Baruwa Documentation Release 1.1.2

Andrew Colin Kissa

June 27, 2016

Contents

1 Introduction 3

2 Features 5

3 Screenshots 7

4 Requirements 9 4.1 Baruwa requirements...... 9 4.2 MailScanner requirements...... 9

5 Source Installation 11 5.1 Install Baruwa...... 11 5.2 Configure RabbitMQ...... 12 5.3 Configure Baruwa...... 12 5.4 Configure MailScanner...... 14 5.5 Testing...... 15 5.6 Need help...... 16 5.7 Distribution / OS installation...... 16

6 Baruwa on RHEL/SL/Centos 17 6.1 Install EPEL...... 17 6.2 Baruwa installation...... 17 6.3 Configure RabbitMQ...... 17 6.4 Configure Baruwa...... 18 6.5 Configure MailScanner...... 19 6.6 Testing...... 20 6.7 Need help...... 20

7 Baruwa on Fedora 21 7.1 Baruwa Installation...... 21 7.2 Configure RabbitMQ...... 21 7.3 Configure Baruwa...... 22 7.4 Configure MailScanner...... 23 7.5 Testing...... 24 7.6 Need help...... 24

8 Baruwa on Ubuntu/Debian 25 8.1 Install & Configure RabbitMQ...... 25 8.2 Configure RabbitMQ...... 25 8.3 Baruwa Apt install...... 25 8.4 Automated configuration...... 26 8.5 Configure MailScanner...... 26 8.6 Configure Baruwa...... 27

i 8.7 Testing...... 27 8.8 Need help...... 28

9 External authentication 29 9.1 SMTP, POP3, IMAP and RADIUS/RSA SECURID...... 29 9.2 ACTIVE DIRECTORY...... 29 9.3 LDAP...... 30

10 MTA Integration 31 10.1 Postﬁx...... 31 10.2 Exim...... 32

11 Clustered setups 33

12 Other batteries included 35 12.1 Command options and help...... 35 12.2 Quarantine management...... 35 12.3 Quarantine reports...... 35 12.4 Database maintenance...... 35 12.5 Spamassassin rule description updates...... 35 12.6 PDF reports...... 36 12.7 Mailq Stats updates...... 36 12.8 Email Signatures conﬁguration...... 36

13 Getting Help 37 13.1 How do I do X? Why doesn’t Y work? Where can I go to get help?...... 37 13.2 I think I’ve found a security problem! What should I do?...... 37 13.3 Can i get Commercial Support or pay for an installation...... 37

14 Contributing to Baruwa 39 14.1 Reporting bugs...... 39 14.2 Submitting patches...... 39 14.3 Documentation...... 39 14.4 Donations...... 39 14.5 Translation...... 40

15 Upgrading 41 15.1 1.1.2...... 41 15.2 1.1.1...... 41 15.3 1.1.0...... 42 15.4 1.0.2...... 42 15.5 1.0.1...... 42

16 Migrate from Mailwatch 43 16.1 User contributed tips...... 43

17 User Guide 45 17.1 Interface primer...... 45 17.2 FAQ’s...... 47

18 Older documentation 49

ii Baruwa Documentation, Release 1.1.2

Release 1.1.2 Build Date June 27, 2016 Baruwa (swahili for letter or mail) is a web 2.0 MailScanner front-end. It provides an easy to use interface for managing a MailScanner installation. It is used to perform operations such as releasing quarantined messages, bayesian learning, whitelisting and blacklisting addresses, monitoring the health of the services etc. Baruwa is implemented using web 2.0 features (AJAX) where deemed ﬁt, graphing is also implemented on the client side using SVG, Silverlight or VML. Baruwa has full support for i18n, letting you support any language of your choosing. It includes reporting functionality with an easy to use query builder, results can be displayed as message lists or graphed as colorful and pretty interactive graphs. Custom MailScanner modules are provided to allow for logging of messages to the mysql database with SQLite as backup, managing whitelists and blacklists and managing per user spam check settings. Baruwa is open source software, written in Python/Perl using the Django Framework and MySQL or PostgreSQL for storage, it is released under the GPLv2 and is available for free download.

Contents 1 Baruwa Documentation, Release 1.1.2

2 Contents CHAPTER 1

Introduction

Baruwa (swahili for letter or mail) is a web 2.0 MailScanner front-end. It provides an easy to use interface for managing a MailScanner installation. It is used to perform operations such as releasing quarantined messages, bayesian learning, whitelisting and blacklisting addresses, monitoring the health of the services etc. Baruwa is implemented using web 2.0 features (AJAX) where deemed ﬁt, graphing is also implemented on the client side using SVG, Silverlight or VML. Baruwa has full support for i18n, letting you support any language of your choosing. It includes reporting functionality with an easy to use query builder, results can be displayed as message lists or graphed as colorful and pretty interactive graphs. Custom MailScanner modules are provided to allow for logging of messages to the mysql database with SQLite as backup, managing whitelists and blacklists and managing per user spam check settings. Baruwa is open source software, written in Python/Perl using the Django Framework and MySQL or PostgreSQL for storage, it is released under the GPLv2 and is available for free download.

3 Baruwa Documentation, Release 1.1.2

4 Chapter 1. Introduction CHAPTER 2

Features

• AJAX support for most operations • Reporting with AJAX enabled query builder • I18n support, allows use of multiple languages • Signature management / Branding • Mail queue management and reporting • Interactive SVG graphs • Emailed PDF reports • Archiving of old message logs • SQLite backup prevents data loss when MySQL or PostgreSQL is down • MTA integration for relay domains and transports configuration • Multi user profiles (No restrictions on username format) • User profile aware white/blacklist management • Ip / network addresses supported in white/blacklist manager • Easy plug-in authentication to external authentication systems (POP3, IMAP, SMTP, Active Directory and RADIUS supported out of the box) • Tools for housekeeping tasks (quarantine management, rule updates, quarantine notifications, etc) • Easy clustering of multiple servers • Works both with and without Javascript enabled (graphs require Javascript)

5 Baruwa Documentation, Release 1.1.2

6 Chapter 2. Features CHAPTER 3

Screenshots

Screenshots are on our site.

7 Baruwa Documentation, Release 1.1.2

8 Chapter 3. Screenshots CHAPTER 4

Requirements

4.1 Baruwa requirements

• Python >= 2.4 • Django >= 1.2 • django-celery • django-south • MySQL-Python >= 1.2.1p2 or Psycopg • GeoIP-Python • iPy • Any Web server that can run Django (Apache/mod_wsgi recommended) • A supported Message broker (RabbitMQ recommended) • MySQL or PostgreSQL • Dojo toolkit >= 1.5.0 • Reportlab • Lxml • Anyjson • UUID (Only for python 2.4) • Sphinx (Optional - to build documentation) • Pyrad (Optional for RADIUS/RSA SECURID authentication) • Python ldap (optional for Active directory authentication)

4.2 MailScanner requirements

• MailScanner >= 4.80.10-1 • DBI • DBD-MySQL or DBD-Pg • DBD-SQLite

9 Baruwa Documentation, Release 1.1.2

10 Chapter 4. Requirements CHAPTER 5

Source Installation

Note: Packages are available for Debian/Ubuntu, RHEL/SL/Centos and Fedora if you are using one of those OS’s rather install using the packages.

If you do not want to install to your global python directories or are just testing it is advised that you use a virtualenv python install. Virtualenv allows you to run multiple python installs and is easily managed as you do not need to be a privileged user to install packages. For more info on virtualenv please refer to its documentation.

5.1 Install Baruwa

You can install Baruwa either via the Python Package Index (PyPI) or from source.

5.1.1 Install via the Python Package Index (PyPI)

To install using pip: # pip install baruwa < 2.0.0

To install using easy_install: # easy_install baruwa < 2.0.0

5.1.2 Downloading and installing from source

Download the latest version of Baruwa 1.0 from PyPI You can install it by doing the following,: # tar xvfz baruwa-.tar.gz # cd baruwa- # python setup.py install

5.1.3 Using the development version

You can clone the repository by doing the following:

11 Baruwa Documentation, Release 1.1.2

# git clone git://github.com/akissa/baruwa.git # cd baruwa # python setup.py install

5.1.4 Install the Python GeoIP module

You need to install this manually as it does not build cleanly when installed automatically during Baruwa’s installation: # wget http://geolite.maxmind.com/download/geoip/api/python/GeoIP-Python-1.2.4.tar.gz # tar xzvf GeoIP-Python-1.2.4.tar.gz # cd GeoIP-Python-1.2.4 # python setup.py install

Link the Baruwa settings ﬁle to /etc/baruwa: # mkdir /etc/baruwa # baruwa_path=$(python -c "from distutils.sysconfig import get_python_lib; print get_python_lib()") # ln -s $baruwa_path/baruwa/settings.py /etc/baruwa/

5.2 Conﬁgure RabbitMQ

Create a user and virtual host for baruwa: # rabbitmqctl add_user baruwa your_password # rabbitmqctl add_vhost baruwa # rabbitmqctl set_permissions -p baruwa baruwa ".*" ".*" ".*"

Delete the guest user: # rabbitmqctl delete_user guest

See the RabbitMQ Admin Guide for more information.

Note: Please ensure that you control access to your RabbitMQ install as to prevent an unauthorized clients from accessing your broker.

5.3 Conﬁgure Baruwa

Create the database: # mysqladmin -u root -p create baruwa

Create a Mysql user for baruwa Run the command from the mysql prompt: mysql> GRANT ALL ON baruwa.* TO baruwa@localhost IDENTIFIED BY ''; mysql> flush privileges;

Note: You may want to secure your system by creating several users will limited rights as opposed to the above where the user has full access to the DB.

Conﬁgure the Baruwa settings

12 Chapter 5. Source Installation Baruwa Documentation, Release 1.1.2

Edit the Baruwa settings.py ﬁle: # vi /etc/baruwa/settings.py

Set the following options under the default DATABASE option: NAME='baruwa' USER='baruwa' PASSWORD='' HOST='localhost'

Populate the database: # baruwa-admin syncdb --noinput # for name in $(echo "accounts messages lists reports status fixups config"); do baruwa-admin migrate $name; done

Create the admin user account: # baruwa-admin createsuperuser

Set the rabbitMQ settings: CELERY_CONCURRENCY= 20 BROKER_HOST="localhost" BROKER_PORT= 5672 BROKER_USER="baruwa" BROKER_PASSWORD="your_password" BROKER_VHOST="baruwa"

Edit the settings.py ﬁle and make conﬁguration changes to suit your site.: # vi /etc/baruwa/settings.py

Warning: Make sure you change the SECRET_KEY, DO NOT USE THE DEFAULT, If you have a cluster the key should be the same on all the machines in the cluster.

Link to the dojo toolkit: # ln -s /path/to/dojo $baruwa_path/baruwa/static/js # ln -s /path/to/dojox $baruwa_path/baruwa/static/js # ln -s /path/to/dijit $baruwa_path/baruwa/static/js

Configure celeryd to run as a daemon You need to run celeryd as a daemon in order to process tasks such as Bayesian learning and message releases from the quarantine etc etc. Download the appropriate init script for your OS from the celery repository, then read the celery documentation on how to run celeryd as a daemon on your specific OS. Make sure you configure your system using the Django configuration examples. If you have any difficulties please refer to the Baruwa mailing list for assistance. Configure Email Signature management Baruwa now supports the management of email signatures / disclaimers from within the web interface. Signatures are configured on a domain and user level. Both HTML and text signatures are supported, HTML signatures support embedding of one graphical image, which can be uploaded via the HTML editor interface. The backend that handles the signatures needs to be initialized before you can begin to manage the signatures via the interface. To initialize the backend run:

5.3. Conﬁgure Baruwa 13 Baruwa Documentation, Release 1.1.2

# baruwa-admin initconfig

This will ask you for the hostname of the system you are setting up, and then initialize the system for you. The command does attempt to guess your hostname, so if its correct just press enter. You need to initialize each of your machines if you are running a clustered setup. If you are installing from source you need to create the directory structure to store you signature ﬁles: # install -p /etc/MailScanner/signatures/{users,domains}/{html,text,imgs} # chown celeryd.celeryd -R /etc/MailScanner/signatures/{users,domains}

5.3.1 Conﬁgure the Web server

Apache/mod_wsgi Make sure you have mod_wsgi installed and enabled. Use the sample configuration provided (extras/baruwa-mod_wsgi.conf) as a template. Copy to your apache configuration directory usually /etc/httpd/conf.d on Redhat and clones or /etc/apache2/conf.d/ on debian and clones. For others refer to your system docs for the location. Make sure that your apache is configured for name based virtual hosting such that you can run other sites on the same box if you wish to. Edit baruwa-mod_wsgi.conf and set ServerName to the hostname you will use to access baruwa

Note: If you installed using virtualenv, you need to customize and use virtual.wsgi instead of baruwa.wsgi in your mod_wsgi conﬁguration.

Restart apache for the conﬁguration to take effect.: # /etc/init.d/httpd reload

Lighttpd Use the generic Lighttpd django instructions. Nginx Use the nginx instructions from the nginx wiki Cherokee Use the cherokee cookbook instructions.

5.4 Conﬁgure MailScanner

It is assumed that you have a working MailScanner system already installed and conﬁgured, if you are installing from scratch please refer to their documentation on how to install and conﬁgure MailScanner. Install the Baruwa MailScanner Custom modules Copy them to the MailScanner custom functions directory: # confdir=$(/usr/sbin/Quick.Peek 'Custom Functions Dir' /etc/MailScanner/MailScanner.conf) # cp extras/{BaruwaSQL.pm, BaruwaLists.pm, BaruwaUserSettings.pm} $confdir/

Note: Starting with Baruwa version 1.1.0 you no longer have to edit and set the DB authentication details in each and every Custom module, you just set them up once in the MailScanner conﬁguration ﬁle, A sample

14 Chapter 5. Source Installation Baruwa Documentation, Release 1.1.2 configuration file is provided you simply customize that and drop it into the configuration directory and it will override the settings in your MailScanner.conf file.

Edit the provided MailScanner conﬁg ﬁle extras/baruwa-mailscanner.conf, you need to make sure the following options are correct: Quarantine User = exim #(Or what ever your `Run As User` is set to) DB DSN = DBI:mysql:database=baruwa;host=spam01;port=3306 #set to valid DSN DB Username = baruwa # your DB username DB Password = password # your DB password

To actually quarantine and later process messages with in Baruwa, set store as one of your keywords for the Spam Actions and High Scoring Spam Actions MailScanner options. The provided MailScanner configuration provides for SQL logging, Whitelists and Blacklists and Per user settings. Copy the file into the MailScanner configuration directory: # cp extras/baruwa-mailscanner.conf /etc/MailScanner/conf.d/baruwa.conf

In some cases your MailScanner conﬁguration directory is under /opt: # cp extras/baruwa-mailscanner.conf /opt/etc/MailScanner/conf.d/baruwa.conf

Apply conﬁguration changes Test your conﬁguration for any errors: # MailScanner --lint

Restart MailScanner: # /etc/init.d/MailScanner restart

5.5 Testing

Verify that is working Check your log ﬁles you should see Baruwa SQL logger: Aug 9 18:58:27 localhost MailScanner[8470]: Logging message 1OiVg7-0003zS-9s to Baruwa SQL Aug 9 18:58:27 localhost MailScanner[11052]: 1OiVg7-0003zS-9s: Logged to Baruwa SQL

Baruwa Lists: Aug 9 18:32:42 localhost MailScanner[27260]: Starting Baruwa whitelists Aug 9 18:32:42 localhost MailScanner[27260]: Read 6 whitelist items Aug 9 18:32:42 localhost MailScanner[27260]: Ip blocks whitelisted 192.168.1.0/24 192.168.2.0/24 xxx.xx.xxx.0/26

Baruwa User settings: Aug 9 15:00:03 localhost MailScanner[25708]: Baruwa - Populating spam score settings Aug 9 15:00:03 localhost MailScanner[25708]: Read 1 spam score settings Aug 9 14:59:53 localhost MailScanner[25668]: Baruwa - Populating high spam score settings Aug 9 14:59:53 localhost MailScanner[25668]: Read 1 high spam score settings

Point your browser to http://hostname_used login with admin user and password and start working. You can now use the interface to add users, domains and process messages, etc etc.

5.5. Testing 15 Baruwa Documentation, Release 1.1.2

5.6 Need help

If your installation is not working as expected, support is available, you can get free and friendly support from the list or paid support from the author or other companies that support baruwa.

5.7 Distribution / OS installation

• Baruwa on RHEL/SL/Centos. • Baruwa on Fedora. • Baruwa on Ubuntu/Debian.

16 Chapter 5. Source Installation CHAPTER 6

Baruwa on RHEL/SL/Centos

The Baruwa rpm that is provided only supports Apache out of the box, if you are running a different web server, please install from source or rebuild the source rpm to support your web server.

6.1 Install EPEL

The EPEL repo provides packages which are in Fedora but no yet included in RHEL/SL/CENTOS. Instructions on installing it can be found on EPEL You need to install this repo in order to access certain packages that are required by Baruwa.

6.2 Baruwa installation

A Baruwa RHEL/SL/Centos repo is now available at http://repo.baruwa.org/ To install from this repo you need to enable the repo EL-5: # rpm -Uvh http://repo.baruwa.org/el5/i386/baruwa-release-5-0.noarch.rpm

EL-6: # rpm -Uvh http://repo.baruwa.org/el6/i386/baruwa-release-6-0.noarch.rpm

Install the dependencies: # yum install mysql-server mod_wsgi rabbitmq-server

Note: If you are installing on RHEL/CENTOS 6 you need to run yum install django-pickleﬁeld

Install Baruwa, all the required dependencies not in the other repo’s will be resolved by packages shipped by the Baruwa repo: # yum install baruwa

6.3 Conﬁgure RabbitMQ

Create a user and virtual host for baruwa:

17 Baruwa Documentation, Release 1.1.2

# rabbitmqctl add_user baruwa your_password # rabbitmqctl add_vhost baruwa # rabbitmqctl set_permissions -p baruwa baruwa ".*" ".*" ".*"

Delete the guest user: # rabbitmqctl delete_user guest

See the RabbitMQ Admin Guide for more information.

Note: Please ensure that you control access to your RabbitMQ install as to prevent an unauthorized clients from accessing your broker.

6.4 Conﬁgure Baruwa

Create the database: # mysqladmin -u root -p create baruwa

Create a Mysql user for baruwa Run the command from the mysql prompt: mysql> GRANT ALL ON baruwa.* TO baruwa@localhost IDENTIFIED BY ''; mysql> flush privileges;

Note: You may want to secure your system by creating several users will limited rights as opposed to the above where the user has full access to the DB.

Conﬁgure the Baruwa settings Edit the Baruwa settings.py ﬁle: # vi /etc/baruwa/settings.py

Set the following options under the default DATABASE option: NAME='baruwa' USER='baruwa' PASSWORD='' HOST='localhost'

Populate the database: # baruwa-admin syncdb --noinput # for name in $(echo "accounts messages lists reports status fixups config"); do baruwa-admin migrate $name; done

Create the admin user account: # baruwa-admin createsuperuser

Set the rabbitMQ settings: CELERY_CONCURRENCY= 20 BROKER_HOST="localhost" BROKER_PORT= 5672 BROKER_USER="baruwa"

18 Chapter 6. Baruwa on RHEL/SL/Centos Baruwa Documentation, Release 1.1.2

BROKER_PASSWORD="your_password" BROKER_VHOST="baruwa"

Edit the settings.py ﬁle and make conﬁguration changes to suit your site.: # vi /etc/baruwa/settings.py

Warning: Make sure you change the SECRET_KEY, DO NOT USE THE DEFAULT, If you have a cluster the key should be the same on all the machines in the cluster.

Configure celeryd to run as a daemon You need to run celeryd as a daemon in order to process tasks such as Bayesian learning and message releases from the quarantine etc etc. An init script /etc/init.d/baruwa and configuration file /etc/sysconfig/baruwa are installed by the Baruwa rpm all you need to do is enable celeryd to be started at system boot by running: # chkconfig --level 35 baruwa on # service baruwa start

Conﬁgure Email Signature management Baruwa now supports the management of email signatures / disclaimers from within the web interface. Signatures are conﬁgured on a domain and user level. Both HTML and text signatures are supported, HTML signatures support embedding of one graphical image, which can be uploaded via the HTML editor interface. The backend that handles the signatures needs to be initialized before you can begin to manage the signatures via the interface. To initialize the backend run: # baruwa-admin initconfig

This will ask you for the hostname of the system you are setting up, and then initialize the system for you. The command does attempt to guess your hostname, so if its correct just press enter. You need to initialize each of your machines if you are running a clustered setup. Setup Web server Edit your apache conﬁgurations to enable virtual hosting if not enabled already. Then set the correct hostname in /etc/httpd/conf.d/baruwa.conf: # change to your hostname ServerName baruwa-alpha.local

Make sure mod_wsgi is enabled, uncomment the following line in /etc/httpd/conf.d/wsgi.conf: LoadModule wsgi_module modules/mod_wsgi.so

Restart apache.

6.5 Conﬁgure MailScanner

It is assumed that you have a working MailScanner system already conﬁgured, if you are installing from scratch please refer to their documentation on how to conﬁgure MailScanner. The Baruwa repo includes mailscanner and it will be installed automatically when you install baruwa.

6.5. Conﬁgure MailScanner 19 Baruwa Documentation, Release 1.1.2

Edit the provided Baruwa MailScanner conﬁg ﬁle /etc/MailScanner/conf.d/baruwa.conf, you need to make sure the following options are correct: Quarantine User = exim #(Or what ever your `Run As User` is set to) DB DSN = DBI:mysql:database=baruwa;host=spam01;port=3306 #set to valid DSN DB Username = baruwa # your DB username DB Password = password # your DB password

To actually quarantine and later process messages with in Baruwa, set store as one of your keywords for the Spam Actions and High Scoring Spam Actions MailScanner options. The provided MailScanner configuration provides for SQL logging, Whitelists and Blacklists and Per user settings. Apply configuration changes Test your configuration for any errors: # MailScanner --lint

Restart MailScanner: # /etc/init.d/mailscanner restart

6.6 Testing

Point your browser to http://hostname_used login with admin user and password and start working. You can now use the interface to add users, domains and process messages, etc etc.

6.7 Need help

If your installation is not working as expected, support is available, you can get free and friendly support from the list or paid support from the author or other companies that support baruwa.

20 Chapter 6. Baruwa on RHEL/SL/Centos CHAPTER 7

Baruwa on Fedora

The Baruwa rpm that is provided only supports apache out of the box, if you are running a different web server, please install from source or rebuild the source rpm to support your web server.

7.1 Baruwa Installation

A Baruwa Fedora repo is now available at http://repo.baruwa.org/

Note: The Baruwa Fedora repo also ships the mailscanner rpm package.

To install from this repo you need to enable the repo: # rpm -Uvh http://repo.baruwa.org/f15/i386/baruwa-release-15-0.noarch.rpm

Install the dependencies: # yum install mysql-server rabbitmq-server python-amqplib django-picklefield

Install Baruwa: # yum install baruwa

7.2 Conﬁgure RabbitMQ

Create a user and virtual host for baruwa: # rabbitmqctl add_user baruwa your_password # rabbitmqctl add_vhost baruwa # rabbitmqctl set_permissions -p baruwa baruwa ".*" ".*" ".*"

Delete the guest user: # rabbitmqctl delete_user guest

See the RabbitMQ Admin Guide for more information.

Note: Please ensure that you control access to your RabbitMQ install as to prevent an unauthorized clients from accessing your broker.

21 Baruwa Documentation, Release 1.1.2

7.3 Conﬁgure Baruwa