Manual Installation
Step 1: Installation requirements
You need a valid Baruwa enterprise subscription, which provides you with a server entitlement as well as an activation key to activate the entitlement.
Enable the EPEL repository
The EPEL repository is a volunteer-based community effort from the Fedora project to create a repository of high-quality add-on packages for Red Hat Enterprise Linux (RHEL) and its compatible spinoffs such as CentOS, Oracle Enterprise Linux or Scientific Linux. You can find more details on EPEL, including how to add it to your host, at http://fedoraproject.org/wiki/EPEL and http://fedoraproject.org/wiki/EPEL/FAQ#howtouse.
You need to enable this repo in order to access required packages:
rpm -Uvh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
Install Spacewalk client packages
Baruwa Enterprise Edition entitlements are managed by the Baruwa Network. The Baruwa Network uses the Spacewalk server to manage entitlements. In order to access the Baruwa Enterprise Edition repository you need to install the Spacewalk client tools. These tools are provided by the Spacewalk project via a yum repository which you need to enable:
rpm -Uvh http://yum.spacewalkproject.org/1.9/RHEL/6/x86_64/spacewalk-client-repo-1.9-1.el6.noarch.rpm
Having enabled the Spacewalk repository you can now install the Spacewalk client packages:
yum install rhn-client-tools rhn-check rhn-setup rhnsd m2crypto yum-rhn-plugin -y
Install Baruwa signing keys
The packages in the Baruwa CentOS/RHEL/SL enterprise repository are cryptographically signed using GPG keys. The package containing these GPG keys needs to be manually installed before continuing to the next step:
rpm -Uvh https://www.baruwa.com/downloads/baruwa-enterprise-release-6-2.noarch.rpm
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-BARUWA-ENTERPRISE-6
Activate Entitlement
The Baruwa CentOS/RHEL/SL enterprise repository is available to subscribers only. To install from this repo you need to activate the entitlement for the server that you are installing.
The server entitlement activation key is emailed to you when you purchase a subscription. Use the activation key to register your server with the Baruwa Network using the command below:
rhnreg_ks --serverUrl=https://bn.baruwa.com/XMLRPC --activationkey=<activation-key>
Install Caching DNS server
You need to use a local caching DNS server to improve the performance of various checks:
yum install bind
chkconfig --level 3 named on
service named start
Then make sure that the system uses this DNS server:
cat > /etc/resolv.conf << 'EOF'
nameserver 127.0.0.1
EOF
Note
Do NOT use public DNS servers such as Google DNS, OpenDNS or your ISP’s servers. If you do, your DNSBL checks will get a _BLOCKED response; see http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information.
Step 2: Upgrade all existing packages
Install any available system updates:
yum upgrade -y
Step 3: Install and configure supporting packages
Step 3a: PostgreSQL
This is the database backend used by Baruwa to store data. You only have to install the server if you are going to run the database on the same system as Baruwa:
yum install postgresql-server postgresql-plpython -y
We now need to set a password on the PostgreSQL postgres admin account. We use the password strongPgP4ss here; change this for your environment:
chown postgres.postgres /var/lib/pgsql
echo "strongPgP4ss" > /tmp/ps
su postgres -c "/usr/bin/initdb /var/lib/pgsql/data --auth='password' --pwfile=/tmp/ps -E UTF8"
rm -rf /tmp/ps
You now need to configure the authentication settings on your postgresql server, edit your pg_hba.conf file and change the entries to the following:
cat > /var/lib/pgsql/data/pg_hba.conf << 'EOF'
# TYPE DATABASE USER CIDR-ADDRESS METHOD
local all all md5
host all all 127.0.0.1/32 md5
host all all ::1/128 md5
EOF
Configure the server to use the UTC timezone as the default timezone:
sed -e "s/^#timezone = \(.*\)$/timezone = 'UTC'/" -i /var/lib/pgsql/data/postgresql.conf
Restart the service for the configuration changes to take effect:
service postgresql restart
With the server now started you can proceed to configuration. Here we will create a Baruwa postgresql database user account as well as a database to store Baruwa data.
We’re going to assume that the database is called baruwa, the postgresql user is called baruwa, and the password is password.
Create the Baruwa database user:
psql -Upostgres postgres -c "CREATE ROLE baruwa WITH LOGIN PASSWORD 'password';"
Create the database:
createdb -U postgres -E UTF8 -O baruwa -T template1 baruwa
Baruwa uses functions written in the plpgsql and plpythonu procedural languages. Enable these languages in the db:
psql -U postgres baruwa -c "CREATE LANGUAGE plpgsql;"
psql -U postgres baruwa -c "CREATE LANGUAGE plpythonu;"
We’re going to assume that the Bayes user is called bayes, and the password is password.
Create the Bayes database user:
psql -Upostgres postgres -c "CREATE ROLE bayes WITH LOGIN PASSWORD 'password';"
Create the SQL Auto Whitelisting Tables:
cat > /tmp/awl.sql << 'EOF'
CREATE TABLE awl (
username varchar(100) NOT NULL default '',
email varchar(255) NOT NULL default '',
ip varchar(40) NOT NULL default '',
count bigint NOT NULL default '0',
totscore float NOT NULL default '0',
signedby varchar(255) NOT NULL default '',
timestamp timestamp with time zone default timezone('utc'::text, now()),
PRIMARY KEY (username,email,signedby,ip)
);
EOF
psql -Ubaruwa baruwa -f /tmp/awl.sql
rm -f /tmp/awl.sql
Create the SQL Bayes tables using the Bayes SQL dump provided. Paste the contents into /tmp/bayes.sql, then run the following commands:
psql -Ubaruwa baruwa -f /tmp/bayes.sql
rm -f /tmp/bayes.sql
Grant the bayes user access to the bayes tables:
cat > /tmp/grants.sql << 'EOF'
GRANT SELECT, UPDATE, DELETE, INSERT ON TABLE bayes_token TO bayes;
GRANT SELECT, UPDATE, DELETE, INSERT ON TABLE bayes_vars TO bayes;
GRANT SELECT, DELETE, INSERT ON TABLE bayes_seen TO bayes;
GRANT SELECT, DELETE, INSERT ON TABLE bayes_expire TO bayes;
GRANT SELECT ON TABLE bayes_global_vars TO bayes;
GRANT UPDATE, SELECT, INSERT ON bayes_vars_id_seq TO bayes;
GRANT SELECT, UPDATE, DELETE, INSERT ON TABLE awl TO bayes;
EOF
psql -Upostgres baruwa -f /tmp/grants.sql
rm -f /tmp/grants.sql
Step 3b: RabbitMQ
The RabbitMQ server is used as the message broker to handle the processing of backend tasks such as releasing messages, reading queues and providing host status information.
Run the following commands to install and start RabbitMQ on your system:
yum install rabbitmq-server -y
service rabbitmq-server start
Now create a virtual host and a RabbitMQ user to be used by Baruwa.
We’re going to assume that the virtual host is called baruwa, the RabbitMQ user is called baruwa, and the password is mysecretpwd.
Create the user account, the virtual host and give the user permissions on the virtual host:
rabbitmqctl add_user baruwa mysecretpwd
rabbitmqctl add_vhost baruwa
rabbitmqctl set_permissions -p baruwa baruwa ".*" ".*" ".*"
Remove the guest user:
rabbitmqctl delete_user guest
Step 3c: Sphinx
The Sphinx search server provides fast indexed search results to queries submitted via Baruwa.
Run the following commands to install and start sphinx on your system:
yum install sphinx
Create a /etc/sphinx/sphinx.conf using the provided sample sphinx.conf
Set the required database settings:
sed -i -e 's:sql_host =:sql_host = 127.0.0.1:' \
-e 's:sql_user =:sql_user = baruwa:' \
-e 's:sql_pass =:sql_pass = password:' \
-e 's:sql_db =:sql_db = baruwa:' /etc/sphinx/sphinx.conf
Start the Sphinx server:
service searchd restart
chkconfig --level 3 searchd on
Step 3d: Memcached
Memcached is used to cache data and alleviate the load on the database backend as well as store sessions:
yum install memcached -y
service memcached start
chkconfig --level 3 memcached on
Step 3e: MailScanner
MailScanner is the integrated engine that performs the various checks used to identify and classify spam and various threats.
Baruwa manages the MailScanner configuration by storing the configurations in the PostgreSQL Database. MailScanner signatures can also be managed using Baruwa for both domains and individual users.
Install MailScanner:
yum install mailscanner clamd clamav clamav-unofficial-sigs -y
Create the following configuration files based on the samples provided.
- /etc/MailScanner/MailScanner.conf - MailScanner.conf
- /etc/exim/exim.conf - exim.conf
- /etc/exim/exim_out.conf - exim_out.conf
- /etc/exim/macros.conf - macros.conf
- /etc/exim4/trusted_configs - trusted_configs
- /etc/MailScanner/spam.assassin.prefs.conf - spam.assassin.prefs.conf
- /etc/cron.hourly/baruwa-clean-eximdb - baruwa-clean-eximdb
- /etc/MailScanner/rules/filename.rules - filename.rules
- /etc/MailScanner/rules/filetype.rules - filetype.rules
- /etc/MailScanner/filetype.rules.allowall.conf - filetype.rules.allowall.conf
- /etc/MailScanner/filename.rules.allowall.conf - filename.rules.allowall.conf
- /etc/MailScanner/rules/content.scanning.rules - content.scanning.rules
- /etc/MailScanner/rules/scan.messages.rules - scan.messages.rules
- /etc/MailScanner/rules/nonspam.actions.rules - nonspam.actions.rules
- /etc/mail/spamassassin/baruwa.cf - baruwa.cf
- /etc/mail/spamassassin/sem.cf - sem.cf
- /etc/clamd.conf - clamd.conf
- /etc/freshclam.conf - freshclam.conf
Add the ClamAV user to the exim group:
usermod -a -G exim clamav
Create the exim spool directories and settings files:
touch /etc/exim4/{non-tls-hosts,remove-headers,blocked-subjects,skip_dnsbl,skip_dkim,skip_av_checks,allow_empty_replyto}
mkdir -p /var/spool/exim4.in/{db,input,msglog,scan}
chown -R exim.exim /var/spool/exim4.in
chmod 0750 -R /var/spool/exim4.in
Create the file command wrapper /usr/local/bin/file-wrapper:
cat > /usr/local/bin/file-wrapper << 'EOF'
#!/bin/bash
#
# Wrap the file command
/usr/bin/file -i "$1"
EOF
chmod +x /usr/local/bin/file-wrapper
Update the Spamassassin local configuration:
rm -f /etc/mail/spamassassin/local.cf
ln -s /etc/MailScanner/spam.assassin.prefs.conf /etc/mail/spamassassin/local.cf
Install extra Spamassassin plugins:
yum install spamassassin-plugin-iXhash spamassassin-plugin-decodeshorturls -y
Create the KAM cronjob using the KAM.cron provided. Paste the contents into /etc/cron.daily/kam and then make it executable:
chmod +x /etc/cron.daily/kam
Enable Spamassassin rulesets updates:
sa-update --import /etc/mail/spamassassin/channel.d/sought.conf
sa-update --import /etc/mail/spamassassin/channel.d/spamassassin-official.conf
cat > /etc/sysconfig/update_spamassassin << 'EOF'
SAUPDATEARGS="-D --gpgkey 6C6191E3 --channel sought.rules.yerp.org --channel updates.spamassassin.org"
EOF
Enable required Spamassassin plugins:
yum install perl-IP-Country re2c gcc make -y
v310file="/etc/mail/spamassassin/v310.pre"
v320file="/etc/mail/spamassassin/v320.pre"
initfile="/etc/mail/spamassassin/init.pre"
sed -i -e "s/^#loadplugin Mail::SpamAssassin::Plugin::AWL/loadplugin Mail::SpamAssassin::Plugin::AWL/" $v310file
sed -i -e "s/^# loadplugin Mail::SpamAssassin::Plugin::Rule2XSBody/loadplugin Mail::SpamAssassin::Plugin::Rule2XSBody/" $v320file
sed -i -e "s/^# loadplugin Mail::SpamAssassin::Plugin::Shortcircuit/loadplugin Mail::SpamAssassin::Plugin::Shortcircuit/" $v320file
sed -i -e "s/# loadplugin Mail::SpamAssassin::Plugin::RelayCountry/loadplugin Mail::SpamAssassin::Plugin::RelayCountry/" $initfile
Install Spamassassin addons:
yum install perl-Razor-Agent pyzor dcc-client
mkdir /var/lib/razor
razor-admin -home=/var/lib/razor -logfile=/var/log/razor-agent.log -create
razor-admin -home=/var/lib/razor -logfile=/var/log/razor-agent.log -register
echo "razorhome = /var/lib/razor" >> /var/lib/razor/razor-agent.conf && chown exim.exim -R /var/lib/razor
mkdir /var/lib/pyzor
chown root.mail /var/lib/pyzor
pyzor --homedir /var/lib/pyzor discover
chown exim /var/lib/pyzor/servers
v310file="/etc/mail/spamassassin/v310.pre"
sed -i -e "s/^#loadplugin Mail::SpamAssassin::Plugin::DCC/loadplugin Mail::SpamAssassin::Plugin::DCC/" $v310file
Restart the relevant services:
service clamd restart
service mailscanner restart
Make sure the services start on boot:
chkconfig --level 3 clamd on
chkconfig --level 3 exim off
chkconfig --level 3 dcc-client on
chkconfig --level 3 mailscanner on
Step 3f: SSL certificates
Note
We have partnered with the SSLShop to bring you discounted SSL certificate pricing. RapidSSL CA signed certificates can be purchased at discounted pricing using the Discount coupon “BARUWA” from http://www.sslshop.co.za
The Baruwa web interface should run over SSL/TLS, and other services such as SMTP AUTH only work over SSL/TLS as well, so you need to either purchase a valid SSL certificate or generate a self-signed certificate. If you have an SSL certificate that is issued by a recognised CA, install it as follows:
mkdir -p /etc/pki/baruwa/{certs,private}
Create the following files
- /etc/pki/baruwa/certs/$(hostname).pem with the contents of your SSL certificate
- /etc/pki/baruwa/private/$(hostname).key with the contents of your SSL private key
If your hostname is different from the name you use to access the web site, you need to create a certificate/key pair for that. Replace baruwa.example.com with your web hostname.
- /etc/pki/baruwa/private/baruwa.example.com.key
- /etc/pki/baruwa/certs/baruwa.example.com.pem
If your hostname is different from the mail server hostname, then you need to create a certificate/key pair for that in the following files. Replace baruwa.example.com with your mail server hostname.
- /etc/pki/baruwa/certs/baruwa.example.com.pem
- /etc/pki/baruwa/private/baruwa.example.com.key
If you have a wildcard certificate and all your names are subdomains of the domain to which the certificate is issued, then you can create symlinks to each of the names for the certificates and keys.
If you do not have a CA-signed certificate you need to generate a self-signed certificate and place the private key in /etc/pki/baruwa/private/$(hostname).key and the certificate in /etc/pki/baruwa/certs/$(hostname).pem. Create additional certificate/key pairs if your web access name/mail server hostname are different from the server hostname.
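One way to generate the self-signed pair and the wildcard symlinks described above, as an added example that is not part of the Baruwa documentation. The function names, the PKI_DIR and KEY_GROUP variables, the 2048-bit RSA key and the 365-day validity are assumptions; only the directory layout comes from this guide.

```shell
#!/bin/bash
# Added example, not from the Baruwa documentation.
PKI_DIR="${PKI_DIR:-/etc/pki/baruwa}"   # layout used by this guide
KEY_GROUP="${KEY_GROUP:-}"              # assumption: optional group that may read the key

# make_selfsigned NAME: write private/NAME.key and certs/NAME.pem with CN=NAME.
make_selfsigned() {
    local name="$1"
    local key="$PKI_DIR/private/$name.key" crt="$PKI_DIR/certs/$name.pem"
    mkdir -p "$PKI_DIR/certs" "$PKI_DIR/private" || return 1
    # Never replace a key that is already in use.
    if [ -e "$key" ] || [ -e "$crt" ]; then
        echo "refusing to overwrite existing pair for $name" >&2
        return 1
    fi
    # Subshell umask: the key file is private from the moment it is created.
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
          -subj "/CN=$name" -keyout "$key" -out "$crt" 2>/dev/null ) || return 1
    chmod 0644 "$crt"
    # A daemon that reads the key as an unprivileged user needs group access.
    if [ -n "$KEY_GROUP" ]; then
        chgrp "$KEY_GROUP" "$key" && chmod 0640 "$key" || return 1
    fi
}

# link_pair NAME ALIAS: expose an existing pair under a second name
# (the wildcard-certificate case; the certificate must cover ALIAS).
link_pair() {
    [ -f "$PKI_DIR/private/$1.key" ] && [ -f "$PKI_DIR/certs/$1.pem" ] || return 1
    ln -s "$1.key" "$PKI_DIR/private/$2.key" &&
    ln -s "$1.pem" "$PKI_DIR/certs/$2.pem"
}

# pair_matches NAME: succeed only if certificate and key hold the same public key.
pair_matches() {
    local a b
    a=$(openssl x509 -in "$PKI_DIR/certs/$1.pem" -noout -pubkey) || return 1
    b=$(openssl pkey -in "$PKI_DIR/private/$1.key" -pubout) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}
```

Running pair_matches after copying in a CA-issued certificate and key catches a mismatched pair before nginx or exim fails to start with it.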
Step 3g: Nginx
Nginx is the web server available in Baruwa Enterprise. Install it by running:
yum install nginx -y
Create the Baruwa Nginx configuration file /etc/nginx/conf.d/baruwa.conf based on the provided sample nginx.conf.
Start the Nginx service:
service nginx restart
chkconfig --level 3 nginx on
Step 4: Setup Baruwa
Step 4a: Install Baruwa
With all the requirements in place you can now install Baruwa by running the following command:
yum install baruwa -y
If you are running sphinx on the same server then install the integration package:
yum install baruwa-sphinx -y
Step 4b: Create configuration files
Create the configuration file:
paster make-config baruwa /etc/baruwa/production.ini
Set the sqlalchemy database url:
sed -i -e 's|baruwa:@127.0.0.1:5432/baruwa|baruwa:password@127.0.0.1:5432/baruwa|' \
/etc/baruwa/production.ini
Set the broker password and enable the queues:
sed -i -e 's:broker.password =:broker.password = mysecretpwd:' \
-e "s:snowy.local:$(hostname):g" \
-e 's:^#celery.queues:celery.queues:' /etc/baruwa/production.ini
Check the configuration file and ensure that the baruwa.timezone option matches the timezone configured on your server. Take time to review the other options to ensure that they are correct for your setup.
Note
Don’t use the @ and : characters in the passwords or usernames
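A check worth running once the configuration files are written, as an added example that is not part of the Baruwa documentation: it flags files that still contain the sample passwords this guide uses (password, mysecretpwd) or that every local user can read. The function name audit_secrets and the patterns are assumptions built from the sed commands above.

```shell
#!/bin/bash
# Added example, not from the Baruwa documentation.
# Patterns constructed from the sample values this guide writes into
# production.ini and sphinx.conf.
DOC_SECRETS='baruwa:password@|broker\.password *= *mysecretpwd$|sql_pass *= *password$'

# audit_secrets FILE...: print one finding per line; return 1 if anything was found.
audit_secrets() {
    local f hits rc=0
    for f in "$@"; do
        if [ ! -f "$f" ]; then
            echo "$f: not found"
            rc=1
            continue
        fi
        # Report line numbers only, so the output never repeats a secret.
        hits=$(grep -nE "$DOC_SECRETS" "$f" | cut -d: -f1 | tr '\n' ' ')
        if [ -n "$hits" ]; then
            echo "$f: sample password from the guide on line(s) $hits"
            rc=1
        fi
        # Eighth character of the mode string is the "other" read bit.
        case $(ls -ld -- "$f") in
            ???????r*) echo "$f: readable by all local users"; rc=1 ;;
        esac
    done
    return $rc
}

# Typical call on a finished install (paths from this guide):
#   audit_secrets /etc/baruwa/production.ini /etc/sphinx/sphinx.conf
```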
Step 4c: Populate the database
Creation of functions written in plpythonu requires PostgreSQL admin user access. So we create them in this step using the postgres admin account:
psql -U postgres baruwa -f /usr/lib/python2.6/site-packages/baruwa/config/sql/admin-functions.sql
The creation of all database tables, addition of initial data and the creation of an admin user is taken care of via this Pylons command:
paster setup-app /etc/baruwa/production.ini
Step 4d: Create the sphinx indexes
The initial sphinx search indexes need to be created by running the command:
indexer --all --rotate
Step 4e: Start the celery daemon
Start the celeryd daemon:
service baruwa start
chkconfig --level 3 baruwa on
Step 4f: Link uwsgi configuration
Link the Baruwa configuration to the uwsgi configuration directory:
ln -s /etc/baruwa/production.ini /etc/uwsgi
service uwsgi restart
chkconfig --level 3 uwsgi on
Step 4g: Create Sudo configuration
Create a sudo file in /etc/sudoers.d as follows:
cat > /etc/sudoers.d/baruwa << 'EOF'
Defaults:baruwa !requiretty, visiblepw
baruwa ALL=(exim) NOPASSWD: /usr/sbin/exim -C /etc/exim/exim_out.conf -M *, \
/usr/sbin/exim -C /etc/exim/exim_out.conf -Mf *, \
/usr/sbin/exim -C /etc/exim/exim_out.conf -Mrm *, \
/usr/sbin/exim -C /etc/exim/exim_out.conf -Mg *, \
/usr/sbin/exim -C /etc/exim/exim_out.conf -Mar *, \
/usr/sbin/exim -C /etc/exim/exim_out.conf -qff, \
/usr/sbin/exim -Mrm *, \
/usr/sbin/exim -Mg *, \
/usr/sbin/exim -Mar *
baruwa ALL = NOPASSWD: /bin/kill -s HUP *
EOF
Step 4h: Create Cronjobs
Create the bayes expire cronjob:
cat > /etc/cron.hourly/baruwa-expire-bayes << 'EOF'
#!/bin/bash
/usr/bin/sa-learn --force-expire --sync -p /etc/MailScanner/spam.assassin.prefs.conf &>/dev/null
EOF
chmod +x /etc/cron.hourly/baruwa-expire-bayes
Create the exim queue cleanup cronjob:
cat > /etc/cron.daily/baruwa-exim4 << 'EOF'
#!/bin/bash
#
# Baruwa Enterprise Edition
# Clean up stale messages from the exim queues
#
# PERIOD in seconds
PERIOD=1209600
exiqgrep -C /etc/exim/exim_out.conf -o $PERIOD -i|xargs exim -C /etc/exim/exim_out.conf -Mrm >/dev/null 2>&1
exiqgrep -o $PERIOD -i|xargs exim -Mrm >/dev/null 2>&1
EOF
chmod +x /etc/cron.daily/baruwa-exim4
Step 5: Finalize configuration
Now that the installation and setup are complete, you need to finalize the setup by Adding a scanning Node, Adding an Organization, Adding a Domain and Adding an Account.
Review the Administrators guide for other configuration and setup options available.
Step 7: Advanced options
Baruwa Enterprise Edition supports clustering, addons, additional AV engines as well as customisation using themes. If you intend on using these features read the following topics.
Step 8: Getting help
Support and assistance are available to you; refer to Support for details on how to get help.