Technical Faqs

Answers to many common technical questions.

How do i request a new feature ?

Answer: Use the issue tracker

Open a feature request on the issue tracker

How do i report a non security bug ?

Answer: Use the issue tracker

Open a bug report on the issue tracker

How do i report a security bug ?

Answer: Email security@baruwa.com

If you think you’ve found a security vulnerability with Baruwa, please send a message to security@baruwa.com. Do NOT post a bug report to our issue tracking system or disclose the issue on our mailing lists.

How do i disable TLS 1.0 on SMTP port 587 and 465 ?

To disable TLS 1.0 for SMTP ports 587 and 465 you need to run the following commands:

GNUTLS_CIPHERS="SECURE256:+SECURE128:-VERS-SSL3.0:-VERS-TLS1.0:-MD5:-ARCFOUR-128:-ARCFOUR-40:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC:%SERVER_PRECEDENCE"
echo "GNUTLS_CIPHERS      == ${GNUTLS_CIPHERS}" >> /etc/exim/macros.conf.local
service mailscanner restart

How do i tailor Baruwa Enterprise Edition to my specific needs ?

Refer to the Customization section.

Can i manage Baruwa Enterprise Edition servers without using baruwa-setup ?

Answer: Yes

Yes you can, you can choose to do the configuration manually or using a configuration management too. SaltStack can be used easily as we provide salt states which are used by baruwa-setup in the background. You could also convert this states to a different configuration management tool.

How do i rebrand Baruwa Enterprise Edition servers ?

Refer to the Themes section, note that if you would like to remove the powered by notices you need to purchase a branding license.

Where can i download rpm or deb packages to install on my system ?

We no longer provide packages, the solution is now packaged as a custom OS.

What are the settings i should use to configure LDAP/AD ?

The short answer is if you are asking, you probably should not be using LDAP/AD as you could inadvertently open yourself up to security holes.

The long answer is all LDAP directories are not setup in the same way, so there is no one size fits all configuration we can provide.

It is advisable you create an account with very limited privileges in the directory to use for the LDAP operations and bind as that account.

The following are common configurations that you could attempt.

Setting Description Active Directory OpenLDAP
Base DN The location within the directory to start searching dc=domain,dc=com dc=domain,dc=com
Username Attribute The directory attribute in which the username is stored samAccountName, userPrincipalName uid
Email attribute The directory attribute in which the email address is stored mail mail
Bind DN The DN to bind as to perform operations cn=Administrator,cn=users,dc=domain,dc=com, Administrator@domain.com cn=root,dc=domain,dc=com
Bind password The password for the Bind DN    
Use TLS Use the STARTTLS option    
Search for userDN Search for the userDN to bind to Yes in most cases No in most cases
Email Search Filter The filter used to locate email addresses in an entry (|(proxyAddresses=SMTP:%u@%d) (proxyAddress=smtp:%u@%d)(mail=%u@%d)) mail=%u@%d

The web interface is slow, what could cause this ?

The web inferface may slow down due to a range of issues:

  1. Insufficient system resources
  2. Insufficient network capacity
  3. Incorrectly configured IPv6 network

Insufficient system resources

Check our system and ensure you have enough system resources to handle the amount of web and smtp traffic your system processes.

Insufficient network capacity

Check your network capacity and ensure it is sufficient to handle the amount of network traffic inbound and outbound from your system.

Incorrectly configured IPv6 network

Due to the fact that IPv6 is not widely deployed most networks do not handle IPv6 traffic as well as they do with IPv4.

Disabling IPv6 on your non loopback interfaces can improve the web interface performance by large margins.

You can disable IPv6 on a non loopback interface by setting the variable IPV6INIT in the the interface configuration file under /etc/sysconfig/network-scripts/ to no and then restarting the network service.

Note

Do not disable IPv6 globally or on the loopback interface lo as that is required for message queue service.

Which MTA does Baruwa Enterprise use ?

Answer: Exim

Baruwa Enterprise uses a customized version of the Exim MTA

SMTP AUTH on port 25 no longer works, why ?

SMTP AUTH is no longer offered on port 25 starting with BaruwaOS 6.7.4. The reason for this is documented in the release notes at SMTP Authentication

How do i allow attachments blocked by content protection through ?

You can clone the default built in content protection ruleset and then you can disable or alter the rule that is blocking the file. You can then either assign your new custom ruleset to either the domain in question or globally if you want the change across the system.

More information on what content protection is and how to manage it is available in the following sections of the documentation

How do i create a content protection policy for a sender ?

The content protection policies that are managed via the web interface can be assigned to domains or globally. This means that the policy will apply to all senders to the recipient domain in case of assignment to a domain or all senders to all domains in case of global assignment.

To set a granualer content protection policy you need to use the customization system which requires manual setup via the command line.

Create a policy from a sender to all recipients

To setup a content protection policy for a sender you need to follow the process below.

The example below uses sender@senderdomain.com as the sender we are configuring the policy for, change this to your specific sender. Wildcards "*" can be used as well for example *@senderdomain.com.

  1. Login to your server and go to Settings -> Content protection -> File policies.

  2. Click clone policy -> change policy name to sender-name-policy or a name of your choice -> Clone policy

  3. Click actions (sender-name-policy) check enabled -> Update policy

  4. Make the changes you want to the specific rules you want to disable or add new rules you want to include

  5. SSH into the server as root user

  6. Create the file /etc/MailScanner/baruwa/rules/filename.rules.local with the following contents:

    From:       sender@senderdomain.com /etc/MailScanner/baruwa/rules/sender-name-policy-policy.conf
    
  7. Run the command paster update-rulesets to merge your rules

  8. Restart the scanner process service mailscanner restart

  9. Run baruwa-logs to check for rule errors.

Create a policy from a sender to a specific recipient

To setup a content protection policy from a sender to a specific recipient, you need to follow the process below.

The example below uses sender@senderdomain.com as the sender and recipient@recipientdomain.com as the recipient. Change these for your specific use case. Wildcards "*" are supported for example *@senderdomain.com or *@recipientdomain.com

  1. Login to your server and go to Settings -> Content protection -> File policies.

  2. Click clone policy -> change policy name to sender-to-recipient-name-policy or a name of your choice -> Clone policy

  3. Click actions (sender-to-recipient-name-policy) check enabled -> Update policy

  4. Make the changes you want to the specific rules you want to disable or add new rules you want to include

  5. SSH into the server as root user

  6. Create the file /etc/MailScanner/baruwa/rules/filename.rules.local with the following contents:

    From:   sender@senderdomain.com and     To:     recipient@recipientdomain.com   /etc/MailScanner/baruwa/rules/sender-to-recipient-name-policy.conf
    
  7. Run the command paster update-rulesets to merge your rules

  8. Restart the scanner process service mailscanner restart

  9. Run baruwa-logs to check for rule errors.

How do i add a default delivery server ?

In Baruwa default delivery servers are called Fallback servers and they can be added to an Organization. Any domain in the Organization which does not have a delivery server configured will use the Fallback servers configured for that organization.

Refer to Fallback servers for more info.

How do i uninstall Baruwa Enterprise Edition ?

Baruwa Enterprise Edition is an operating system not an application, to remove it from your computer system you need to reformat the hard drive and install a different operating system.

How do i remove Baruwa ?

Refer to How do i uninstall Baruwa Enterprise Edition ?

How do i disable a ClamAV signature ?

You can disable ClamAV signatures by adding them to the local.ign2 file on your server. This file is located in your ClamAV signatures directory /var/lib/clamav.

By default the file does not exist so you will have to create it the first time you add a signature.

To disable the signature Win.Exploit.CVE_2019_0903-6966169-0 for example you can run the following:

cat >> /var/lib/clamav/local.ign2 << 'EOF'
Win.Exploit.CVE_2019_0903-6966169-0
EOF
chmod 0644 /var/lib/clamav/local.ign2
chown clam.clam /var/lib/clamav/local.ign2
service clamd reload

My messages match ClamAV signature Heuristics.OLE2.ContainsMacros, how do i allow them through ?

The message contains an attachment that contains macros and you have configured the system to block documents with macros. You can disable blocking of documents containing macros for users, domains or outbound relay clients.

Baruwa is rejecting messages at SMTP time but i would like the messages available in the interface

To prevent messages from being rejected at SMTP time, you need to turn off the Enable SMTP Time Rejection option in baruwa-setup.

I want all messages logged regardless of status, what do i do ?

You need to turn off the Enable SMTP Time Rejection option in baruwa-setup.

How do i recover the rabbitmq cluster after a power failure takes down all nodes ?

It is recommended that backend cluster members are located in different locations to prevent power failures taking down the whole cluster. How ever due to various reasons some users do not implement their clusters this way.

In cases where all cluster members go down without proper shutdown such as in event of a power failure the rabbitmq service does not startup when the cluster is brought up.

To get the cluster to startup you need to run the following command on one of the cluster members preferably the bootstrap server.:

rabbitmqctl force_boot
service rabbitmq-server start

Once you have confirmed that this server is up and running you can then start up the other servers.

How do i sync a database cluster member that has fallen behind ?

In most cases members of a cluster that have short downtime periods automatically catch up when brought back up. But in cases with high database traffic this may not be the case.

The easiest way to get the member back up and running is to reinit it as follows.:

service patroni stop
rm -rvf /var/lib/pgsql/10/data/*
service patroni start

The server will copy all the required data from the current master and join the cluster. You can then confirm that there is no more lag using the patronictl list command.

How do i enable remote technical support access ?

We use SSH Keys to access your system, need to install our ssh key below to the authorized_keys file of the account you want us to access. We require access to accounts with root privileges either as root directly or via an account with sudo access to root.

You can restrict access on your firewall to our remote support system: support.baruwa.com (84.200.48.209)

SSH KEY

# == start key
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC86+4YcvrDXdBFkrxtQnNGNXJ8ccqcbecs//qw8B/ltwLvLL0VXeS0m1dimlzw4gXz4U4q+ZxFBzMPJgje5JnFFa75PaYDTwJ/ZQeE/j85uEVJB4WFXFbqMbFUBYFP13y3HLVQ/eaX+OdPnRlyJU03pwgPo9kSnaO4x7aJyM9WiFLSQW/WB6n7nJtHqLXAqYrpjLL3ivR9icr04Zmql6+wU3fWRAWr4Mu4UcKh5ko4SsZk+DzbhSUnQ8IuCzOU39j3tx2Xbvm0rRCYZjje0jrjPiX88Dpk2C3CWBTU8tawssEZ7g1zc0a0wUGeBiTYKlXGSpy5hCNK725mQtvxeAZ/fbN87CFdC1UWyxExVSgiKJJu8Fmmp95QJGRfb+dmBGLcfsakaBvPtE2IE50uiMpb/iziTYr9hhJuXtnn8lJFlNGlxDurjvKj6BZ/wbmupYe4mkMt/JJFzgD9ZLsM1/ph66a8u1U0pz1cd/tZUsMrjQ5E5cKd4VPX+9DMgZugzXU0HA0CrsAm4eU7ukNbhA3u1MR12NYO4v+ytS/VtWWMBninlHABlE5A34E0FSUU9lNdSAG9k7diiX096m4WOPtahTec9QML7AZ7CXVA0FlRSEbMREiUFKEPpb5YP0owAkAsdmFKCmfG4FbBs8tCRouY/pcdi4GjgudLxN8QRiqKUQ== enterprise-support@support.baruwa.com
# == end key