Re: Exim, SpamAssassin and AV-advice needed



On Fri, Jan 10, 2003 at 03:51:52PM +0100, Kjetil Kjernsmo wrote:
| Hi folks!
| 
| I have some real trouble with my mail server. It is running on a Pentium 
| PRO 180 MHz box with 96 MB RAM, and last night the whole thing almost 
| died. My analysis of the situation makes me think that I need to work a 
| lot more on my config. 

| Short version: Has anybody made a setup of Exim, SpamAssassin and some 
| anti-virus-software (amavis, clamav etc) that does the following:

More-or-less.  A lot of the (snipped) requirements are variations on
the same theme.

| Long version: I did apparently get hit rather badly by a bunch of 
| e-mails with large virus-attachments last night at about 3am my time. 

Some virii can be trivially trashed with a simple string or regex
match.  I feel that an entire AV scanner is overkill.  If you upgrade
to exim 4 you can use the ACLs to reject (not bounce) that sort of
junk during the SMTP conversation.

| At the same time, some lists I administer on a server with an old 
| Mailman install got spammed hard, causing Mailman to send me notices. 

| Due to that Spamassassin was busy scanning those viruses, and my new 
| 2.43 install didn't get Razor to work as expected, the notices from 
| Mailman bounced.

Messages shouldn't bounce just because SA had problems contacting the
razor servers.  Regardless of the scanning, the message should have
been frozen instead.  In any case you'll get better performance if you
don't use razor.

| The funny thing with this install (which isn't mine, I can't fix it)
| is that it reacts to a bounce from an admin, with sending the admin
| another message complaining about the bounce... Which bounces, of
| course, so it sends another, and another...

That is a /really/ /really/ bad configuration.  Bounces can't bounce.
A bounce is sent with the NULL ("<>") envelope sender (as per RFC 821
and 2821) so that this sort of situation can't occur.  A bounce that
fails to be delivered successfully is frozen because it is
undeliverable and unbounceable.  You can drop the frozen bounces
manually, or have a timeout set to drop them after some period of time
(which is good, since the problem may be temporary DNS failure or
something).

| Half an hour later, syslog indicates that my machine ran out of
| memory, and when I came to work this morning, everything had pretty
| much stalled...

Yep.  Fortunately, the kernel won't die in an out-of-memory situation.
It just starts killing processes in an effort to kill the resource
hog.  However, you may not have a functional system if the wrong
processes are killed (eg 'init' -- I had that happen on a machine with
a really small amount of memory).

| Nevertheless, I really need Spamassassin working, because I'm used to 
| getting spammed hard.

Tips for performance tuning SA :
    1)  use the spamc/spamd combination -- it stresses the system a
        lot less

    2)  Limit SA to scan only a few messages concurrently.  Add '-m 5'
        to the command line options passed to spamd.

    3)  Don't scan really large messages, or scan just a subset of them
        (btw, the default for spamc is to not send messages larger
        than 250k to spamd; you can adjust this with the "-s" option
        or by conditions on the director in exim.conf)

| But obviously, I would rather have a virus scanner take care of
| those large MS-virus-attachments, so SA won't have to deal with
| those.

Naturally, but I would just use a version 4 ACL or the system filter
(I believe the system filter will be run before the director that runs
SA, the filter can "fail" (bounce) or "seen finish" (drop) the
message)

| I hope this could reduce the load somewhat in situations like
| this. (Or would it?)

It might, but it might not.  It depends on where the size falls in
relation to other thresholds (like the 250k threshold in spamc).

| I have already grabbed his SpamAssassin backport,

Version 2.43?  You shouldn't be running anything older than that.

| and Clamav and Amavis are both there,

I don't know how these are in terms of performance or load on the
system.  I have heard that Amavis can pass the message through SA.

| So, if anybody has done something like this, I would be very happy
| if you could help... :-)

Have you seen this :
    http://dman.ddts.net/~dman/config_docs/index_.html

Using a setup like that, adjust the "condition =" setting on the
spamcheck_director.  Use that to exclude mails submitted locally and
via localhost (you don't harbor spammers on your system, right?).  You
can also have the director skip the message if it is large or based on
the recipient.

The main trick, as you suspect, is to determine for which messages
scanning is useful and for which it is wasteful, then don't scan the
messages that don't need it.

HTH,
-D

-- 
How great is the love the Father has lavished on us,
that we should be called children of God!
        1 John 3:1
 
http://dman.ddts.net/~dman/
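
Added example, not part of the original message: a toy queue model of the bounce handling described above, showing why the null envelope sender stops mail loops and how list software that answers a bounce with a new notice defeats it. The addresses, the `run_queue` function and the step limit are constructed for illustration and are not Exim or Mailman code.

```python
from collections import deque

NULL_SENDER = "<>"  # envelope sender used for bounces (RFC 821 / 2821)

def run_queue(initial, undeliverable, list_addr=None,
              list_reacts_to_bounces=False, max_steps=40):
    """Toy MTA queue. Items are (envelope_sender, recipient, kind).

    Returns counts of bounces generated and messages frozen, plus
    'runaway' = True if mail was still circulating at the step limit.
    """
    queue = deque(initial)
    bounces = frozen = steps = 0
    while queue and steps < max_steps:
        steps += 1
        sender, rcpt, kind = queue.popleft()
        if rcpt in undeliverable:
            if sender == NULL_SENDER:
                frozen += 1          # undeliverable and unbounceable
            else:
                bounces += 1         # failure report goes to the envelope sender
                queue.append((NULL_SENDER, sender, "bounce"))
        elif (rcpt == list_addr and kind == "bounce"
              and list_reacts_to_bounces):
            # Misconfigured list software: answers a bounce with a fresh
            # notice to the same failing admin address, real sender set.
            queue.append((list_addr, ADMIN, "notice"))
    return {"bounces": bounces, "frozen": frozen, "runaway": bool(queue)}

# Constructed addresses, for illustration only.
ADMIN = "admin@example.org"
LIST = "list-bounces@example.net"
FORGED = "nobody@invalid.example"

def scenarios():
    down = {ADMIN}                   # admin's mailbox is rejecting mail
    notice = [(LIST, ADMIN, "notice")]
    return {
        "sane_list": run_queue(notice, down, LIST, False),
        "looping_list": run_queue(notice, down, LIST, True),
        "dead_bounce": run_queue([(FORGED, ADMIN, "spam")], down | {FORGED}),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, result)
```

In the `looping_list` case every bounce is itself sent correctly with the null sender; the loop comes from the list software generating a new message each time one arrives, which is why the queue is still non-empty at the step limit.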
