The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Clamav and spamd are filling my /tmp

Discussion in 'E-mail Discussions' started by anton_latvia, Nov 2, 2007.

  1. anton_latvia

    anton_latvia Well-Known Member
    PartnerNOC

    Joined:
    May 11, 2004
    Messages:
    348
    Likes Received:
    3
    Trophy Points:
    18
    Location:
    Latvia
    cPanel Access Level:
    Root Administrator
    On some servers we notice interesting folders in /tmp:
    drwx------ 3 root root 1024 Oct 28 17:42 spamd-17115-init/
    drwx------ 2 root root 1024 Nov 2 00:07 spamd-19979-init/
    drwx------ 3 root root 1024 Nov 2 09:46 spamd-23743-init/
    drwx------ 9 root root 1024 Nov 2 09:46 clamav-ccca92c8db70cb9f28e0a1b3127348a3/
    drwx------ 2 root root 1024 Nov 2 09:43 clamav-cd07653ac9e024e71a7b89924cccc4bb/
    drwx------ 5 root root 1024 Nov 2 09:46 clamav-d1d05b53fc85f9b4be766ec1d13d198a/

    They do take some space and from time to time grow pretty big. Is that normal? Is there any limit or configuration for these things?

    Anton.
     
  2. sehh

    sehh Well-Known Member

    Joined:
    Feb 11, 2006
    Messages:
    579
    Likes Received:
    5
    Trophy Points:
    18
    Location:
    Europe
    that happens when spamd/clamav crash and leave their temporary files behind.

    if you are on a VPS then you could be using too many resources and the VPS node is killing your processes.
     
  3. anton_latvia

    anton_latvia Well-Known Member
    PartnerNOC

    Joined:
    May 11, 2004
    Messages:
    348
    Likes Received:
    3
    Trophy Points:
    18
    Location:
    Latvia
    cPanel Access Level:
    Root Administrator
    No, that's a dedicated server. Too many resources... Any way to limit and make spamd more stable? Since upgrade we do have problems with crashed spamd all over the servers. I have already tried to reinstall exim, spamassassin and courier (just in case), but this did not help much.

    Anton.
     
  4. sehh

    sehh Well-Known Member

    Joined:
    Feb 11, 2006
    Messages:
    579
    Likes Received:
    5
    Trophy Points:
    18
    Location:
    Europe
    i can't say why SA is crashing but here it never crashes on any of our servers.

    are you using custom rules from SARE or your own? maybe your Perl version is too old?

    or you are getting too much spam and SA is overloaded.
     
  5. anton_latvia

    anton_latvia Well-Known Member
    PartnerNOC

    Joined:
    May 11, 2004
    Messages:
    348
    Likes Received:
    3
    Trophy Points:
    18
    Location:
    Latvia
    cPanel Access Level:
    Root Administrator
    No, we don't use SARE rules, but I am thinking of using them. Perl is fine, I reinstalled it several times as well, but about too much spam emails - that could be true - we are hosting approx. 1000-1500 clients on each server. So if too many emails are coming in - which processes should be added - spamd-children?

    anton.
     
  6. sehh

    sehh Well-Known Member

    Joined:
    Feb 11, 2006
    Messages:
    579
    Likes Received:
    5
    Trophy Points:
    18
    Location:
    Europe
    SARE are great rules, only problem is that they raise memory usage in SA, so if you had memory limits (like on a VPS) then you'd have a problem.

    Yes, raise the max-children in order to process more emails concurrently, but at the same time you should limit the number of incoming emails in the queue (stop the MTA from passing them to SA).
     
  7. anton_latvia

    anton_latvia Well-Known Member
    PartnerNOC

    Joined:
    May 11, 2004
    Messages:
    348
    Likes Received:
    3
    Trophy Points:
    18
    Location:
    Latvia
    cPanel Access Level:
    Root Administrator
    hm... Did not really get your idea. The only way I can limit - is to set limit for smtp connections. And if I set it too low - customers start to complain, that they can not send emails through us. Here are my exim's settings:

    ignore_bounce_errors_after = 45m
    auto_thaw = 4h
    timeout_frozen_after = 3d
    smtp_enforce_sync = true

    queue_only_load = 4
    deliver_queue_load_max = 10

    smtp_load_reserve = 7
    smtp_accept_max=100
    smtp_accept_max_per_host = 5
    smtp_receive_timeout=1m

    remote_max_parallel = 5
    queue_run_max = 25
    log_selector = +all

    I also have the following setting enabled:
    Reject mail at SMTP time if the spam score from spamassassin is greater than 15.0.

    Maximum Children for spamd is set to "10". For some reason some spamd processes hangs with 100% cpu load as well..

    So as far as I understand, SA will check the incoming mail before adding it to the queue for delivery. Am I missing or mixing something wrong?

    Anton
     
    #7 anton_latvia, Nov 5, 2007
    Last edited: Nov 5, 2007
  8. sehh

    sehh Well-Known Member

    Joined:
    Feb 11, 2006
    Messages:
    579
    Likes Received:
    5
    Trophy Points:
    18
    Location:
    Europe
    I have a lot more strict rules than you. For example, i only allow 2-5 max spamd children per server, anything more and it causes problems.

    Also, my SMTP limits are half of what you got, for example:
    smtp_connect_backlog = 25
    smtp_accept_max = 50

    The idea is to limit connections so that a remote smtp will re-try to send an email after a while, this also prevents lots of spam (because custom spam software don't retry). Of course you shouldn't over do it because clients won't be able to send emails.

    Since your SA is dying every now and then, it means you have to:

    1) limit SA children, try 5 and raise it by 1 each time if you get this error:
    prefork: server reached --max-children setting, consider raising it

    2) limit SMTP connections, something like 50 and see if you have complaints from people that they can't send emails. Its also possible to raise the smtp_connect_backlog so that connections aren't lost. Thus, the MTA won't hammer your SA that badly.

    3) block incoming connections at the MTA level by enabling the cPanel option to block incoming IP addresses listed in SpamCop and Zen. That should cut spam before they are given to SA, so you won't hammer your SA with extra spam that would have been blocked anyway.

    i hope this helps.
     
Loading...

Share This Page