificate. Do NOT copy the whole file to the client; copy only the certificate. To extract the certificate run the following command on the server:
openssl x509 -in /etc/pki/baruwa/certs/$(hostname).pem
On the client side the certificates need to be stored in
_IPADDRESS_ is the IP address of the server configured in the baruwa-setup utility
The Encrypt all backend traffic option must be configured on all systems in the cluster, both front end and backend, for the cluster to function correctly.
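The certificate-only handoff described above, as an added example that is not part of the BaruwaOS documentation: it strips the private key from a combined PEM file, refuses to write a client copy that is empty or carries key material, and derives a SHA-256 pin that can be compared on server and client. The sample PEM bodies, the temporary paths and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not BaruwaOS code). All sample PEM bodies are constructed.

# Print only the CERTIFICATE blocks of a PEM file.
extract_cert_only() {
    awk '/^-----BEGIN CERTIFICATE-----/ {keep = 1}
         keep {print}
         /^-----END CERTIFICATE-----/ {keep = 0}' "$1"
}

# Succeed if the file holds any PEM private key (PKCS#8, RSA, EC, encrypted).
contains_private_key() {
    grep -Eq -e '^-----BEGIN ([A-Z]+ )*PRIVATE KEY-----' "$1"
}

# SHA-256 over the DER bytes of the first certificate in the file; for a real
# certificate this matches `openssl x509 -noout -fingerprint -sha256` once the
# colons are removed and the hex is lower-cased.
pin_fingerprint() {
    extract_cert_only "$1" |
        awk '/^-----END CERTIFICATE-----/ {exit} !/^-----/ {print}' |
        base64 -d | sha256sum | cut -d' ' -f1
}

# Write the client copy; fail if it is empty or still carries key material.
export_for_client() {
    extract_cert_only "$1" > "$2"
    if contains_private_key "$2" || ! [ -s "$2" ]; then
        rm -f "$2"
        return 1
    fi
}

WORK=$(mktemp -d)
SERVER_PEM="$WORK/server.pem"      # stands in for the server's combined file
CLIENT_PEM="$WORK/client-copy.pem" # hypothetical name for the client copy
cat > "$SERVER_PEM" <<'EOF'
-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQgS0VZIEJZVEVT
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgQ0VSVCBCWVRFUw==
-----END CERTIFICATE-----
EOF

export_for_client "$SERVER_PEM" "$CLIENT_PEM" || echo "export refused"
echo "server pin: $(pin_fingerprint "$SERVER_PEM")"
echo "client pin: $(pin_fingerprint "$CLIENT_PEM")"
```

Matching pins on both hosts confirm the client holds the certificate the server presents; `contains_private_key` can also be run on the client copy after transfer as a final check.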
SMTP TLS Ciphers
Previously only strong ciphers were allowed on all SMTP connections. To allow for increased interoperability with other systems this has been changed to normal ciphers on port
Please refer to SMTP Authentication for the impact of this change.
Additional Anti Virus Engines
This release supports additional Anti Virus Engines alongside the built in ClamAV engine. The supported engines are documented in the Additional Anti Virus Engines section.
SNMP monitoring is now supported. It is documented in the SNMP section.
HTTP Proxy Protocol Support
The HTTP service now supports the Proxy Protocol, meaning Baruwa web services can now be placed behind load balancers that support the Proxy Protocol such as HAProxy and Amazon ELB. The proxy protocol makes the actual client IP address visible to the Baruwa service instead of having all requests appear like they came from the load balancer.
The SMTP service already supports the Proxy Protocol.
HTTP Log to Syslog
The HTTP service now supports the option to log to syslog. Using syslog the logs can be aggregated and processed.
The SMTP service already supports logging to syslog.
Added support for get domain by name
The following additional ports are now used.
|11211|UDP|BETWEEN NODES|CACHE SYNC TRAFFIC|
|3542|UDP|BETWEEN NODES|CLUSTER TRAFFIC|
SMTP Authentication on port 25 is no longer supported due to the SMTP TLS Ciphers change. SMTP AUTH is now only offered on ports
587 which still require strong
Relay settings configurations that use port 25 will need to be updated.
The Puppet configuration management system has been removed from BaruwaOS. The only supported configuration engine is now Salt.
It is still possible to import Puppet manifests as part of the upgrade.
Standalone profiles memcached has been deprecated; the Built in Cache system is now the default.
Messages that fail DKIM checks will no longer be blocked at SMTP time.
Importing of domains and accounts from CSV files is no longer supported. The CSV system has been replaced by the YAML Imports system.
Exporting of domains and accounts to CSV files is no longer supported. The CSV system has been replaced by the YAML Exports system.
ERROR: Pidfile (/var/run/baruwa/celeryd/celeryd.pid) already exists.
If you see the above error in your logs run the following commands:
kill `cat /var/run/baruwa/celeryd/celeryd.pid`
rm -vf /var/run/baruwa/celeryd/celeryd.pid
Service clamd is already enabled, and is dead
failed to open DB file /var/spool/exim.in/db/retry: Permission denied (euid=93 egid=93)
If you see the above error in your logs run the following command:
chown exim.exim /var/spool/exim.in/db/retry