HOWTO: Upgrade layer1 MailScanner

[goodmove]

Originally posted by anand
With a PIV 2.4Ghz, 1GB Ram and 20-30k mails a day mailscanner kills the box.

That's when a dual-CPU box helps.

Do you use blocklists in Exim? If you don't use any, you may end up scanning thousands of spam emails for viruses.

[goodmove]

Originally posted by chirpy
I'm managing MailScanner on many servers and have never had a problem with high CPU usage despite high mail loads. It's generally a matter of configuring it correctly and making sure you use ClamAV appropriately.

I've had it running on 2 RaQ4's (350Mhz CPU's with 128MB RAM) with no problems.

But, as you say, if your server is somewhat overloaded to start with, you may well experience issues and there are , of course, other solutions. I do think, however, that you'll find it hard to beat MailScanner for its feature set and simple configurability and scalability.

Agreed about MS's config flexibility.

2 questions: What do you mean by using Clamav appropriately?

When using SA from inside MS, does the email still get filtered by SA if MS finds a virus in it? In what sequence do the 2 interact with each other?

[chirpy]

using Clamav appropriately

Just that you should have MailScanner configured to use clamavmodule (Mail::ClamAV) and not clamav which will cause high cpu.

I believe that it will still run SA on an email that contains a virus.

One other way to reduce load is to use SA through MailScanner and disable it in WHM. This is because the cPanel implementation of SA delivers the same email twice through exim and causes MailScanner to scan it twice.

[dory36]

Thanks for the info re ClamAV vs clamav - will have to see about adding the module.

Re running SA through WHM vs MS: The only reason I see to use the WHM version is that when MS runs SA, it ignores ~/.spamassassin/user_prefs so all users have to have the same settings (or we get stuck with customizing rules for the whole server to accommodate each user's whims).


Or am I missing something?

Bill

[chirpy]

You're quite right, that's it in a nutshell. MS+SA is centrally controlled. cPanel+SA is controlled by the user, but with MS there, MS will scan emails twice because of the way cPanel has integrated SA into exim.

[goodmove]

Originally posted by chirpy
Just that you should have MailScanner configured to use clamavmodule (Mail::ClamAV) and not clamav which will cause high cpu.

I believe that it will still run SA on an email that contains a virus.

One other way to reduce load is to use SA through MailScanner and disable it in WHM. This is because the cPanel implementation of SA delivers the same email twice through exim and causes MailScanner to scan it twice.

I've installed the clamav module last night and I noticed that, as you say, it reduces the CPU load.

I am just wondering if MS will still run SA on an email set to be discarded when a virus is found.

There is this section in MS config which grabbed my attention. Would than mean MS can make use of the user_prefs files in user directories?

Code:

# The per-user files (bayes, auto-whitelist, user_prefs) are looked   
# for here and in ~/.spamassassin/. Note the files are mutable.
# If this is unset then no extra places are searched for.
# If using Postfix, you probably want to set this as shown in the example
# line at the end of this comment, and do
#      mkdir /var/spool/MailScanner/spamassassin
#      chown postfix.postfix /var/spool/MailScanner/spamassassin
#SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin
SpamAssassin User State Dir =

[dory36]

This looks awfully promising -- I tested it by changing the last 2 lines to read:
SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin
#SpamAssassin User State Dir =

I also tried
#SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin
SpamAssassin User State Dir = ~/.spamassassin

but a test message from a user whitelisted in the ~/.spamassassin/user_prefs file did not get the score adjustment for a whitelisted user, so there is obviously something more than that.

Bill

[goodmove]

Originally posted by dory36
This looks awfully promising -- I tested it by changing the last 2 lines to read:
SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin
#SpamAssassin User State Dir =

I also tried
#SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin
SpamAssassin User State Dir = ~/.spamassassin

but a test message from a user whitelisted in the ~/.spamassassin/user_prefs file did not get the score adjustment for a whitelisted user, so there is obviously something more than that.

You are getting there.

Try adding a forward slash at the end of ~/.spamassassin like in the example in that paragraph. It maybe worth another try.

[dory36]

Good idea, but the slash didn't do anything either.

Sigh.

[chirpy]

I don't think that will ~/.spamassassin work, unfortunately. This is because MailScanner will be running under the mail:mailnull account name and not the actual user, so ~/ won't refer to the users login directory. This differs from exim which actually switches to that user when delivering mail and so /~ is valid.

I am just wondering if MS will still run SA on an email set to be discarded when a virus is found.

Oddly, it does still do that.

[goodmove]

That IS odd. Why on earth is Mailscanner trying to scan an email for spam if it's gonna be discarded anyway?

Does that happen if you tell MS not to quarantine the messages and to just simply scrap them?

[chirpy]

Haven't teste it, but I would hope not.

I may pop over to MailScanner and ask them if this is an option that should be included.

[chirpy]

OK, here's the answer and reasoning:

MailScanner performs spam scanning before virus scanning. If the spam action is anything other than deliver or forward (e.g. delete) then the mail is not scanned for viruses.

The reason that MailScanner does spam scanning before virus scanning is down to performance considerations. Virus scanning is much more resource intensive that spam scanning.

So, it makes sense to scan for spam first and then to determine whether virus scanning is necessary since the spam could be deleted and so no further action would be necessary.

If you're confident that high scoring spam is spam, then you can delete it and so avoid the overhead of virus scanning.

[goodmove]

Thanks. That makes good sense. The high score spam can now be safely deleted without the overhead of a virus scan.

That also means it would probably be better to run the email blocklists from SA instead of MS.

[cretu]

Hello,

I am having problem with installing MailScanner on one of the servers. I have followed this post step-by-step, however, when running MailScanner it shows up in "top" processes as:

PHP Code:

MailScanner <defunct> 


I have tailed the logs and this is what I get:

PHP Code:

May 27 19:23:13 orion MailScanner[23787]: MailScanner E-Mail Virus Scanner version 4.30.3 starting...
May 27 19:23:13 orion MailScanner[23787]: File containing list of incoming queue dirs (/var/spool/exim_incoming/input) does not exist 


And this is probably becasuse of the fact the file MailScanner.lock hasn't been written to /tmp folder.

Now, I have checked out /tmp and it isn't locked out and PHP session files are being written to it without any problem.

PLease advice.

Cretu