
I currently have an ISPConfig3 cluster running on different VPSes for my company. ISPConfig3 is very nice: within the same interface I can handle the websites, databases, accounts and mail. My cluster runs perfectly; however, when I start getting a lot of hits, because of visitors to my webpages or because of SPAM, the daemons start forking and, as a consequence, the operating system swaps and everything slows down.

I was then looking for a solution that doesn't involve adding more resources to the servers. After analyzing how ISPConfig 3 deploys the daemons on my Linux CentOS 7, I figured out that taking out amavisd, clamd and postgrey would help a lot.

Why these two daemons? Well, there are two big reasons. The first one is that email anti-spam and the greylist filtering service are common tasks; there is no need to have multiple daemons doing the same thing. The second and most important is that they are written in perl and, according to my readings, perl has a huge footprint. I don't have the document, but I remember I read somewhere that each perl process uses 16 MB of RAM. So, by moving out these two daemons, I will potentially free at least 64 MB on each server. I am not sure how much RAM clamd uses.

So, I will describe what I have done.

Configuring the External Amavis, Clamd and Postgrey Daemons

As the image shows, this is my architecture.

[Image: external amavisd postgrey]

Install amavisd, clamav and postgrey from the RPMs that CentOS provides. Those are really good and enough. Clamav doesn't need any configuration; it is called by amavisd.

Configuring Amavisd

Copy /etc/amavisd/amavisd.conf from an ISPConfig3 server and then, on the new server, make the following modifications:

  • $max_servers = 5; # or any other number you consider is better
  • $mydomain = 'YOUR_FQDN'; # this helps to trace correctly in the MIME headers
  • $inet_socket_bind = undef;
  • @inet_acl = qw( 127/8 10/8 172.16/12 192.168/16 );
  • in the $policy_bank{'ORIGINATING'} section, modify forward_method => 'smtp:[127.0.0.1]:10027',
  • comment out #$notify_method  = 'smtp:*:*';
  • $forward_method = 'smtp:*:*';
  • make sure the @lookup_sql_dsn has the right access to the database.
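
With $inet_socket_bind = undef, the @inet_acl above is what decides who may talk to amavisd, and as written it admits every RFC 1918 address. The sketch below is an added example, not code from the original post or from amavisd; it evaluates an ACL of this shape against sample clients and compares it with a tighter list. The hosts 192.168.7.10 and 192.168.7.11 are hypothetical ISPConfig3 mail servers, and the short-form expansion and first-match rule are assumptions about how amavisd reads these entries.

```python
import ipaddress

# The ACL from the list above, and a tighter constructed alternative that
# names only the mail servers (192.168.7.10 and .11 are hypothetical hosts).
PAGE_ACL = "127/8 10/8 172.16/12 192.168/16".split()
TIGHT_ACL = "127/8 192.168.7.10 192.168.7.11".split()

def to_network(entry):
    """Expand the short form ('10/8', '172.16/12') to an ip_network.
    Assumption: omitted trailing IPv4 octets are zero; an entry without a
    prefix is treated here as a single host address."""
    addr, _, prefix = entry.partition("/")
    addr = addr.strip("[]")
    if ":" not in addr:                      # IPv4: pad to four octets
        octets = addr.split(".")
        addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(addr + ("/" + prefix if prefix else ""),
                                strict=False)

def acl_permits(acl, client):
    """Assumed semantics: the first matching entry decides, a leading '!'
    denies, and a client that matches nothing is denied."""
    ip = ipaddress.ip_address(client)
    for entry in acl:
        deny = entry.startswith("!")
        net = to_network(entry.lstrip("!"))
        if ip.version == net.version and ip in net:
            return not deny
    return False

def admitted(acl, clients):
    """Return the clients from the list that the ACL lets through."""
    return [c for c in clients if acl_permits(acl, c)]

if __name__ == "__main__":
    # Constructed client list: a mail server, an unrelated private host,
    # a public address (documentation range) and loopback.
    clients = ["192.168.7.10", "10.20.30.40", "203.0.113.5", "127.0.0.1"]
    print("page ACL admits: ", admitted(PAGE_ACL, clients))
    print("tight ACL admits:", admitted(TIGHT_ACL, clients))
```
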

 

Files:

This patch will help you to figure out how to move your Amavisd daemon out of your ISPConfig3 server

Date  2019-05-26
System   Linux
File Size  3 kB

Configuring a Local Postfix

In the Amavisd server, you will need to have this in your /etc/postfix/master.cf

127.0.0.1:10027 inet n - n - - smtpd
       -o content_filter=
       -o local_recipient_maps=
       -o relay_recipient_maps=
       -o smtpd_restriction_classes=
       -o smtpd_client_restrictions=
       -o smtpd_helo_restrictions=
       -o smtpd_sender_restrictions=
       -o smtpd_recipient_restrictions=permit_mynetworks,reject
       -o mynetworks=127.0.0.0/8
       -o strict_rfc821_envelopes=yes
       -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
       -o smtp_send_xforward_command=yes
       -o milter_default_action=accept
       -o milter_macro_daemon_name=ORIGINATING
       -o disable_dns_lookups=yes

For security reasons, you may want to disable the port 25/tcp in the master.cf file as well.

Configuring Postgrey

This is quite easy:

  • Edit /etc/sysconfig/postgrey and put something like: POSTGREY_OPTS="--delay=60 -i 192.168.7.17:10023"

Configuring your Postfix in your ISPConfig3

Before turning off the local amavisd and postgrey, we need to tell Postfix to point to the external server. So, I did the following:

  • edit /etc/postfix/master.cf and look for the service definition 127.0.0.1:10025, then change it to 10025. This makes it listen on all interfaces; you may later need to add a firewall rule, or you can clone the service so that it listens only on a specific interface, depending on your infrastructure. In that same definition, make sure the mynetworks parameter has the correct value.
  • edit the /etc/postfix/main.cf file and look for the following lines: greylisting and content_filter, put values like: greylisting = check_policy_service inet:192.168.7.17:10023 and content_filter = amavis:[192.168.7.17]:10024
  • edit the file /etc/postfix/tag_as_foreign.re and put only this line /^/ FILTER amavis:[192.168.7.17]:10024
  • edit the file /etc/postfix/tag_as_originating.re and put only this line /^/ FILTER amavis:[192.168.7.17]:10026

Restart your Postfix. You can now disable clamd (clamav), postgrey and amavisd.
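
One way to check the re-injection listener after this change (an added example, not part of the original post or of ISPConfig3): the script parses master.cf, finds smtpd services that bypass the content filter, and reports those reachable beyond loopback or trusting more than single hosts. The sample master.cf is constructed, and parse_master_cf and audit_reinjection are hypothetical helper names.

```python
import ipaddress

# Constructed sample of an ISPConfig3-side master.cf after the edit above.
SAMPLE_MASTER_CF = """\
smtp inet n - n - - smtpd
10025 inet n - n - - smtpd
    -o content_filter=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8,192.168.7.17
127.0.0.1:10027 inet n - n - - smtpd
    -o content_filter=
    -o mynetworks=127.0.0.0/8
"""

def parse_master_cf(text):
    """Join continuation lines, then return (service, type, {-o overrides})."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()   # indented line continues entry
        else:
            logical.append(raw.strip())
    entries = []
    for fields in (line.split() for line in logical):
        if len(fields) < 8:
            continue
        args = fields[8:]
        opts = dict(v.split("=", 1) for f, v in zip(args, args[1:])
                    if f == "-o" and "=" in v)
        entries.append((fields[0], fields[1], opts))
    return entries

def audit_reinjection(text):
    """Flag filter-bypass listeners (content_filter= empty) that are exposed."""
    findings = []
    for service, stype, opts in parse_master_cf(text):
        if stype != "inet" or opts.get("content_filter") != "":
            continue
        host = service.rsplit(":", 1)[0].strip("[]") if ":" in service else ""
        if host in ("127.0.0.1", "::1", "localhost"):
            continue                           # loopback-only listener
        findings.append((service, "listens beyond loopback: firewall it"))
        if "mynetworks" not in opts:
            findings.append((service, "no mynetworks override"))
        for item in filter(None, opts.get("mynetworks", "").split(",")):
            try:
                cleaned = item.replace("[", "").replace("]", "")
                net = ipaddress.ip_network(cleaned, strict=False)
            except ValueError:
                findings.append((service, "unparsed mynetworks entry " + item))
                continue
            if not net.is_loopback and net.num_addresses > 1:
                findings.append((service, "broad mynetworks entry " + item))
    return findings
```

Run it against the real file with audit_reinjection(open("/etc/postfix/master.cf").read()); an empty list means every filter-bypass listener is bound to loopback.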

SPF DNS Changes

Your SPF records should reflect the IP of your Amavisd server.

Things to Do

DKIM will not work unless you copy manually the files or write a custom script. Some notes:

  • Amavisd signs
  • DKIM keys are placed in /var/lib/amavis/dkim/
  • The file /etc/amavisd/60-dkim adds a line each time you tell ISPConfig3 to enable DKIM

The idea is to copy the keys and concatenate all the files, but this is not always easy if you have more than two servers. I will write about this when I figure it out.

Good luck!
