1

Topic: Disabling oubout Amavisd scanning

==== Required information ====
- iRedMail version: iRedAdmin-Pro-MySQL-1.6
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):
- Linux/BSD distribution name and version: CentOS 6.4
- Related log if you're reporting an issue:
====


The past 2 days we pushed out 30,000 plus emails  to clients which took a bit over 50+ hours to send.
A bit perturbed by sever lack of speed postfix was delivering mail we determined that the issue was that AMAVISD was processing all output emails. This of course is be design, however, it chews up entirely to much IO on the disks and slows delivery performance down severly.

Benchmark runs today with Amavisd disabled in /etc/postfix/main.cf:
#content_filter = smtp-amavis:[127.0.0.1]:10024

-- > The time to send 200 emails to the same destination address was 44 seconds.

With amavisd enabled and performing in its default configuration:
-- > The time to send 200 emails to the same destination address was 7min ~14sec

In an attempt to maintain INBOUND scanning but disable outbound scanning I followed the wiki
iredmail.org/wiki/index.php?title=IRedMail/FAQ/Disable.Spam.Virus.Scanning.for.Outgoing.Mails

Of which, for CentOS6, the amavisd.conf is not in /etc/amavisd.conf, but is now within it's own dir in /etc/amavisd/amavisd.conf

I've modified the section as follows, which appears to have mitigated some of the IO issues, however, to send 200 emails, will takes ~7minutes to complete.

The only conclusion I can come to is that Amavisd is still processing the outbound emails instead of skipping them.

*** Is there a concrete manner in which to determine if amavis d has stopped scanning outbound emails? ***

The only indication I can see so far in the logs are:
Full scanning shows this value: "Hits: 1.179"
With config below, logs show this value: "Hits: -"

Also, is  the following the proper way to reload the amavisd configs?
# /etc/init.d/amavisd restart

In a nutshell I need to get send performance up to speed while still maintaining inbound scans and stop outbound scanning.

/etc/amavisd/amavisd.conf
=========================

$policy_bank{'MYNETS'} = {   # mail originating from @mynetworks
  originating => 1,  # is true in MYNETS by default, but let's make it explicit
#  os_fingerprint_method => undef,  # don't query p0f for internal clients
#-  allow_disclaimers => 1, # enables disclaimer insertion if available

#---> PREVENT SCANNING OF OUTBOUND MESSAGES <---#
#################################################
    bypass_spam_checks_maps => [1],             #
    bypass_virus_checks_maps => [1],            #
    bypass_header_checks_maps => [1],           #
#################################################
};

$policy_bank{'ORIGINATING'} = {  # mail supposedly originating from our users
  originating => 1,  # declare that mail was submitted by our smtp client
#-  allow_disclaimers => 1,  # enables disclaimer insertion if available
  # notify administrator of locally originating malware
#-  virus_admin_maps => ["root\@$mydomain"],
#-  spam_admin_maps  => ["root\@$mydomain"],
#-  warnbadhsender   => 1,
  # forward to a smtpd service providing DKIM signing service
#-  forward_method => 'smtp:[127.0.0.1]:10027',
  # force MTA conversion to 7-bit (e.g. before DKIM signing)
#-  smtpd_discard_ehlo_keywords => ['8BITMIME'],
#-  bypass_banned_checks_maps => [1],  # allow sending any file names and types
#-  terminate_dsn_on_notify_success => 0,  # don't remove NOTIFY=SUCCESS option

#---> PREVENT SCANNING OF OUTBOUND MESSAGES <---#
#################################################
    bypass_spam_checks_maps => [1],             #
    bypass_virus_checks_maps => [1],            #
    bypass_header_checks_maps => [1],           #
#################################################

};

$policy_bank{'MYUSERS'} = {
    # declare that mail was submitted by our smtp client
    originating => 1,

    # enables disclaimer insertion if available
#-    allow_disclaimers => 1,

    # notify administrator of locally originating malware
#-    virus_admin_maps => ["root\@$mydomain"],
#-    spam_admin_maps  => ["root\@$mydomain"],
#-    warnbadhsender   => 0,

    # forward to a smtpd service providing DKIM signing service
    #forward_method => 'smtp:[127.0.0.1]:10027',

    # force MTA conversion to 7-bit (e.g. before DKIM signing)
#-    smtpd_discard_ehlo_keywords => ['8BITMIME'],

    # don't remove NOTIFY=SUCCESS option
#-    terminate_dsn_on_notify_success => 0,

    # don't perform spam/virus/header check.

#---> UNCOMMENTED TO PREVENT SCANNING OF OUTBOUND MESSAGES <---#
#################################################
    bypass_spam_checks_maps => [1],             #
    bypass_virus_checks_maps => [1],            #
    bypass_header_checks_maps => [1],           #
#################################################

    # allow sending any file names and types
    #bypass_banned_checks_maps => [1],
};

2

Re: Disabling oubout Amavisd scanning

My inquiry remains, however I've found there are issues in our disk subsystem.
After tweaking Amavisd to use 20 workers, with full scans the server  now spits out 166 emails a minute. A tmpfs ram drive is mounted to amavisd's $tempdir to buffer out some latency.

3

Re: Disabling oubout Amavisd scanning

If you send out email through port 587 (submission), you can disable content filter (spamassassin, clamav, DKIM, disclaimer) completely by modify 'submission' entry in /etc/postfix/master.cf like below:

submission inet n       -       n       -       -       smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o content_filter=

What it does is simply appending line '-o content_filter=', then Postfix won't invoke any content filter for clients who send out email through port 587.

WARNING: DKIM signing is provided by Amavisd, so above modification means your outgoing mails won't be signed with a DKIM key.

To speed up Amavisd, here's some tips:

*) use a tmpfs to speed up disk I/O (it uses memory directly instead of hard disk): http://www.arschkrebs.de/postfix/amavisd_tmpfs.shtml

*) Set '$max_servers' to the number of your CPUs. And it MUST be the same as the number defined in /etc/postfix/main.cf. For example:

# In amavisd.conf:
$max_servers = 8;

# In /etc/postfix/main.cf.
# NOTE: 'smtp-amavis' is the transport name defined in /etc/postfix/master.cf. We use
#       [TRANSPORT]_destination_recipient_limit instead of modifying /etc/postfix/master.cf.
smtp-amavis_destination_recipient_limit = 8

*) Bypass one more check in amavisd.conf (in $policy_bank):

bypass_virus_checks_maps => [1],
    bypass_spam_checks_maps => [1],
    bypass_banned_checks_maps => [1],
    bypass_header_checks_maps => [1],

*) Disable SNMP tracking if you don't use it at all. It's used by 'amavisd-nanny' and 'amavisd-agent'.

# In amavisd.conf
$enable_db = 0;

*) Retire an Amavisd child process after that many accepts. Default is 20, you can increase it on a busy server, for example, 40, or even lager.

# In amavisd.conf
$max_requests = 40;

Please do let us know whether it helps or not.