Technical FAQs

Answers to many common technical questions.

How do I request a new feature?

Answer: Use the issue tracker

Open a feature request on the issue tracker

How do I report a non security bug?

Answer: Use the issue tracker

Open a bug report on the issue tracker

How do I report a security bug?

Answer: Email security@baruwa.com

If you think you’ve found a security vulnerability with Baruwa, please send a message to security@baruwa.com. Do NOT post a bug report to our issue tracking system or disclose the issue on our mailing lists.

How do I disable TLS 1.0 on SMTP port 587 and 465?

To disable TLS 1.0 for SMTP ports 587 and 465 you need to run the following commands:

GNUTLS_CIPHERS="SECURE256:+SECURE128:-VERS-SSL3.0:-VERS-TLS1.0:-MD5:-ARCFOUR-128:-ARCFOUR-40:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC:%SERVER_PRECEDENCE"
echo "GNUTLS_CIPHERS      == ${GNUTLS_CIPHERS}" >> /etc/exim/macros.conf.local
service mailscanner restart
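
To confirm the change took effect, each port can be probed with a handshake restricted to TLS 1.0, alongside a TLS 1.2 control handshake. This is an added example, not part of the Baruwa documentation; mail.example.com is a placeholder host, and it assumes an openssl command-line client of version 1.1.0 or later that was built with TLS 1.0 support.

```shell
#!/bin/sh
# Added example: check that SMTP ports 587 and 465 refuse TLS 1.0.

# Classify the text printed by `openssl s_client`:
#   refused  - the handshake ended without a negotiated cipher
#   accepted - a cipher was negotiated, so the protocol is still enabled
#   unknown  - no handshake summary (connection failure, client error)
classify_probe() {
    if printf '%s\n' "$1" | grep -q 'Cipher is (NONE)'; then
        echo refused
    elif printf '%s\n' "$1" | grep -q 'Cipher is [A-Z0-9]'; then
        echo accepted
    else
        echo unknown
    fi
}

# probe HOST PORT PROTO_FLAG: attempt one handshake restricted to PROTO_FLAG
# (-tls1 or -tls1_2). Port 465 is implicit TLS; other ports use STARTTLS.
probe() {
    host=$1 port=$2 flag=$3
    starttls=
    [ "$port" = 465 ] || starttls="-starttls smtp"
    # SECLEVEL=0 lets newer OpenSSL clients offer TLS 1.0 at all; without it
    # the client itself may refuse and the result would look like "refused".
    out=$(echo QUIT | openssl s_client -connect "$host:$port" $starttls \
              "$flag" -cipher 'DEFAULT@SECLEVEL=0' 2>&1) || true
    classify_probe "$out"
}

# tls10_disabled HOST PORT: succeeds only when a TLS 1.2 control handshake
# works (the port is reachable) and the TLS 1.0 handshake is refused.
tls10_disabled() {
    if [ "$(probe "$1" "$2" -tls1_2)" != accepted ]; then
        echo "$1:$2 control handshake failed, result not meaningful" >&2
        return 2
    fi
    [ "$(probe "$1" "$2" -tls1)" = refused ]
}

# Usage (placeholder host):
#   for p in 587 465; do tls10_disabled mail.example.com "$p" && echo "$p ok"; done
```

The control handshake matters: a closed port or a missing STARTTLS offer also ends without a cipher, and would otherwise be reported as TLS 1.0 being refused.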

How do I tailor Baruwa Enterprise Edition to my specific needs?

Refer to the Customization section.

Can I manage Baruwa Enterprise Edition servers without using baruwa-setup?

Answer: Yes

Yes you can. You can choose to do the configuration manually or use a configuration management tool. SaltStack can be used easily, as we provide salt states which are used by baruwa-setup in the background. You could also convert these states to a different configuration management tool.

How do I rebrand Baruwa Enterprise Edition servers?

Refer to the Themes section. Note that if you would like to remove the powered by notices you need to purchase a branding license.

Where can I download rpm or deb packages to install on my system?

We no longer provide packages; the solution is now packaged as a custom OS.

What are the settings I should use to configure LDAP/AD?

The short answer is if you are asking, you probably should not be using LDAP/AD as you could inadvertently open yourself up to security holes.

The long answer is that not all LDAP directories are set up in the same way, so there is no one size fits all configuration we can provide.

It is advisable to create an account with very limited privileges in the directory and bind as that account for the LDAP operations.

The following are common configurations that you could attempt.

Base DN: The location within the directory to start searching
    Active Directory: dc=domain,dc=com
    OpenLDAP: dc=domain,dc=com

Username Attribute: The directory attribute in which the username is stored
    Active Directory: samAccountName, userPrincipalName
    OpenLDAP: uid

Email attribute: The directory attribute in which the email address is stored
    Active Directory: mail
    OpenLDAP: mail

Bind DN: The DN to bind as to perform operations
    Active Directory: cn=Administrator,cn=users,dc=domain,dc=com, Administrator@domain.com
    OpenLDAP: cn=root,dc=domain,dc=com

Bind password: The password for the Bind DN

Use TLS: Use the STARTTLS option

Search for userDN: Search for the userDN to bind to
    Active Directory: Yes in most cases
    OpenLDAP: No in most cases

Email Search Filter: The filter used to locate email addresses in an entry
    Active Directory: (|(proxyAddresses=SMTP:%u@%d)(proxyAddress=smtp:%u@%d)(mail=%u@%d))
    OpenLDAP: mail=%u@%d

The web interface is slow, what could cause this?

The web interface may slow down due to a range of issues:

  1. Insufficient system resources
  2. Insufficient network capacity
  3. Incorrectly configured IPv6 network

Insufficient system resources

Check your system and ensure you have enough system resources to handle the amount of web and SMTP traffic your system processes.

Insufficient network capacity

Check your network capacity and ensure it is sufficient to handle the amount of network traffic inbound and outbound from your system.

Incorrectly configured IPv6 network

Because IPv6 is not widely deployed, most networks do not handle IPv6 traffic as well as they handle IPv4.

Disabling IPv6 on your non loopback interfaces can improve the web interface performance by large margins.

You can disable IPv6 on a non loopback interface by setting the variable IPV6INIT to no in the interface configuration file under /etc/sysconfig/network-scripts/ and then restarting the network service.

Note

Do not disable IPv6 globally or on the loopback interface lo, as that is required for the message queue service.

Which MTA does Baruwa Enterprise use?

Answer: Exim

Baruwa Enterprise uses a customized version of the Exim MTA

SMTP AUTH on port 25 no longer works, why?

SMTP AUTH is no longer offered on port 25 starting with BaruwaOS 6.7.4. The reason for this is documented in the release notes under SMTP Authentication.

How do I allow attachments blocked by content protection through?

You can clone the default built-in content protection ruleset and then disable or alter the rule that is blocking the file. You can then assign your new custom ruleset either to the domain in question or globally if you want the change across the system.

More information on what content protection is and how to manage it is available in the following sections of the documentation

How do I create a content protection policy for a sender?

The content protection policies that are managed via the web interface can be assigned to domains or globally. This means that the policy will apply to all senders to the recipient domain in case of assignment to a domain or all senders to all domains in case of global assignment.

To set a granular content protection policy you need to use the customization system which requires manual setup via the command line.

Create a policy from a sender to all recipients

To set up a content protection policy for a sender you need to follow the process below.

The example below uses sender@senderdomain.com as the sender we are configuring the policy for, change this to your specific sender. Wildcards "*" can be used as well for example *@senderdomain.com.

  1. Login to your server and go to Settings -> Content protection -> File policies.

  2. Click clone policy -> change policy name to sender-name-policy or a name of your choice -> Clone policy

  3. Click actions (sender-name-policy) check enabled -> Update policy

  4. Make the changes you want to the specific rules you want to disable or add new rules you want to include

  5. SSH into the server as root user

  6. Create the file /etc/MailScanner/baruwa/rules/filename.rules.local with the following contents:

    From:       sender@senderdomain.com /etc/MailScanner/baruwa/rules/sender-name-policy-policy.conf
    
  7. Run the command paster update-rulesets to merge your rules

  8. Restart the scanner process: service mailscanner restart

  9. Run baruwa-logs to check for rule errors.

Create a policy from a sender to a specific recipient

To set up a content protection policy from a sender to a specific recipient, you need to follow the process below.

The example below uses sender@senderdomain.com as the sender and recipient@recipientdomain.com as the recipient. Change these for your specific use case. Wildcards "*" are supported for example *@senderdomain.com or *@recipientdomain.com

  1. Login to your server and go to Settings -> Content protection -> File policies.

  2. Click clone policy -> change policy name to sender-to-recipient-name-policy or a name of your choice -> Clone policy

  3. Click actions (sender-to-recipient-name-policy) check enabled -> Update policy

  4. Make the changes you want to the specific rules you want to disable or add new rules you want to include

  5. SSH into the server as root user

  6. Create the file /etc/MailScanner/baruwa/rules/filename.rules.local with the following contents:

    From:   sender@senderdomain.com and     To:     recipient@recipientdomain.com   /etc/MailScanner/baruwa/rules/sender-to-recipient-name-policy.conf
    
  7. Run the command paster update-rulesets to merge your rules

  8. Restart the scanner process: service mailscanner restart

  9. Run baruwa-logs to check for rule errors.

How do I disable phishing checks for recipient?

Warning

We strongly recommend that you do NOT disable phishing checks.

Phishing checks prevent your users from being tricked into clicking illegitimate links that are masquerading as the real thing. Phishing can be used to steal confidential information such as banking details or infect a user with malware.

If you choose to ignore all the warnings above and proceed you can follow the processes below.

To disable phishing checks you need to use the customization system which requires manual setup via the command line.

  1. SSH into the server as root user

  2. Create the ruleset file /etc/MailScanner/rules/phishing.checks.rules with the following contents:

    # Default rule do not remove, add rules above this
    FromOrTo:       default         yes
    
  3. Set the correct permissions on the file as follows:

    chmod 0644 /etc/MailScanner/rules/phishing.checks.rules
    chown root:root /etc/MailScanner/rules/phishing.checks.rules
    
  4. Update the Scanner configuration to use the ruleset file:

    grep -Eq "Find Phishing Fraud\s+=\s+yes" /etc/MailScanner/MailScanner.conf && {
        sed -i -e "s/Find Phishing Fraud\s\+=\s\+yes/Find Phishing Fraud = %rules-dir%\/phishing.checks.rules/" /etc/MailScanner/MailScanner.conf
    }
    
  5. You can now proceed to either How do I disable phishing checks for a recipient domain? or How do I disable phishing checks for a recipient email address?

How do I disable phishing checks for a recipient domain?

This example uses example.com as the recipient domain for which phishing checks are being disabled.

  1. Complete the process described in How do I disable phishing checks for recipient?

  2. SSH into the server as root user

  3. Edit the ruleset file /etc/MailScanner/rules/phishing.checks.rules and add the following above the # Default rule do not remove, add rules above this comment:

    To:       *@example.com         no
    
  4. Reload the scanner service: service mailscanner reload

  5. Run baruwa-logs to check for rule errors.

How do I disable phishing checks for a recipient email address?

This example uses user@example.com as the email address for which phishing checks are being disabled.

  1. Complete the process described in How do I disable phishing checks for recipient?

  2. SSH into the server as root user

  3. Edit the file /etc/MailScanner/rules/phishing.checks.rules and add the following above the # Default rule do not remove, add rules above this comment:

    To:       user@example.com         no
    
  4. Reload the scanner service: service mailscanner reload

  5. Run baruwa-logs to check for rule errors.
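
Because every "no" rule in this ruleset removes a protection, it is worth reviewing the file periodically. The following added example (not part of the Baruwa documentation) lists each exemption in a ruleset of the form shown above and reports a missing or disabled default rule; it assumes simple one-pattern rules like the ones on this page.

```shell
#!/bin/sh
# Added example: list every recipient exempted from phishing checks.

# audit_phishing_rules FILE
# Prints one line per finding:
#   exempt-all <pattern>      rule with value "no" whose pattern matches everyone
#   exempt-domain <pattern>   rule with value "no" for a whole domain (*@domain)
#   exempt-address <pattern>  rule with value "no" for a single address
#   default-off               the default rule does not say "yes"
#   default-missing           the file has no default rule
# Assumes rules of the form "Direction: pattern value", as used on this page.
audit_phishing_rules() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }        # skip comments and blank lines
        NF < 3 { print "malformed-line " NR; next }
        {
            pattern = $2
            value = tolower($NF)
            if (tolower(pattern) == "default") {
                have_default = 1
                if (value != "yes") print "default-off"
                next
            }
            if (value != "no") next           # checks stay enabled for this rule
            if (pattern == "*" || pattern == "*@*")
                print "exempt-all " pattern
            else if (pattern ~ /^\*@/)
                print "exempt-domain " pattern
            else
                print "exempt-address " pattern
        }
        END { if (!have_default) print "default-missing" }
    ' "$1"
}

# Usage: audit_phishing_rules /etc/MailScanner/rules/phishing.checks.rules
```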

How do I add a default delivery server?

In Baruwa, default delivery servers are called Fallback servers and they can be added to an Organization. Any domain in the Organization which does not have a delivery server configured will use the Fallback servers configured for that organization.

Refer to Fallback servers for more info.

How do I uninstall Baruwa Enterprise Edition?

Baruwa Enterprise Edition is an operating system, not an application. To remove it from your computer system you need to reformat the hard drive and install a different operating system.

How do I remove Baruwa?

Refer to How do I uninstall Baruwa Enterprise Edition?

How do I disable a ClamAV signature?

You can disable ClamAV signatures by adding them to the local.ign2 file on your server. This file is located in your ClamAV signatures directory /var/lib/clamav.

By default the file does not exist so you will have to create it the first time you add a signature.

To disable the signature Win.Exploit.CVE_2019_0903-6966169-0 for example you can run the following:

cat >> /var/lib/clamav/local.ign2 << 'EOF'
Win.Exploit.CVE_2019_0903-6966169-0
EOF
chmod 0644 /var/lib/clamav/local.ign2
chown clam:clam /var/lib/clamav/local.ign2
service clamd reload

My messages match ClamAV signature Heuristics.OLE2.ContainsMacros, how do I allow them through?

The message contains an attachment that contains macros and you have configured the system to block documents with macros. You can disable blocking of documents containing macros for users, domains or outbound relay clients.

Baruwa is rejecting messages at SMTP time but I would like the messages available in the interface

To prevent messages from being rejected at SMTP time, you need to turn off the Enable SMTP Time Rejection option in baruwa-setup.

I want all messages logged regardless of status, what do I do?

You need to turn off the Enable SMTP Time Rejection option in baruwa-setup.

How do I recover the rabbitmq cluster after a power failure takes down all nodes?

It is recommended that backend cluster members are located in different locations to prevent a power failure from taking down the whole cluster. However, for various reasons some users do not implement their clusters this way.

In cases where all cluster members go down without a proper shutdown, such as in the event of a power failure, the rabbitmq service does not start when the cluster is brought back up.

To get the cluster to start, you need to run the following commands on one of the cluster members, preferably the bootstrap server:

rabbitmqctl force_boot
service rabbitmq-server start

Once you have confirmed that this server is up and running you can then start up the other servers.

How do I sync a database cluster member that has fallen behind?

In most cases members of a cluster that have short downtime periods automatically catch up when brought back up. But in cases with high database traffic this may not be the case.

The easiest way to get the member back up and running is to reinitialize it as follows:

service patroni stop
rm -rvf /var/lib/pgsql/10/data/*
service patroni start

The server will copy all the required data from the current master and join the cluster. You can then confirm that there is no more lag using the patronictl list command.

How do I enable remote technical support access?

We use SSH keys to access your system. You need to install our SSH key below in the authorized_keys file of the account you want us to access. We require access to an account with root privileges, either as root directly or via an account with sudo access to root.

You can restrict access on your firewall to our remote support system: support.baruwa.com (84.200.48.209)

SSH KEY

# == start key
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC86+4YcvrDXdBFkrxtQnNGNXJ8ccqcbecs//qw8B/ltwLvLL0VXeS0m1dimlzw4gXz4U4q+ZxFBzMPJgje5JnFFa75PaYDTwJ/ZQeE/j85uEVJB4WFXFbqMbFUBYFP13y3HLVQ/eaX+OdPnRlyJU03pwgPo9kSnaO4x7aJyM9WiFLSQW/WB6n7nJtHqLXAqYrpjLL3ivR9icr04Zmql6+wU3fWRAWr4Mu4UcKh5ko4SsZk+DzbhSUnQ8IuCzOU39j3tx2Xbvm0rRCYZjje0jrjPiX88Dpk2C3CWBTU8tawssEZ7g1zc0a0wUGeBiTYKlXGSpy5hCNK725mQtvxeAZ/fbN87CFdC1UWyxExVSgiKJJu8Fmmp95QJGRfb+dmBGLcfsakaBvPtE2IE50uiMpb/iziTYr9hhJuXtnn8lJFlNGlxDurjvKj6BZ/wbmupYe4mkMt/JJFzgD9ZLsM1/ph66a8u1U0pz1cd/tZUsMrjQ5E5cKd4VPX+9DMgZugzXU0HA0CrsAm4eU7ukNbhA3u1MR12NYO4v+ytS/VtWWMBninlHABlE5A34E0FSUU9lNdSAG9k7diiX096m4WOPtahTec9QML7AZ7CXVA0FlRSEbMREiUFKEPpb5YP0owAkAsdmFKCmfG4FbBs8tCRouY/pcdi4GjgudLxN8QRiqKUQ== enterprise-support@support.baruwa.com
# == end key
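
In addition to the firewall rule, the key itself can be limited to the support address with the OpenSSH from= option in authorized_keys. This is an added example, not part of the Baruwa documentation; it assumes support sessions originate from the address shown above and that the key block has been saved to a file (support.pub is a hypothetical name).

```shell
#!/bin/sh
# Added example: install a support public key restricted to one source address.

# install_support_key KEYFILE AUTHFILE SOURCE_IP
# KEYFILE holds the public key as published (the "# ==" marker lines are
# ignored). The key is appended to AUTHFILE with a from="SOURCE_IP" option,
# so sshd accepts it only for connections from that address.
# Returns 0 when the restricted key is installed (or already was),
# 1 when KEYFILE has no key, 2 when the key is present without the restriction.
install_support_key() {
    keyfile=$1 authfile=$2 source_ip=$3
    key=$(grep -E '^(ssh-(rsa|ed25519)|ecdsa-sha2-[a-z0-9]+) ' "$keyfile" | head -n 1)
    if [ -z "$key" ]; then
        echo "no public key line found in $keyfile" >&2
        return 1
    fi
    # Match an existing entry on the base64 key body, not on the comment.
    blob=$(printf '%s\n' "$key" | awk '{ print $2 }')
    if [ -f "$authfile" ] && grep -qF -- "$blob" "$authfile"; then
        if grep -F -- "$blob" "$authfile" | grep -qF "from=\"$source_ip\""; then
            return 0
        fi
        echo "key already in $authfile without from=\"$source_ip\"" >&2
        return 2
    fi
    ( umask 077
      mkdir -p "$(dirname "$authfile")"
      printf 'from="%s" %s\n' "$source_ip" "$key" >> "$authfile" )
    chmod 600 "$authfile"
}

# Usage (hypothetical file name, address from this page):
#   install_support_key support.pub /root/.ssh/authorized_keys 84.200.48.209
```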

How do I get a Maxmind Account ID and License Key?

As of 30th Dec 2019 Maxmind requires an Account ID and a License Key to access the free GeoIP databases. Please refer to this post on their blog.

How do I fix geoipupdate error “Your account ID or license key is invalid”?

Update your system, then set the Maxmind Account ID and License Key settings in baruwa-setup.

How do I fix baruwa-setup error “Service searchd is already enabled, and is dead”?

Check the manticore log file /var/log/manticore/searchd.log. If you find the following error FATAL: invalid meta file /var/lib/manticore/binlog.meta, you need to remove the bin logs and restart the service as follows:

rm -vf /var/lib/manticore/binlog.*
service searchd start

You can then run baruwa-setup again and it should complete successfully.

How do I fix baruwa-setup error “augeas.change[baruwa-update-maxminddb-conf] failed => Error: Unable to save to file!”?

That error is caused by missing/unset MaxMind Settings.

In a cluster you need to run baruwa-setup without options and set the backend MaxMind Settings or the database MaxMind Settings. On successful completion of the baruwa-setup command you need to rerun it on the other cluster members to allow them to pick up the MaxMind Settings from the backend.

On a standalone system you need to run baruwa-setup without options and set the MaxMind Settings.