Manual Installation

Step 1: Installation requirements

You need a valid Baruwa enterprise subscription, which provides you with a server entitlement as well as an activation key to activate the entitlement.

Enable the EPEL repository

The EPEL repository is a volunteer-based community effort from the Fedora project to create a repository of high-quality add-on packages for Red Hat Enterprise Linux (RHEL) and its compatible spinoffs such as CentOS, Oracle Enterprise Linux or Scientific Linux. You can find more details on EPEL, including how to add it to your host, at http://fedoraproject.org/wiki/EPEL and http://fedoraproject.org/wiki/EPEL/FAQ#howtouse.

You need to enable this repo in order to access required packages:

rpm -Uvh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm

Install Spacewalk client packages

Baruwa Enterprise Edition entitlements are managed by the Baruwa Network. The Baruwa Network uses the Spacewalk server to manage entitlements. In order to access the Baruwa Enterprise Edition repository you need to install the Spacewalk client tools. These tools are provided by the Spacewalk project via a yum repository which you need to enable:

rpm -Uvh http://yum.spacewalkproject.org/1.9/RHEL/6/x86_64/spacewalk-client-repo-1.9-1.el6.noarch.rpm

Having enabled the Spacewalk repository you can now install the Spacewalk client packages:

yum install rhn-client-tools rhn-check rhn-setup rhnsd m2crypto yum-rhn-plugin -y

Install Baruwa signing keys

The packages in the Baruwa CentOS/RHEL/SL enterprise repository are cryptographically signed using GPG keys. The package containing these GPG keys needs to be manually installed before continuing to the next step:

rpm -Uvh https://www.baruwa.com/downloads/baruwa-enterprise-release-6-2.noarch.rpm
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-BARUWA-ENTERPRISE-6

Activate Entitlement

The Baruwa CentOS/RHEL/SL enterprise repository is available to subscribers only. To install from this repo you need to activate the entitlement for the server that you are installing.

The server entitlement activation key is emailed to you when you purchase a subscription. Use the activation key to register your server with the Baruwa Network using the command below:

rhnreg_ks --serverUrl=https://bn.baruwa.com/XMLRPC --activationkey=<activation-key>

Install Caching DNS server

You need to use a local caching DNS server to improve the performance of various checks:

yum install bind
chkconfig --level 3 named on
service named start

Then make sure that the system uses this DNS server:

cat > /etc/resolv.conf << 'EOF'
nameserver 127.0.0.1
EOF

Note

Do NOT use public DNS servers such as Google DNS, OpenDNS or your ISP’s servers. If you do, your DNSBL checks will get a _BLOCKED response; see http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information.

Step 2: Upgrade all existing packages

Install any available system updates:

yum upgrade -y

Step 3: Install and configure supporting packages

Step 3a: PostgreSQL

This is the database backend used by Baruwa to store data. You only have to install the server if you are going to run the database on the same system as Baruwa:

yum install postgresql-server postgresql-plpython -y

We now need to set a password on the PostgreSQL postgres admin account. We use the password strongPgP4ss here; change this for your environment:

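chown postgres.postgres /var/lib/pgsql
# create the password file owned by postgres and unreadable by other users before writing to it
install -m 0600 -o postgres -g postgres /dev/null /tmp/ps
echo "strongPgP4ss" > /tmp/ps
su postgres -c "/usr/bin/initdb /var/lib/pgsql/data --auth='password' --pwfile=/tmp/ps -E UTF8"
rm -rf /tmp/ps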

You now need to configure the authentication settings on your PostgreSQL server. Edit your pg_hba.conf file and change the entries to the following:

cat > /var/lib/pgsql/data/pg_hba.conf << 'EOF'
# TYPE  DATABASE    USER        CIDR-ADDRESS          METHOD
local   all         all                               md5
host    all         all         127.0.0.1/32          md5
host    all         all         ::1/128               md5
EOF

Configure the server to use the UTC timezone as the default timezone:

sed -e "s/^#timezone = \(.*\)$/timezone = 'UTC'/" -i /var/lib/pgsql/data/postgresql.conf

Restart the service for the configuration changes to take effect:

service postgresql restart
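
The policy this pg_hba.conf expresses (md5 on every line, TCP logins from loopback only) can be re-checked after later edits. The script below is an added example, not part of Baruwa or its documentation; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Baruwa's code): audit pg_hba.conf against the policy the
# guide's file expresses: md5 on every line, TCP logins from loopback only.

# audit_pg_hba FILE|-  prints one finding per offending line; returns 1 if any.
audit_pg_hba() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }           # skip blank lines and comments
        {
            if ($1 == "local") {                # unix socket: no address column
                addr = ""; method = $4
            } else if ($5 ~ /^[0-9.]+$/) {      # old style: address + netmask
                addr = $4 " " $5; method = $6
            } else {                            # CIDR style: address/len
                addr = $4; method = $5
            }
            if (method != "md5") {
                printf "line %d: method %s is not md5\n", NR, method; bad = 1
            }
            if ($1 != "local" && addr != "127.0.0.1/32" && addr != "::1/128" &&
                addr != "127.0.0.1 255.255.255.255") {
                printf "line %d: %s accepts logins from %s\n", NR, $1, addr; bad = 1
            }
        }
        END { exit bad + 0 }
    ' "${1:--}"
}

# Constructed sample: the guide's three lines plus two risky additions.
sample_pg_hba() {
    cat <<'EOF'
# TYPE  DATABASE    USER        CIDR-ADDRESS          METHOD
local   all         all                               md5
host    all         all         127.0.0.1/32          md5
host    all         all         ::1/128               md5
local   all         postgres                          trust
host    baruwa      baruwa      0.0.0.0/0             md5
EOF
}

# Demo on the sample; on a server run: audit_pg_hba /var/lib/pgsql/data/pg_hba.conf
sample_pg_hba | audit_pg_hba - || echo "pg_hba.conf needs review"
```

Run it immediately after initdb and it reports the `password` method that `--auth='password'` writes, which is why the guide replaces the file before restarting the service.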

With the server now started you can proceed to configuration. Here we will create a Baruwa postgresql database user account as well as a database to store Baruwa data.

We’re going to assume that the database is called baruwa, the postgresql user is called baruwa, and the password is password.

Create the Baruwa database user:

psql -Upostgres postgres -c "CREATE ROLE baruwa WITH LOGIN PASSWORD 'password';"

Create the database:

createdb -U postgres -E UTF8 -O baruwa -T template1 baruwa

Baruwa uses functions written in the plpgsql and plpythonu procedural languages. Enable these languages in the db:

psql -U postgres baruwa -c "CREATE LANGUAGE plpgsql;"
psql -U postgres baruwa -c "CREATE LANGUAGE plpythonu;"

We’re going to assume that the Bayes user is called bayes, and the password is password.

Create the Bayes database user:

psql -Upostgres postgres -c "CREATE ROLE bayes WITH LOGIN PASSWORD 'password';"

Create the SQL Auto Whitelisting Tables:

cat > /tmp/awl.sql << 'EOF'
CREATE TABLE awl (
  username varchar(100) NOT NULL default '',
  email varchar(255) NOT NULL default '',
  ip varchar(40) NOT NULL default '',
  count bigint NOT NULL default '0',
  totscore float NOT NULL default '0',
  signedby varchar(255) NOT NULL default '',
  timestamp timestamp with time zone default timezone('utc'::text, now()),
  PRIMARY KEY (username,email,signedby,ip)
);
EOF
psql -Ubaruwa baruwa -f /tmp/awl.sql
rm -f /tmp/awl.sql

Create the SQL Bayes tables using the Bayes SQL dump provided. Paste the contents into /tmp/bayes.sql, then run the following commands:

psql -Ubaruwa baruwa -f /tmp/bayes.sql
rm -f /tmp/bayes.sql

Grant the bayes user access to the bayes tables:

cat > /tmp/grants.sql << 'EOF'
GRANT SELECT, UPDATE, DELETE, INSERT ON TABLE bayes_token TO bayes;
GRANT SELECT, UPDATE, DELETE, INSERT ON TABLE bayes_vars TO bayes;
GRANT SELECT, DELETE, INSERT ON TABLE bayes_seen TO bayes;
GRANT SELECT, DELETE, INSERT ON TABLE bayes_expire TO bayes;
GRANT SELECT ON TABLE bayes_global_vars TO bayes;
GRANT UPDATE, SELECT, INSERT ON bayes_vars_id_seq TO bayes;
GRANT SELECT, UPDATE, DELETE, INSERT ON TABLE awl TO bayes;
EOF
psql -Upostgres baruwa -f /tmp/grants.sql
rm -f /tmp/grants.sql

Step 3b: RabbitMQ

The RabbitMQ server is used as the message broker to handle the processing of backend tasks such as releasing messages, reading queues and providing host status information.

Run the following commands to install and start RabbitMQ on your system:

yum install rabbitmq-server -y
service rabbitmq-server start

Now create a virtual host and a RabbitMQ user to be used by Baruwa.

We’re going to assume that the virtual host is called baruwa, the RabbitMQ user is called baruwa, and the password is mysecretpwd.

Create the user account, the virtual host and give the user permissions on the virtual host:

rabbitmqctl add_user baruwa mysecretpwd
rabbitmqctl add_vhost baruwa
rabbitmqctl set_permissions -p baruwa baruwa ".*" ".*" ".*"

Remove the guest user:

rabbitmqctl delete_user guest

Step 3c: Sphinx

The Sphinx search server provides fast indexed search results to queries submitted via Baruwa.

Run the following commands to install and start sphinx on your system:

yum install sphinx

Create /etc/sphinx/sphinx.conf using the provided sample sphinx.conf.

Set the required database settings:

sed -i -e 's:sql_host =:sql_host = 127.0.0.1:' \
        -e 's:sql_user =:sql_user = baruwa:' \
        -e 's:sql_pass =:sql_pass = password:' \
        -e 's:sql_db =:sql_db = baruwa:' /etc/sphinx/sphinx.conf

Start the Sphinx server:

service searchd restart
chkconfig --level 3 searchd on

Step 3d: Memcached

Memcached is used to cache data and alleviate the load on the database backend as well as store sessions:

yum install memcached -y
service memcached start
chkconfig --level 3 memcached on

Step 3e: MailScanner

MailScanner is the integrated engine that performs the various checks used to identify and classify spam and various threats.

Baruwa manages the MailScanner configuration by storing the configurations in the PostgreSQL Database. MailScanner signatures can also be managed using Baruwa for both domains and individual users.

Install MailScanner:

yum install mailscanner clamd clamav clamav-unofficial-sigs -y

Create the following configuration files based on the samples provided.

Add the ClamAV user to the exim group:

usermod -a -G exim clamav

Create the exim spool directories and settings files:

touch /etc/exim4/{non-tls-hosts,remove-headers,blocked-subjects,skip_dnsbl,skip_dkim,skip_av_checks,allow_empty_replyto}
mkdir -p /var/spool/exim4.in/{db,input,msglog,scan}
chown -R exim.exim /var/spool/exim4.in
chmod 0750 -R /var/spool/exim4.in

Create the file command wrapper /usr/local/bin/file-wrapper:

cat > /usr/local/bin/file-wrapper << 'EOF'
#!/bin/bash
#
# Wrap the file command
/usr/bin/file -i "$1"
EOF
chmod +x /usr/local/bin/file-wrapper

Update the Spamassassin local configuration:

rm -f /etc/mail/spamassassin/local.cf
ln -s /etc/MailScanner/spam.assassin.prefs.conf /etc/mail/spamassassin/local.cf

Install extra Spamassassin plugins:

yum install spamassassin-plugin-iXhash spamassassin-plugin-decodeshorturls -y

Create the KAM cronjob using the KAM.cron provided. Paste the contents into /etc/cron.daily/kam and then make it executable:

chmod +x /etc/cron.daily/kam

Enable Spamassassin rulesets updates:

sa-update --import /etc/mail/spamassassin/channel.d/sought.conf
sa-update --import /etc/mail/spamassassin/channel.d/spamassassin-official.conf
cat > /etc/sysconfig/update_spamassassin << 'EOF'
SAUPDATEARGS="-D --gpgkey 6C6191E3 --channel sought.rules.yerp.org --channel updates.spamassassin.org"
EOF

Enable required Spamassassin plugins:

yum install perl-IP-Country re2c gcc make -y
v310file="/etc/mail/spamassassin/v310.pre"
v320file="/etc/mail/spamassassin/v320.pre"
initfile="/etc/mail/spamassassin/init.pre"
sed -i -e "s/^#loadplugin Mail::SpamAssassin::Plugin::AWL/loadplugin Mail::SpamAssassin::Plugin::AWL/" $v310file
sed -i -e "s/^# loadplugin Mail::SpamAssassin::Plugin::Rule2XSBody/loadplugin Mail::SpamAssassin::Plugin::Rule2XSBody/" $v320file
sed -i -e "s/^# loadplugin Mail::SpamAssassin::Plugin::Shortcircuit/loadplugin Mail::SpamAssassin::Plugin::Shortcircuit/" $v320file
sed -i -e "s/# loadplugin Mail::SpamAssassin::Plugin::RelayCountry/loadplugin Mail::SpamAssassin::Plugin::RelayCountry/" $initfile

Install Spamassassin addons:

yum install perl-Razor-Agent pyzor dcc-client
mkdir /var/lib/razor
razor-admin -home=/var/lib/razor -logfile=/var/log/razor-agent.log -create
razor-admin -home=/var/lib/razor -logfile=/var/log/razor-agent.log -register
echo "razorhome = /var/lib/razor" >> /var/lib/razor/razor-agent.conf && chown exim.exim -R /var/lib/razor
mkdir /var/lib/pyzor
chown root.mail /var/lib/pyzor
pyzor --homedir /var/lib/pyzor discover
chown exim /var/lib/pyzor/servers
v310file="/etc/mail/spamassassin/v310.pre"
sed -i -e "s/^#loadplugin Mail::SpamAssassin::Plugin::DCC/loadplugin Mail::SpamAssassin::Plugin::DCC/" $v310file

Restart the relevant services:

service clamd restart
service mailscanner restart

Make sure the services start on boot:

chkconfig --level 3 clamd on
chkconfig --level 3 exim off
chkconfig --level 3 dcc-client on
chkconfig --level 3 mailscanner on

Step 3f: SSL certificates

Note

We have partnered with the SSLShop to bring you discounted SSL certificate pricing. RapidSSL CA signed certificates can be purchased at discounted pricing using the Discount coupon “BARUWA” from http://www.sslshop.co.za

The Baruwa web interface should run over SSL/TLS, and other services such as SMTP AUTH only work over SSL/TLS as well, so you need to either purchase a valid SSL certificate or generate a self-signed certificate. If you have an SSL certificate that is issued by a recognised CA, install it as follows:

mkdir -p /etc/pki/baruwa/{certs,private}

Create the following files:

  • /etc/pki/baruwa/certs/$(hostname).pem with the contents of your SSL certificate
  • /etc/pki/baruwa/private/$(hostname).key with the contents of your SSL private key

If your hostname is different from the name you use to access the web site, you need to create a certificate/key pair for that. Replace baruwa.example.com with your web hostname.

  • /etc/pki/baruwa/private/baruwa.example.com.key
  • /etc/pki/baruwa/certs/baruwa.example.com.pem

If your hostname is different from the mail server hostname, then you need to create a certificate/key pair for that in the following files. Replace baruwa.example.com with your mail server hostname.

  • /etc/pki/baruwa/certs/baruwa.example.com.pem
  • /etc/pki/baruwa/private/baruwa.example.com.key

If you have a wildcard certificate and all your names are subdomains of the domain to which the certificate is issued, you can create symlinks for each of the names to the certificate and key.

If you do not have a CA-signed certificate, you need to generate a self-signed certificate and place the private key in /etc/pki/baruwa/private/$(hostname).key and the certificate in /etc/pki/baruwa/certs/$(hostname).pem. Create additional certificate/key pairs if your web access name or mail server hostname is different from the server hostname.
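
One way to produce and verify the certificate/key layout described above, as an added example that is not part of Baruwa or its documentation. The function names, the RSA 2048 key size, the 365-day lifetime and the scratch directory are assumptions; on the server the base directory is /etc/pki/baruwa.

```shell
#!/bin/sh
# Added example (not Baruwa's code): create a self-signed pair in the layout
# the guide expects and verify any pair before pointing nginx or exim at it.
# Assumptions: RSA 2048, 365 days, CN = the name; adjust to your policy.

# make_selfsigned BASE NAME -> BASE/certs/NAME.pem and BASE/private/NAME.key
make_selfsigned() {
    mkdir -p "$1/certs" "$1/private" || return 1
    (
        umask 077                                # key is never world-readable
        openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
            -subj "/CN=$2" \
            -keyout "$1/private/$2.key" -out "$1/certs/$2.pem" 2>/dev/null
    ) || return 1
    chmod 0644 "$1/certs/$2.pem"                 # the certificate is public
}

# check_pair BASE NAME -> prints each problem found; returns 1 if any
check_pair() {
    cert="$1/certs/$2.pem"; key="$1/private/$2.key"; rc=0
    for f in "$cert" "$key"; do
        [ -s "$f" ] || { echo "missing or empty: $f"; return 1; }
    done
    # "other" permission bits are characters 8-10 of the ls -l mode string
    if [ "$(ls -ld "$key" | cut -c8-10)" != "---" ]; then
        echo "private key is accessible to all users: $key"; rc=1
    fi
    # A pair matches when both files carry the same public key
    if [ "$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null)" != \
         "$(openssl pkey -pubout -in "$key" 2>/dev/null)" ]; then
        echo "certificate and key do not belong together: $2"; rc=1
    fi
    # -checkend 0 fails when the certificate has already expired
    openssl x509 -noout -checkend 0 -in "$cert" >/dev/null 2>&1 ||
        { echo "certificate expired or unreadable: $cert"; rc=1; }
    return $rc
}

# Demo in a scratch directory; on the server BASE is /etc/pki/baruwa
demo=$(mktemp -d)
make_selfsigned "$demo" baruwa.example.com && check_pair "$demo" baruwa.example.com &&
    echo "baruwa.example.com: pair OK"
rm -rf "$demo"
```

The same check_pair call works for CA-issued files and for symlinked wildcard pairs, since it only reads the two paths the guide names.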

Step 3g: Nginx

Nginx is the web server available in Baruwa Enterprise. Install it by running:

yum install nginx -y

Create the Baruwa Nginx configuration file /etc/nginx/conf.d/baruwa.conf based on the provided sample nginx.conf.

Start the Nginx service:

service nginx restart
chkconfig --level 3 nginx on

Step 4: Setup Baruwa

Step 4a: Install Baruwa

With all the requirements in place you can now install Baruwa by running the following command:

yum install baruwa -y

If you are running sphinx on the same server then install the integration package:

yum install baruwa-sphinx -y

Step 4b: Create configuration files

Create the configuration file:

paster make-config baruwa /etc/baruwa/production.ini

Set the sqlalchemy database url:

sed -i -e 's|baruwa:@127.0.0.1:5432/baruwa|baruwa:password@127.0.0.1:5432/baruwa|' \
        /etc/baruwa/production.ini

Set the broker password and enable the queues:

sed -i -e 's:broker.password =:broker.password = mysecretpwd:' \
        -e "s:snowy.local:$(hostname):g" \
        -e 's:^#celery.queues:celery.queues:' /etc/baruwa/production.ini

Check the configuration file and ensure that the baruwa.timezone option matches the timezone configured on your server. Take time to review the other options to ensure that they are correct for your setup.

Note

Don’t use the @ and : characters in the passwords or usernames.

Step 4c: Populate the database

Creation of functions written in plpythonu requires PostgreSQL admin user access. So we create them in this step using the postgres admin account:

psql -U postgres baruwa -f /usr/lib/python2.6/site-packages/baruwa/config/sql/admin-functions.sql

The creation of all database tables, addition of initial data and the creation of an admin user is taken care of via this Pylons command:

paster setup-app /etc/baruwa/production.ini

Step 4d: Create the sphinx indexes

The initial sphinx search indexes need to be created by running the command:

indexer --all --rotate

Step 4e: Start the celery daemon

Start the celeryd daemon:

service baruwa start
chkconfig --level 3 baruwa on

Step 4g: Create Sudo configuration

Create a sudo file in /etc/sudoers.d as follows:

cat > /etc/sudoers.d/baruwa << 'EOF'
Defaults:baruwa   !requiretty, visiblepw

baruwa ALL=(exim) NOPASSWD: /usr/sbin/exim -C /etc/exim/exim_out.conf -M *, \
        /usr/sbin/exim -C /etc/exim/exim_out.conf -Mf *, \
        /usr/sbin/exim -C /etc/exim/exim_out.conf -Mrm *, \
        /usr/sbin/exim -C /etc/exim/exim_out.conf -Mg *, \
        /usr/sbin/exim -C /etc/exim/exim_out.conf -Mar *, \
        /usr/sbin/exim -C /etc/exim/exim_out.conf -qff, \
                /usr/sbin/exim -Mrm *, \
                /usr/sbin/exim -Mg *, \
                /usr/sbin/exim -Mar *

baruwa ALL = NOPASSWD: /bin/kill -s HUP *
EOF
chmod 0440 /etc/sudoers.d/baruwa

Step 4h: Create Cronjobs

Create the bayes expire cronjob:

cat > /etc/cron.hourly/baruwa-expire-bayes << 'EOF'
#!/bin/bash
/usr/bin/sa-learn --force-expire --sync -p /etc/MailScanner/spam.assassin.prefs.conf &>/dev/null
EOF
chmod +x /etc/cron.hourly/baruwa-expire-bayes

Create the exim queue cleanup cronjob:

cat > /etc/cron.daily/baruwa-exim4 << 'EOF'
#!/bin/bash
#
# Baruwa Enterprise Edition
# Clean up stale messages from the exim queues
#
# PERIOD in seconds
PERIOD=1209600
exiqgrep -C /etc/exim/exim_out.conf -o $PERIOD -i|xargs exim -C /etc/exim/exim_out.conf -Mrm >/dev/null 2>&1
exiqgrep -o $PERIOD -i|xargs exim -Mrm >/dev/null 2>&1
EOF
chmod +x /etc/cron.daily/baruwa-exim4

Step 5: Finalize configuration

Now that the installation and setup are complete, you need to finalize the setup by Adding a scanning Node, Adding an Organization, Adding a Domain and Adding an Account.

Review the Administrators guide for other configuration and setup options available.

Step 7: Advanced options

Baruwa Enterprise Edition supports clustering, addons, additional AV engines as well as customisation using themes. If you intend on using these features read the following topics.

Step 8: Getting help

Support and assistance are available to you; refer to Support for details on how to get help.