We will soon release BaruwaOS 6.7.4. This post highlights some of the features and changes that will be introduced as part of this release.
Beginning with BaruwaOS 6.7.4, backend systems will require a PAID subscription. Existing systems installed before 6.7.4 is released are exempt from this requirement.
The configuration of Standalone profiles has been simplified: there are fewer screens, and most of the credentials are now generated automatically.
This reduces human error and improves security, since strong credentials are generated rather than chosen by hand.
The baruwa-setup utility now includes an option to refresh the automatically generated system credentials. To regenerate them, run baruwa-setup with the -g option.
A new built-in caching mechanism has been added that can replace the current memcached solution.
The built-in cache is the default cache on new Standalone installations and can also be used on the Web and Mail System and Web Interface System profiles.
In a clustered setup, port 11211 (UDP, see the port table below) must be allowed inbound on each node; the nodes use this port to replicate cache data between themselves. Allow it only from the addresses of the other cluster nodes, not from the wider network.
The memcached cache can still be used; the Enable Memcache option on the Management Other Settings screen of the baruwa-setup utility enables or disables memcached.
This option is useful in environments where memcached errors are frequent.
A loose cluster master system has been introduced: nodes in a cluster can now elect a leader node.
The leader node performs the tasks that must only be carried out by one system in the cluster at a time, such as sending reports or cleaning up the quarantine.
The cluster traffic used to elect the leader is sent on port 3542 (UDP), which must be allowed on firewalls between the nodes in both directions.
Cluster leader elections only take place on Web and Mail System nodes.
The other profiles use a distributed locking system to ensure that a task is executed by only one server in the cluster.
The data import system has been overhauled. The previous system was unable to import all the data required to set up a fully functional system.
The new system uses the YAML format to import organizations, relay settings, domain administrators, domains, domain aliases, delivery servers, authentication servers and user accounts.
It is also possible to import only domains into an existing organization, or only accounts into an existing domain.
The old system, which used CSV files, has been removed.
The data export system has been overhauled. The previous system was unable to export all the setup data.
The new system exports data in the YAML format and includes almost all the configuration data on the system.
An exported organization includes all the data within it: relay settings, domain administrators, domains, domain aliases, delivery servers, authentication servers, lists, signatures, DKIM settings and user accounts.
It is also possible to export individual domains and accounts together with the data contained in those containers.
Passwords are not part of the data export; the password entries are blank in any export file, so credentials must be re-established after an import.
The old system, which exported data to CSV files, has been removed.
On Standalone and Web and Mail System profiles, scheduled tasks are now run by the uWSGI system rather than by the traditional cron system.
This integrates with the Cluster Master system to ensure that each scheduled task is run by only one node in a cluster.
On the same profiles, backend tasks are also run by the uWSGI system, so the standalone Baruwa service is no longer required or installed.
Mail System profiles do not run the uWSGI system; on those, a baruwa-service package is installed, which provides the standalone Baruwa service.
It is now possible to encrypt all traffic between backend and front-end nodes, and between the backend nodes themselves.
The Encrypt all backend traffic option installs a TLS tunneling service that encrypts each application stream at the source and decrypts it at the destination.
The option can also be used on a LAN to prevent data from being captured by sniffing packets.
Certificates are authenticated by certificate pinning, which means the server's certificate has to be copied to each client. Copy it over a trusted channel and compare its fingerprint on both ends, since the client will trust exactly what the pinned file contains; and because the match is against that specific certificate, the pinned file must be replaced whenever the server certificate is renewed, or the client will stop connecting.
On the client side the certificate is stored in /etc/pki/baruwa/certs/_IPADDRESS_.pem, where _IPADDRESS_ is the IP address of the server as configured in the baruwa-setup utility.
The Encrypt all backend traffic option must be configured on all systems in the cluster, front end and backend alike, for the cluster to function correctly.
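The pin handling described above, as an added example (this is not code from the Baruwa project or the original post). The directory layout /etc/pki/baruwa/certs/<server IP>.pem is taken from the release notes; the function names, the fail-closed policy and the requirement to supply a fingerprint obtained out of band before a pin is installed are this example's own assumptions. The "certificates" in demo() are constructed placeholder bytes: pinning compares the DER blob's hash, so a real X.509 body is not needed to show the mechanism.

```python
"""Pinned-certificate helpers for the per-server files under /etc/pki/baruwa/certs/."""
import hashlib
import hmac
import os
import ssl
import tempfile

PIN_DIR = "/etc/pki/baruwa/certs"  # layout from the release notes: <server ip>.pem


def pin_path(server_ip, pin_dir=PIN_DIR):
    """One pinned certificate per backend server, named by its configured IP."""
    return os.path.join(pin_dir, f"{server_ip}.pem")


def fingerprint(der_bytes):
    """SHA-256 over the DER encoding, the value 'openssl x509 -fingerprint -sha256' prints (without colons)."""
    return hashlib.sha256(der_bytes).hexdigest()


def install_pin(server_ip, pem, expected_sha256, pin_dir=PIN_DIR):
    """Write the pin file only if the PEM matches a fingerprint read off the server itself.

    A certificate copied over an unauthenticated channel is only as trustworthy as that
    channel, so the caller must pass the fingerprint obtained out of band (assumed policy).
    """
    der = ssl.PEM_cert_to_DER_cert(pem.strip())
    expected = expected_sha256.replace(":", "").lower()
    if not hmac.compare_digest(fingerprint(der), expected):
        raise ValueError(f"certificate for {server_ip} does not match the expected fingerprint")
    os.makedirs(pin_dir, mode=0o755, exist_ok=True)
    path = pin_path(server_ip, pin_dir)
    # the pin is public data: world-readable, but writable only by the owner
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o644)
    with os.fdopen(fd, "w") as fh:
        fh.write(pem.strip() + "\n")
    return path


def peer_matches_pin(server_ip, peer_der, pin_dir=PIN_DIR):
    """Fail closed: a missing pin file, an unreadable pin, or a mismatch all mean 'do not connect'."""
    try:
        with open(pin_path(server_ip, pin_dir), "r", encoding="ascii") as fh:
            pinned = ssl.PEM_cert_to_DER_cert(fh.read().strip())
    except (OSError, ValueError):
        return False
    # exact-certificate match: a renewed server certificate fails until the pin is updated
    return hmac.compare_digest(fingerprint(pinned), fingerprint(peer_der))


def demo():
    """Run the flow against a temporary pin directory and return the outcomes."""
    # constructed placeholders, not real certificates
    server_der = b"constructed placeholder DER for 10.0.0.5"
    other_der = b"constructed placeholder DER for some other server"
    pem = ssl.DER_cert_to_PEM_cert(server_der)
    with tempfile.TemporaryDirectory() as pin_dir:
        # in real use the fingerprint argument comes from the server console, not from the copied file
        install_pin("10.0.0.5", pem, fingerprint(server_der), pin_dir)
        try:
            install_pin("10.0.0.7", pem, fingerprint(other_der), pin_dir)
            wrong_fp_rejected = False
        except ValueError:
            wrong_fp_rejected = True
        return {
            "match": peer_matches_pin("10.0.0.5", server_der, pin_dir),
            "other_cert": peer_matches_pin("10.0.0.5", other_der, pin_dir),
            "no_pin": peer_matches_pin("10.0.0.6", server_der, pin_dir),
            "wrong_fp_rejected": wrong_fp_rejected,
        }


if __name__ == "__main__":
    print(demo())
```

The peer's DER bytes would come from the tunnel's TLS layer (for a Python client, `sock.getpeercert(binary_form=True)`); the check deliberately compares the whole certificate rather than chaining to a CA, which is what pinning means here.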
Previously, only strong ciphers were allowed on all SMTP connections. To improve interoperability with other mail systems, port 25 now accepts the normal cipher set; ports 465 and 587 still require strong ciphers.
Please refer to SMTP Authentication below for the impact of this change.
This release supports additional anti-virus engines alongside the built-in ClamAV engine.
SNMP monitoring is now supported.
The HTTP service now supports the PROXY protocol, so the Baruwa web services can be placed behind load balancers that support it, such as HAProxy and Amazon ELB. The PROXY protocol makes the real client IP address visible to the Baruwa service instead of having every request appear to come from the load balancer. Because the client address in a PROXY header is supplied by whoever opens the connection, make sure only the load balancer can reach the service directly; otherwise a client connecting around it could forge the source address recorded in the logs.
The SMTP service already supports the PROXY protocol.
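The PROXY protocol v1 header that HAProxy and Amazon ELB prepend, and the trusted-source check a receiving service needs, as an added example (not code from the Baruwa project or the original post). The header format is the published PROXY protocol v1 text line; the TRUSTED_PROXIES set, the sample addresses and the function names are this example's assumptions, constructed for illustration.

```python
"""PROXY protocol v1 header parsing with a trusted-proxy check."""
import ipaddress

# Constructed for this example: the load balancers allowed to prepend a PROXY header.
# Any other peer that sends one is spoofing a client address (or is misconfigured).
TRUSTED_PROXIES = frozenset({ipaddress.ip_address("10.0.0.10"), ipaddress.ip_address("10.0.0.11")})

MAX_V1_HEADER = 107  # longest legal v1 line (TCP6 with full addresses), CRLF included


class ProxyHeaderError(ValueError):
    pass


def parse_proxy_v1(line):
    """Parse one PROXY v1 header line (bytes, CRLF included).

    Returns (src_ip, src_port, dst_ip, dst_port) or None for 'PROXY UNKNOWN ...',
    which means the proxy is not relaying client information. Raises
    ProxyHeaderError for anything malformed; the caller should drop the connection.
    """
    if len(line) > MAX_V1_HEADER or not line.endswith(b"\r\n"):
        raise ProxyHeaderError("header must be at most 107 bytes and end with CRLF")
    try:
        fields = line[:-2].decode("ascii").split(" ")  # single spaces only, per the spec
    except UnicodeDecodeError:
        raise ProxyHeaderError("header is not ASCII") from None
    if fields[0] != "PROXY" or len(fields) < 2:
        raise ProxyHeaderError("missing PROXY keyword")
    family = fields[1]
    if family == "UNKNOWN":
        return None
    if family not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ProxyHeaderError("expected 'PROXY TCP4|TCP6 src dst sport dport'")
    version = 4 if family == "TCP4" else 6
    try:
        src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    except ValueError:
        raise ProxyHeaderError("bad address") from None
    if src.version != version or dst.version != version:
        raise ProxyHeaderError("address does not match the declared family")
    ports = []
    for text in fields[4:]:
        # digits only, no sign, no leading zeros; the spec forbids all of those
        if not text.isdigit() or (len(text) > 1 and text[0] == "0"):
            raise ProxyHeaderError("bad port")
        port = int(text)
        if port > 65535:
            raise ProxyHeaderError("port out of range")
        ports.append(port)
    return src, ports[0], dst, ports[1]


def effective_client(peer_ip, first_line):
    """Return the address to log and rate-limit on, as a string.

    peer_ip is the TCP peer of the accepted socket; first_line is the first line read
    from it. Only a trusted proxy may override the peer address with a PROXY header.
    """
    peer = ipaddress.ip_address(peer_ip)
    if peer not in TRUSTED_PROXIES:
        # Never honour a PROXY line from an arbitrary client: it would let anyone pick
        # the address that appears in the logs and in any IP-based access control.
        raise ProxyHeaderError(f"PROXY header from untrusted peer {peer}")
    parsed = parse_proxy_v1(first_line)
    if parsed is None:
        return str(peer)  # UNKNOWN: fall back to the proxy's own address
    return str(parsed[0])


def rejected(peer_ip, first_line):
    """True if the connection would be dropped rather than attributed to a client."""
    try:
        effective_client(peer_ip, first_line)
    except ProxyHeaderError:
        return True
    return False


if __name__ == "__main__":
    print(effective_client("10.0.0.10", b"PROXY TCP4 198.51.100.7 10.0.0.5 56324 443\r\n"))
```

The header must be read from the very start of the stream and consumed before any application data is parsed; on the HAProxy side the matching setting is `send-proxy` on the backend server line.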
The HTTP service can now log to syslog, so its logs can be aggregated and processed centrally.
The SMTP service already supports logging to syslog.
Added support for get domain by name
The following additional ports are now used:

| Port  | Protocol | Direction     | Purpose            |
|-------|----------|---------------|--------------------|
| 11211 | UDP      | between nodes | cache sync traffic |
| 3542  | UDP      | between nodes | cluster traffic    |
SMTP authentication on port 25 is no longer supported, as a consequence of the SMTP TLS cipher change. SMTP AUTH is now only offered on ports 465 and 587, which still require strong ciphers.
Relay settings that authenticate on port 25 must be updated to use one of those ports.
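A post-upgrade check for the AUTH change above, as an added example (not code from the Baruwa project or the original post): port 25 must not advertise AUTH, ports 465 and 587 must. auth_mechanisms() works offline on a captured EHLO response; probe() performs the same check live with the standard smtplib module. The EHLO responses embedded below are constructed for this example, not captured from a real system, and the policy function encodes only what the release notes state.

```python
"""Check which SMTP ports advertise AUTH after the 6.7.4 cipher change."""
import smtplib
import ssl

# Constructed EHLO responses, as a server would send them in reply to the client's EHLO.
EHLO_PORT_25 = (
    b"250-mail.example.com\r\n"
    b"250-SIZE 52428800\r\n"
    b"250-STARTTLS\r\n"
    b"250 8BITMIME\r\n"
)
EHLO_PORT_587 = (
    b"250-mail.example.com\r\n"
    b"250-AUTH PLAIN LOGIN\r\n"
    b"250-AUTH=PLAIN LOGIN\r\n"  # legacy spelling some old clients still need
    b"250 8BITMIME\r\n"
)


def auth_mechanisms(ehlo_response):
    """Return the sorted list of AUTH mechanisms advertised in an EHLO response (bytes)."""
    mechs = set()
    for raw in ehlo_response.splitlines():
        line = raw.decode("ascii", "replace").strip()
        # extension lines are "250-KEYWORD params" (more follow) or "250 KEYWORD params" (last)
        if len(line) < 5 or not line.startswith("250") or line[3] not in "- ":
            continue
        words = line[4:].replace("=", " ", 1).split()
        if words and words[0].upper() == "AUTH":
            mechs.update(w.upper() for w in words[1:])
    return sorted(mechs)


def matches_policy(port, mechs):
    """True when the advertised AUTH state on `port` matches the 6.7.4 policy."""
    if port == 25:
        return not mechs      # relay port: no AUTH at all
    if port in (465, 587):
        return bool(mechs)    # submission ports: AUTH must be offered
    raise ValueError(f"no AUTH policy defined for port {port}")


def probe(host, port, timeout=10):
    """Live check (needs network): EHLO, STARTTLS where offered, EHLO again.

    Returns the union of mechanisms seen before and after STARTTLS, since a server
    that only advertises AUTH inside TLS is still offering it on that port.
    """
    ctx = ssl.create_default_context()
    if port == 465:
        conn = smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx)
    else:
        conn = smtplib.SMTP(host, port, timeout=timeout)
    try:
        seen = set()
        conn.ehlo()
        seen.update(conn.esmtp_features.get("auth", "").split())
        if port != 465 and conn.has_extn("starttls"):
            conn.starttls(context=ctx)
            conn.ehlo()
            seen.update(conn.esmtp_features.get("auth", "").split())
        return sorted(m.upper() for m in seen)
    finally:
        conn.quit()


if __name__ == "__main__":
    for port, response in ((25, EHLO_PORT_25), (587, EHLO_PORT_587)):
        mechs = auth_mechanisms(response)
        print(port, mechs, "OK" if matches_policy(port, mechs) else "NEEDS ATTENTION")
```

To run it against a real host, replace the constructed responses with `probe("mail.example.com", 25)` and `probe("mail.example.com", 587)`; a relay configuration that still authenticates on port 25 will show up as an empty mechanism list where the relay expects one.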
The Puppet configuration management system has been removed from BaruwaOS. The only supported configuration engine is now Salt.
It is still possible to import puppet manifests as part of the upgrade.
On Standalone profiles memcached has been deprecated; the built-in cache system is now the default.
Messages that fail DKIM checks will no longer be blocked at SMTP time.
Importing of domains and accounts from CSV files is no longer supported. The CSV system has been replaced by the YAML Imports system.
Exporting of domains and accounts to CSV files is no longer supported. The CSV system has been replaced by the YAML Exports system.