1

Topic: Clamd high CPU usage

============ Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.2
- Linux/BSD distribution name and version: Centos 7 (1 CPU, 1GB RAM)
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Apache 2.4.6
- Manage mail accounts with iRedAdmin-Pro? No
- Related log if you're reporting an issue:
====

Hi, thank you for iRedMail! It is working great! I followed the installation notes and did exactly what was told and it worked in 5 minutes!

My problem: I woke up today with the Linode notification that CPU usage is more than 100% on my mail server.

I took a look and found out the following:
1- in top results: clamd with amavis user is eating the CPU, 99%.
2- in /var/log/messages: many repeated messages for killing and restarting clamd:

Sep  7 13:17:46 mx kernel: mysqld invoked oom-killer: gfp_mask=0x201da, order=0, oom_score_adj=0
Sep  7 13:17:46 mx kernel: mysqld cpuset=/ mems_allowed=0
Sep  7 13:17:46 mx kernel: CPU: 0 PID: 3742 Comm: mysqld Not tainted 4.1.5-x86_64-linode61 #7
Sep  7 13:17:46 mx kernel: Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.1-0-g4adadbd-20150316_085822-nilsson.home.kraxel.org 04/01/2014
Sep  7 13:17:46 mx kernel: 0000000000000000 0000000000000000 ffffffff8199ad1d ffff88003c6cf380
Sep  7 13:17:46 mx kernel: ffffffff819957d8 ffffffff81139cad ffff88003e031000 ffff88003e031000
Sep  7 13:17:46 mx kernel: ffffffff811b5a83 ffff880029a9ba08 01ff880029a9ba08 0000000000000000
Sep  7 13:17:46 mx kernel: Call Trace:
Sep  7 13:17:46 mx kernel: [<ffffffff8199ad1d>] ? dump_stack+0x40/0x50
Sep  7 13:17:46 mx kernel: [<ffffffff819957d8>] ? dump_header+0x7b/0x1fe
Sep  7 13:17:46 mx kernel: [<ffffffff81139cad>] ? css_next_descendant_pre+0x1c/0x34
Sep  7 13:17:46 mx kernel: [<ffffffff811b5a83>] ? mem_cgroup_iter+0x117/0x319
Sep  7 13:17:46 mx kernel: [<ffffffff811b8f06>] ? vmpressure+0x1e/0x78
Sep  7 13:17:46 mx kernel: [<ffffffff811793d2>] ? oom_kill_process+0xc5/0x387
Sep  7 13:17:46 mx kernel: [<ffffffff81178fba>] ? find_lock_task_mm+0x2c/0x7b
Sep  7 13:17:46 mx kernel: [<ffffffff810dfded>] ? has_ns_capability_noaudit+0x13/0x1b
Sep  7 13:17:46 mx kernel: [<ffffffff81179b19>] ? __out_of_memory+0x433/0x473
Sep  7 13:17:46 mx kernel: [<ffffffff81179c9a>] ? out_of_memory+0x52/0x67
Sep  7 13:17:46 mx kernel: [<ffffffff8117ddf5>] ? __alloc_pages_nodemask+0x724/0x862
Sep  7 13:17:46 mx kernel: [<ffffffff811ac081>] ? alloc_pages_current+0xb2/0xcf
Sep  7 13:17:46 mx kernel: [<ffffffff811784ba>] ? filemap_fault+0x280/0x3b4
Sep  7 13:17:46 mx kernel: [<ffffffff81196b29>] ? __do_fault+0x3f/0x79
Sep  7 13:17:46 mx kernel: [<ffffffff8119a5e5>] ? handle_mm_fault+0x3c3/0xf18
Sep  7 13:17:46 mx kernel: [<ffffffff8111c67d>] ? hrtimer_try_to_cancel+0xa0/0xab
Sep  7 13:17:46 mx kernel: [<ffffffff8114781c>] ? __audit_syscall_exit+0x208/0x224
Sep  7 13:17:46 mx kernel: [<ffffffff8104522c>] ? __do_page_fault+0x320/0x37b
Sep  7 13:17:46 mx kernel: [<ffffffff819a3808>] ? async_page_fault+0x28/0x30
Sep  7 13:17:46 mx kernel: Mem-Info:
Sep  7 13:17:46 mx kernel: active_anon:221029 inactive_anon:1945 isolated_anon:0
 active_file:45 inactive_file:45 isolated_file:0
 unevictable:0 dirty:0 writeback:0 unstable:0
 slab_reclaimable:2996 slab_unreclaimable:5528
 mapped:632 shmem:2007 pagetables:6387 bounce:0
 free:1952 free_pcp:38 free_cma:0
Sep  7 13:17:46 mx kernel: Node 0 DMA free:3944kB min:60kB low:72kB high:88kB active_anon:8976kB inactive_anon:188kB active_file:0kB inactive_file:0kB unevictable:0kB isol$
Sep  7 13:17:46 mx kernel: lowmem_reserve[]: 0 972 972 972
Sep  7 13:17:46 mx kernel: Node 0 DMA32 free:3864kB min:3956kB low:4944kB high:5932kB active_anon:875140kB inactive_anon:7592kB active_file:180kB inactive_file:180kB unevi$
Sep  7 13:17:46 mx kernel: lowmem_reserve[]: 0 0 0 0
Sep  7 13:17:46 mx systemd: clamd@amavisd.service: main process exited, code=killed, status=9/KILL
Sep  7 13:17:46 mx systemd: Unit clamd@amavisd.service entered failed state.
Sep  7 13:17:46 mx kernel: Node 0 DMA: 2*4kB (MR) 1*8kB (R) 0*16kB 1*32kB (R) 1*64kB (R) 0*128kB 1*256kB (R) 1*512kB (R) 1*1024kB (R) 1*2048kB (R) 0*4096kB = 3952kB
Sep  7 13:17:46 mx kernel: Node 0 DMA32: 4*4kB (ER) 1*8kB (R) 0*16kB 0*32kB 2*64kB (R) 1*128kB (R) 0*256kB 1*512kB (R) 1*1024kB (R) 1*2048kB (R) 0*4096kB = 3864kB
Sep  7 13:17:46 mx kernel: 2101 total pagecache pages
Sep  7 13:17:46 mx kernel: 0 pages in swap cache
Sep  7 13:17:46 mx kernel: Swap cache stats: add 0, delete 0, find 0/0
Sep  7 13:17:46 mx kernel: Free swap  = 0kB
Sep  7 13:17:46 mx kernel: Total swap = 0kB
Sep  7 13:17:46 mx kernel: 262014 pages RAM
Sep  7 13:17:46 mx kernel: 0 pages HighMem/MovableOnly
Sep  7 13:17:46 mx kernel: 8261 pages reserved
Sep  7 13:17:46 mx kernel: [ pid ]   uid  tgid total_vm      rss nr_ptes nr_pmds swapents oom_score_adj name
Sep  7 13:17:46 mx kernel: [ 1784]     0  1784    29970      683      30       3        0             0 systemd-journal
Sep  7 13:17:46 mx kernel: [ 1801]     0  1801    10256      134      25       3        0         -1000 systemd-udevd
Sep  7 13:17:46 mx kernel: [ 2699]     0  2699    12795      117      26       3        0         -1000 auditd
Sep  7 13:17:46 mx kernel: [ 2729]     0  2729    82403     4253      81       3        0             0 firewalld
Sep  7 13:17:46 mx kernel: [ 2730]    70  2730     7021       89      19       3        0             0 avahi-daemon
Sep  7 13:17:46 mx kernel: [ 2738]   998  2738     6701       70      18       3        0             0 chronyd
Sep  7 13:17:46 mx kernel: [ 2742]    70  2742     6988       57      17       3        0             0 avahi-daemon
Sep  7 13:17:46 mx kernel: [ 2744]     0  2744    67928      260      36       3        0             0 rsyslogd
Sep  7 13:17:46 mx kernel: [ 2745]     0  2745   137540     2618      86       3        0             0 tuned
Sep  7 13:17:46 mx kernel: [ 2746]    81  2746     6675      142      18       3        0          -900 dbus-daemon
Sep  7 13:17:46 mx kernel: [ 2747]     0  2747     8673       79      23       3        0             0 systemd-logind
Sep  7 13:17:46 mx kernel: [ 2749]     0  2749    31577      155      18       3        0             0 crond
Sep  7 13:17:46 mx kernel: [ 2759]     0  2759    27503       34      10       3        0             0 agetty
Sep  7 13:17:46 mx kernel: [ 2760]     0  2760    27503       31      10       3        0             0 agetty
Sep  7 13:17:46 mx kernel: [ 2806]     0  2806   111656      450      67       4        0             0 NetworkManager
Sep  7 13:17:46 mx kernel: [ 2845]   999  2845   128597      880      51       3        0             0 polkitd
Sep  7 13:17:46 mx kernel: [ 3394]     0  3394    20629      214      44       3        0         -1000 sshd
Sep  7 13:17:46 mx kernel: [ 3395]     0  3395   139460     1838     207       3        0             0 httpd
Sep  7 13:17:46 mx kernel: [ 3438]    27  3438    28838       78      13       3        0             0 mysqld_safe
Sep  7 13:17:46 mx kernel: [ 3557]  2001  3557   219948     5830     258       3        0             0 httpd
Sep  7 13:17:46 mx kernel: [ 3564]    48  3564   140676     2411     208       3        0             0 httpd
Sep  7 13:17:46 mx kernel: [ 3565]    48  3565   140735     2501     209       3        0             0 httpd
Sep  7 13:17:46 mx kernel: [ 3576]     0  3576   205582     2038      76       3        0             0 fail2ban-server
Sep  7 13:17:46 mx kernel: [ 3619]     0  3619    54885     5349      61       4        0             0 linode-longview
Sep  7 13:17:46 mx kernel: [ 3726]    27  3726   311097    20845     110       4        0             0 mysqld
Sep  7 13:17:46 mx kernel: [ 3762]  2002  3762    75577     3216      67       3        0             0 python
Sep  7 13:17:46 mx kernel: [ 3833]     0  3833    23935      271      45       4        0             0 master
Sep  7 13:17:46 mx kernel: [ 3838]    89  3838    24010      275      49       3        0             0 qmgr
Sep  7 13:17:46 mx kernel: [ 3869]  2003  3869    78171     5162      71       4        0             0 cbpolicyd
Sep  7 13:17:46 mx kernel: [ 3870]  2003  3870    78171     5177      71       4        0             0 cbpolicyd
Sep  7 13:17:46 mx kernel: [ 3878]   995  3878    94379    25692     130       3        0             0 /usr/sbin/amavi
Sep  7 13:17:46 mx kernel: [ 3928]   995  3928   118796    31251     146       3        0             0 /usr/sbin/amavi
Sep  7 13:17:46 mx kernel: [ 3929]   995  3929   113278    25781     133       3        0             0 /usr/sbin/amavi
Sep  7 13:17:46 mx kernel: [ 3930]   995  3930   113625    26100     135       3        0             0 /usr/sbin/amavi
Sep  7 13:17:46 mx kernel: [ 3931]   995  3931    94767    25693     128       3        0             0 /usr/sbin/amavi
Sep  7 13:17:46 mx kernel: [ 3933]     0  3933     3907       76      13       3        0             0 dovecot
Sep  7 13:17:46 mx kernel: [ 3939]  2000  3939     3659       40      12       3        0             0 lmtp
Sep  7 13:17:46 mx kernel: [ 3940]    97  3940     2330       37      10       3        0             0 anvil
Sep  7 13:17:46 mx kernel: [ 3941]     0  3941     2362       81      11       3        0             0 log
Sep  7 13:17:46 mx kernel: [ 3943]  2000  3943     3659       40      13       3        0             0 lmtp
Sep  7 13:17:46 mx kernel: [ 3944]  2000  3944     3659       40      11       3        0             0 lmtp
Sep  7 13:17:46 mx kernel: [ 3945]  2000  3945     3659       41      13       4        0             0 lmtp
Sep  7 13:17:46 mx kernel: [ 3946]  2000  3946     3659       41      14       3        0             0 lmtp
Sep  7 13:17:46 mx kernel: [ 3947]     0  3947     4206      333      14       3        0             0 config
Sep  7 13:17:46 mx kernel: [ 3949]     0  3949    34446      309      71       3        0             0 sshd
Sep  7 13:17:46 mx kernel: [ 3951]  2004  3951    34484      316      68       3        0             0 sshd
Sep  7 13:17:46 mx kernel: [ 3952]  2004  3952    28840       74      14       3        0             0 bash
Sep  7 13:17:46 mx kernel: [ 3975]     0  3975    47851      214      51       3        0             0 sudo
Sep  7 13:17:46 mx kernel: [ 3976]     0  3976    45016      132      45       3        0             0 su
Sep  7 13:17:46 mx kernel: [ 3977]     0  3977    28840      104      13       3        0             0 bash
Sep  7 13:17:46 mx kernel: [ 4014]    48  4014   167223     3291     216       3        0             0 httpd
Sep  7 13:17:46 mx kernel: [ 4036]    48  4036   140042     2449     206       3        0             0 httpd
Sep  7 13:17:46 mx kernel: [ 4046]    48  4046   167218     3156     214       3        0             0 httpd
Sep  7 13:17:46 mx kernel: [ 4051]    48  4051   140732     2449     208       3        0             0 httpd
Sep  7 13:17:46 mx kernel: [ 4055]    48  4055   140730     2497     209       3        0             0 httpd
Sep  7 13:17:46 mx kernel: [ 4058]    48  4058   140038     2402     206       3        0             0 httpd
Sep  7 13:17:46 mx kernel: [ 4060]    48  4060   140734     2499     209       3        0             0 httpd
Sep  7 13:17:46 mx kernel: [ 4148]    48  4148   140003     2380     206       3        0             0 httpd
Sep  7 13:17:46 mx kernel: [ 4228]     0  4228    42091      213      38       3        0             0 crond
Sep  7 13:17:46 mx kernel: [ 4229]     0  4229    28281       38      12       3        0             0 freshclam-sleep
Sep  7 13:17:46 mx kernel: [ 4234]     0  4234    26975       18      10       3        0             0 sleep
Sep  7 13:17:46 mx kernel: [ 4794]    89  4794    23965      265      48       3        0             0 tlsmgr
Sep  7 13:17:46 mx kernel: [ 4938]   996  4938    11323      186      25       3        0             0 imap-login
Sep  7 13:17:46 mx kernel: [ 4944]  2000  4944     5942      227      19       3        0             0 imap
Sep  7 13:17:46 mx kernel: [ 4945]   996  4945    11323      185      27       3        0             0 imap-login
Sep  7 13:17:46 mx kernel: [ 4946]  2000  4946     5948      170      16       3        0             0 imap
Sep  7 13:17:46 mx kernel: [ 4949]   996  4949    11323      185      25       3        0             0 imap-login
Sep  7 13:17:46 mx kernel: [ 4950]  2000  4950     5937      206      17       3        0             0 imap
Sep  7 13:17:46 mx kernel: [ 4951]   996  4951    11323      186      28       3        0             0 imap-login
Sep  7 13:17:46 mx kernel: [ 4952]  2000  4952     5875      111      16       3        0             0 imap
Sep  7 13:17:46 mx kernel: [ 5072]    89  5072    23963      263      47       3        0             0 pickup
Sep  7 13:17:46 mx kernel: [ 5087]   995  5087   136326    77517     199       3        0             0 clamd
Sep  7 13:17:46 mx kernel: [ 5120]    89  5120    25174      362      48       3        0             0 smtpd
Sep  7 13:17:46 mx kernel: [ 5121]    89  5121    42517      359      50       3        0             0 proxymap
Sep  7 13:17:46 mx kernel: [ 5122]    89  5122    23960      265      47       4        0             0 anvil
Sep  7 13:17:54 mx kernel: [ 5127]    89  5127    23965      264      49       3        0             0 trivial-rewrite
Sep  7 13:17:54 mx kernel: [ 5134]  2003  5134    78171     5138      71       4        0             0 cbpolicyd
Sep  7 13:17:54 mx kernel: [ 5135]    89  5135    23999      268      48       4        0             0 cleanup
Sep  7 13:17:54 mx kernel: [ 5142]    89  5142    24090      305      50       3        0             0 smtp
Sep  7 13:17:54 mx kernel: [ 5149]    97  5149    43247      265      54       3        0             0 dict
Sep  7 13:17:54 mx kernel: [ 5150]    89  5150    24070      287      48       3        0             0 smtpd
Sep  7 13:17:54 mx kernel: [ 5153]    89  5153    24658      360      50       3        0             0 smtpd
Sep  7 13:17:54 mx kernel: [ 5154]  2003  5154    78171     5138      71       4        0             0 cbpolicyd
Sep  7 13:17:54 mx kernel: [ 5159]     0  5159    23975      267      47       4        0             0 pipe
Sep  7 13:17:54 mx kernel: [ 5164]     0  5164   235757    12311     156       4        0             0 yum
Sep  7 13:17:54 mx kernel: [ 5236]   995  5236    98160    76230     192       3        0             0 clamd
Sep  7 13:17:54 mx kernel: Out of memory: Kill process 5236 (clamd) score 301 or sacrifice child
Sep  7 13:17:54 mx kernel: Killed process 5236 (clamd) total-vm:392640kB, anon-rss:304920kB, file-rss:0kB
Sep  7 13:17:55 mx systemd: clamd@amavisd.service holdoff time over, scheduling restart.
Sep  7 13:17:55 mx systemd: Stopping clamd scanner (amavisd) daemon...
Sep  7 13:17:55 mx systemd: Starting clamd scanner (amavisd) daemon...
Sep  7 13:17:55 mx systemd: Started clamd scanner (amavisd) daemon.

I posted the log for 13:17, but this same logging is repeating all the time; the messages file is filled with these repeating messages.

I am very new to iRedMail, and also to mail server maintenance. If more information is needed to give any answer to my problem, I'll be happy to add it.

Thank you very much, even for reading.

Suat
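
An added example, not part of the original post: a small Python parser for the kind of /var/log/messages output shown above. It reports which process the OOM killer chose, which processes held the most resident memory, and whether systemd is restarting the victim in a loop. The sample lines are copied from the post except the second kill cycle, which is constructed; the 4 KiB page size and the loop threshold are assumptions.

```python
import re
from collections import Counter, defaultdict

PAGE_KB = 4  # assumption: 4 KiB pages (x86_64); the task dump reports rss in pages

# Lines copied from the log in the post above, trimmed to the ones the parser uses.
PAGE_LINES = """\
Sep  7 13:17:46 mx kernel: mysqld invoked oom-killer: gfp_mask=0x201da, order=0, oom_score_adj=0
Sep  7 13:17:46 mx kernel: Total swap = 0kB
Sep  7 13:17:46 mx kernel: [ pid ]   uid  tgid total_vm      rss nr_ptes nr_pmds swapents oom_score_adj name
Sep  7 13:17:46 mx kernel: [ 3726]    27  3726   311097    20845     110       4        0             0 mysqld
Sep  7 13:17:46 mx kernel: [ 3928]   995  3928   118796    31251     146       3        0             0 /usr/sbin/amavi
Sep  7 13:17:54 mx kernel: [ 5236]   995  5236    98160    76230     192       3        0             0 clamd
Sep  7 13:17:54 mx kernel: Out of memory: Kill process 5236 (clamd) score 301 or sacrifice child
Sep  7 13:17:54 mx kernel: Killed process 5236 (clamd) total-vm:392640kB, anon-rss:304920kB, file-rss:0kB
Sep  7 13:17:55 mx systemd: clamd@amavisd.service holdoff time over, scheduling restart.
"""
# Constructed: a second cycle, standing in for the repeats the post describes.
CONSTRUCTED_REPEAT = """\
Sep  7 13:18:03 mx kernel: Killed process 5301 (clamd) total-vm:392640kB, anon-rss:304920kB, file-rss:0kB
Sep  7 13:18:04 mx systemd: clamd@amavisd.service holdoff time over, scheduling restart.
"""

HEADER = re.compile(r"kernel: \[ pid \]\s+(.*\bname)\s*$")
TASK = re.compile(r"kernel: \[\s*(\d+)\]\s+(.*)$")
KILLED = re.compile(r"(\w{3}\s+\d+ [\d:]{8}) \S+ kernel: Killed process (\d+) "
                    r"\((.+?)\).*?anon-rss:(\d+)kB")
SWAP = re.compile(r"kernel: Total swap = (\d+)kB")
RESTART = re.compile(r"systemd: (\S+\.service) holdoff time over, scheduling restart")


def analyze(text):
    """Extract OOM kills, the latest per-process RSS snapshot, swap size and restarts."""
    cols, rss_kb = None, defaultdict(int)
    kills, restarts, swap_kb = [], Counter(), None
    for line in text.splitlines():
        if m := HEADER.search(line):
            # Column names come from the header, so other kernel layouts still parse.
            cols = m.group(1).split()
            rss_kb.clear()  # a new dump begins: keep only the most recent snapshot
        elif cols and (m := TASK.search(line)):
            fields = m.group(2).split(None, len(cols) - 1)
            if len(fields) == len(cols):
                row = dict(zip(cols, fields))
                rss_kb[row["name"].strip()] += int(row["rss"]) * PAGE_KB
        elif m := KILLED.match(line):
            kills.append((m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
        elif m := SWAP.search(line):
            swap_kb = int(m.group(1))
        elif m := RESTART.search(line):
            restarts[m.group(1)] += 1
    top = sorted(rss_kb.items(), key=lambda kv: -kv[1])
    return {"kills": kills, "restarts": restarts, "swap_kb": swap_kb, "top_rss": top}


def verdict(result, loop_threshold=2):
    """Turn the parsed facts into short findings (threshold is an assumption)."""
    notes = []
    if result["swap_kb"] == 0:
        notes.append("no swap: the kernel can only free memory by killing a process")
    killed = Counter(name for _, _, name, _ in result["kills"])
    for unit, n in result["restarts"].items():
        # Match a systemd unit to a killed process by name prefix (clamd@... -> clamd).
        victim = next((k for k in killed if unit.startswith(k)), None)
        if victim and n >= loop_threshold:
            notes.append(f"{unit}: OOM-kill/restart loop "
                         f"({killed[victim]} kills, {n} restarts)")
    return notes


if __name__ == "__main__":
    result = analyze(PAGE_LINES + CONSTRUCTED_REPEAT)
    for name, kb in result["top_rss"]:
        print(f"{kb / 1024:7.1f} MiB  {name}")
    print(*verdict(result), sep="\n")
```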


2

Re: Clamd high CPU usage

This is unusual.

*) Did you see many outbound emails in /var/log/maillog?
*) iRedMail requires 2GB RAM for a low-traffic mail server, and you have just 1GB. Please try to update the Amavisd/Postfix config files to reduce the number of concurrently processed mails by following this tutorial. As a test, set it to 1 or 2 first.
http://www.iredmail.org/docs/concurrent.processing.html

3 (edited by smozgur 2015-09-08 01:06:55)

Re: Clamd high CPU usage

Thank you for the reply, Zhang.

1) There is one repeating section in the maillog, with many, many repeats at almost every 4-8 second interval (it doesn't look normal to me but I have no idea what it means):

Sep  6 22:40:20 mx clamd[10478]: clamd daemon 0.98.7 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Sep  6 22:40:20 mx clamd[10478]: Running as user amavis (UID 995, GID 994)
Sep  6 22:40:20 mx clamd[10478]: Log file size limited to 1048576 bytes.
Sep  6 22:40:20 mx clamd[10478]: Reading databases from /var/lib/clamav
Sep  6 22:40:20 mx clamd[10478]: Not loading PUA signatures.
Sep  6 22:40:20 mx clamd[10478]: Bytecode: Security mode set to "TrustSigned".

Wow! No kidding, these 6 lines repeat every 4-8 seconds.

2- I understand the 2GB RAM requirement; however, it is not a production server yet. I have a few domains containing a few email addresses to test. It really doesn't make sense that 1GB would be the problem at this moment. However, I will make the change to set it to 1. It is currently set to 2, and I actually followed the performance tuning document; however, the setting was recommended as commonly between 2 and 30, so I thought 1 might be something unusual. Now I will set it to 1 to see. But please see 1 above; that repetitive section really doesn't make sense.

Thank you.

Edit for #1: No, there are not many outbound emails. Only the ones I have been sending during the tests.

4

Re: Clamd high CPU usage

Oh! It is interesting and you might want to know about this.

I followed the installation steps strictly. And I did change nothing in the configuration files manually after installation.

"Process more emails concurrently" document says:

Both values should be identical for two reasons: If Amavisd offers more processes than Postfix will ever use, Amavisd wastes resources. On the other hand, if Postfix starts more dedicated transports than amavisd can handle simultaneously, e-mail transport will be refused and logged as error.

However, my untouched /etc/postfix/master.cf says 4 where my untouched /etc/amavisd/amavisd.conf says 2 for the max_servers.

I just set both to be 1 and I am just sending this note considering/hoping this might be the problem.
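
The mismatch described above can be checked mechanically. This is an added example, not part of the original post or of iRedMail: it compares maxproc for the Amavisd transport in master.cf with $max_servers in amavisd.conf. The config excerpts are constructed with the values the post reports, and the transport name smtp-amavis is an assumption.

```python
import re

# Constructed excerpts using the values the post reports (4 in master.cf, 2 in amavisd.conf).
# Assumption: the Postfix transport that feeds Amavisd is named "smtp-amavis".
MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       n       -       -       smtpd
smtp-amavis unix -      -       n       -       4       smtp
    -o smtp_data_done_timeout=1200
    -o disable_dns_lookups=yes
"""
AMAVISD_CONF = """\
# $max_servers = 8;   (commented out, must be ignored)
$max_servers = 2;            # num of pre-forked children
"""


def parse_master_cf(text):
    """Return {(service, type): {"maxproc": str, "command": str}} from master.cf text."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank and comment lines are ignored
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()  # leading whitespace continues an entry
        else:
            logical.append(raw.strip())
    entries = {}
    for entry in logical:
        f = entry.split()
        if len(f) >= 8:  # service type private unpriv chroot wakeup maxproc command
            entries[(f[0], f[1])] = {"maxproc": f[6], "command": f[7]}
    return entries


def check(master_text, amavis_text, transport=("smtp-amavis", "unix"),
          default_process_limit=100):
    """Compare the transport's maxproc with Amavisd's $max_servers."""
    entry = parse_master_cf(master_text).get(transport)
    found = re.findall(r"^\s*\$max_servers\s*=\s*(\d+)\s*;", amavis_text, re.M)
    if entry is None or not found:
        return None, None, "cannot compare: transport or $max_servers not found"
    if entry["maxproc"] == "-":
        maxproc = default_process_limit  # "-" means Postfix's default_process_limit
    else:
        maxproc = int(entry["maxproc"])
    max_servers = int(found[-1])  # the last assignment in the file wins
    if maxproc == 0 or maxproc > max_servers:  # 0 means no process limit in Postfix
        msg = "Postfix can start more transports than Amavisd handles; mail is refused"
    elif maxproc < max_servers:
        msg = "Amavisd offers more processes than Postfix will use; resources wasted"
    else:
        msg = "values match"
    return maxproc, max_servers, msg


if __name__ == "__main__":
    print(check(MASTER_CF, AMAVISD_CONF))
```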

5

Re: Clamd high CPU usage

Hello Zhang,

I keep seeing the error logs about clamav and amavis, as in my original question. Additionally, I have a VERY big logwatch email today. I will attach it below; please note there is a section with thousands of the same line starting with LibClamAV, which I separated.

Is it possible to see something that will say:
1- My 1GB RAM is definitely not enough and things will be solved by upgrading to 2GB with 2 cores (I am on Linode)
2- Anything else pointing to the problem behind the errors I keep getting, and that can be cured?

There are only 7 virtual domains on the server and it will likely be about 15. There are currently 7 users and it will likely be 40-50 max, so absolutely low traffic. Nobody is using the server yet to send & receive emails, as you can see from the logs as well, except me to test accounts.

If my 1GB RAM is not enough and if I disable virus and spam scanning, would it heal the memory usage and particular problem? In this case, can viruses do any harm on my server or it is only for client protection?

Sorry for so many questions, but I'll be more than happy if you could lead me the right way.

Thank you in advance for any help!

Suat


################### Logwatch 7.4.0 (03/01/11) #################### 
       Processing Initiated: Sat Sep 12 03:21:04 2015
       Date Range Processed: yesterday
                             ( 2015-Sep-11 )
                             Period is day.
       Detail Level of Output: 0
       Type of Output/Format: mail / text
       Logfiles for Host: **.******.***
################################################################## 

--------------------- Amavisd-new Begin ------------------------ 

       8   *Warning: Virus scanner connection failure 
      13   Miscellaneous warnings  

      17   Total messages scanned ------------------  100.00%
 129.864K  Total bytes scanned                        132,981
========   ==================================================

      17   Passed ----------------------------------  100.00%
       2     Unchecked passed                          11.76%
      15     Clean passed                              88.24%
========   ==================================================

       2   Unchecked -------------------------------   11.76%
       2     Unchecked passed                          11.76%

      15   Ham -------------------------------------   88.24%
      15     Clean passed                              88.24%
========   ==================================================

**Unmatched Entries**
       3   No ext program for   .lz4, tried: lz4c -d
       2   Deleting db files snmp.db,__db.001,nanny.db,__db.002,__db.003 in /var/spool/amavisd/db
       1   Deleting db files nanny.db in /var/spool/amavisd/db

---------------------- Amavisd-new End ------------------------- 


--------------------- Kernel Audit Begin ------------------------ 
**Unmatched Entries** 
 audit: initializing netlink subsys (disabled)
---------------------- Kernel Audit End ------------------------- 

--------------------- Clamav Begin ------------------------ 
Virus database reloaded 4 time(s) (last time with 3994353 viruses)

**Unmatched Entries**
LibClamAV Error: mpool_malloc(): Can't allocate memory (8392704 bytes).
LibClamAV Error: mpool_malloc(): Can't allocate memory (8392704 bytes).
LibClamAV Error: mpool_malloc(): Can't allocate memory (8392704 bytes).
LibClamAV Error: mpool_malloc(): Can't allocate memory (8392704 bytes).
------

THERE ARE THOUSANDS OF LibClamAV LINES ABOVE, THEN THE FOLLOWING

------
LibClamAV Error: mpool_malloc(): Can't allocate memory (8392704 bytes).
Limits: MaxEmbeddedPE limit set to 10485760 bytes.
Limits: MaxHTMLNormalize limit set to 10485760 bytes.
Limits: MaxHTMLNoTags limit set to 2097152 bytes.
Limits: MaxScriptNormalize limit set to 5242880 bytes.
Limits: MaxZipTypeRcg limit set to 1048576 bytes.
Limits: MaxPartitions limit set to 50.
Limits: MaxIconsPE limit set to 100.
Limits: MaxEmbeddedPE limit set to 10485760 bytes.
Limits: MaxHTMLNormalize limit set to 10485760 bytes.
Limits: MaxHTMLNoTags limit set to 2097152 bytes.
Limits: MaxScriptNormalize limit set to 5242880 bytes.
Limits: MaxZipTypeRcg limit set to 1048576 bytes.
Limits: MaxPartitions limit set to 50.
Limits: MaxIconsPE limit set to 100.
---------------------- Clamav End ------------------------- 

--------------------- Cron Begin ------------------------ 
**Unmatched Entries**
INFO (RANDOM_DELAY will be scaled with factor 5% if used.)
---------------------- Cron End ------------------------- 

--------------------- httpd Begin ------------------------ 

Requests with error response codes
   401 Unauthorized
      /awstats/awstats.pl: 3 Time(s)
      /cluebringer/: 2 Time(s)
   403 Forbidden
      /iredadmin/login: 4 Time(s)
   404 Not Found
      /server-status?auto: 288 Time(s)
      /amawis: 2 Time(s)
      /awstatsicons/other/vk.png: 2 Time(s)
      /Diagnostics.asp: 1 Time(s)
      /Ringing.at.your.dorbell!: 1 Time(s)
      /amawisd: 1 Time(s)
      /awstatsicons/browser/chrome.png: 1 Time(s)
      /awstatsicons/browser/firefox.png: 1 Time(s)
      /awstatsicons/browser/netscape.png: 1 Time(s)
      /awstatsicons/browser/safari.png: 1 Time(s)
      /awstatsicons/browser/unknown.png: 1 Time(s)
      /awstatsicons/clock/hr1.png: 1 Time(s)
      /awstatsicons/clock/hr10.png: 1 Time(s)
      /awstatsicons/clock/hr11.png: 1 Time(s)
      /awstatsicons/clock/hr12.png: 1 Time(s)
      /awstatsicons/clock/hr2.png: 1 Time(s)
      /awstatsicons/clock/hr3.png: 1 Time(s)
      /awstatsicons/clock/hr4.png: 1 Time(s)
      /awstatsicons/clock/hr5.png: 1 Time(s)
      /awstatsicons/clock/hr6.png: 1 Time(s)
      /awstatsicons/clock/hr7.png: 1 Time(s)
      /awstatsicons/clock/hr8.png: 1 Time(s)
      /awstatsicons/clock/hr9.png: 1 Time(s)
      /awstatsicons/flags/ip.png: 1 Time(s)
      /awstatsicons/mime/css.png: 1 Time(s)
      /awstatsicons/mime/image.png: 1 Time(s)
      /awstatsicons/mime/php.png: 1 Time(s)
      /awstatsicons/os/ios.png: 1 Time(s)
      /awstatsicons/os/mac.png: 1 Time(s)
      /awstatsicons/os/unknown.png: 1 Time(s)
      /awstatsicons/os/win.png: 1 Time(s)
      /awstatsicons/other/awstats_logo6.png: 1 Time(s)
      /awstatsicons/other/button.gif: 1 Time(s)
      /awstatsicons/other/he.png: 1 Time(s)
      /awstatsicons/other/hh.png: 1 Time(s)
      /awstatsicons/other/hk.png: 1 Time(s)
      /awstatsicons/other/hp.png: 1 Time(s)
      /awstatsicons/other/hx.png: 1 Time(s)
      /awstatsicons/other/page.png: 1 Time(s)
      /awstatsicons/other/vh.png: 1 Time(s)
      /awstatsicons/other/vp.png: 1 Time(s)
      /awstatsicons/other/vu.png: 1 Time(s)
      /awstatsicons/other/vv.png: 1 Time(s)
      /favicon.ico: 1 Time(s)
      /phpMyAdmin: 1 Time(s)
      /rom-0: 1 Time(s)
---------------------- httpd End ------------------------- 

--------------------- Kernel Begin ------------------------ 
WARNING:  Kernel Errors Present
   EXT2-fs (sda): error: couldn't mount  ...:  1 Time(s)
   EXT3-fs (sda): error: couldn't mount  ...:  1 Time(s)
   EXT4-fs (sda): re-mounted. Opts: errors=remount-ro ...:  1 Time(s)
---------------------- Kernel End ------------------------- 

--------------------- pam_unix Begin ------------------------ 
sshd:
   Authentication Failures:
   Invalid Users:
      Unknown Account: 15 Time(s)

su:
   Sessions Opened:
      ******** -> root: 2 Time(s)
---------------------- pam_unix End ------------------------- 

--------------------- Postfix Begin ------------------------ 
       3   SASL authentication failed 
      85   Miscellaneous warnings  

 219.809K  Bytes accepted                             225,084
 180.305K  Bytes sent via SMTP                        184,632
  88.181K  Bytes delivered                             90,297
  18.347K  Bytes forwarded                             18,787
========   ==================================================

      30   Accepted                                    71.43%
      12   Rejected                                    28.57%
--------   --------------------------------------------------
      42   Total                                      100.00%
========   ==================================================

       4   5xx Reject HELO/EHLO                        33.33%
       1   5xx Reject unknown user                      8.33%
       7   5xx Reject sender address                   58.33%
--------   --------------------------------------------------
      12   Total 5xx Rejects                          100.00%
========   ==================================================

      22   4xx Reject relay denied                    100.00%
--------   --------------------------------------------------
      22   Total 4xx Rejects                          100.00%
========   ==================================================

     120   Connections             
      14   Connections lost (inbound) 
     120   Disconnections          
      33   Removed from queue      
      12   Delivered               
      22   Sent via SMTP           
       3   Forwarded               

       1   Timeouts (inbound)      
       4   SASL authenticated messages 

       1   Postfix start           
       1   Postfix refresh         
---------------------- Postfix End ------------------------- 

--------------------- Connections (secure-log) Begin ------------------------ 
**Unmatched Entries**
   polkitd: Acquired the name org.freedesktop.PolicyKit1 on the system bus: 1 Time(s)
   polkitd: Finished loading, compiling and executing 2 rules: 1 Time(s)
   polkitd: Loading rules from directory /etc/polkit-1/rules.d: 1 Time(s)
   polkitd: Loading rules from directory /usr/share/polkit-1/rules.d: 1 Time(s)
---------------------- Connections (secure-log) End ------------------------- 

--------------------- SSHD Begin ------------------------ 
SSHD Started: 2 Time(s)

Failed logins from:

Illegal users from:
   undef: 5 times

Users logging in through sshd:
   ********:********: 2 times

Received disconnect:
   11:  [preauth] : 8 Time(s)
   11: Bye Bye [preauth] : 21 Time(s)
   11: disconnected by user : 1 Time(s)

**Unmatched Entries**
pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root" : 58 time(s)
---------------------- SSHD End ------------------------- 

--------------------- Sudo (secure-log) Begin ------------------------ 
********  => root
---------------
/bin/su                        -   2 Time(s).

---------------------- Sudo (secure-log) End ------------------------- 

--------------------- yum Begin ------------------------ 
Packages Updated:
   phpMyAdmin-4.4.14.1-1.el7.noarch
---------------------- yum End ------------------------- 


--------------------- Disk Space Begin ------------------------ 
Filesystem      Size  Used Avail Use% Mounted on
/dev/root        24G  2.7G   21G  12% /
devtmpfs        494M     0  494M   0% /dev
---------------------- Disk Space End ------------------------- 


###################### Logwatch End #########################

6

Re: Clamd high CPU usage

There's no unusual error except clamav complains "Can't allocate memory". I believe upgrading to 2GB RAM will fix this issue and your server will run smoothly.

7

Re: Clamd high CPU usage

Thank you, Zhang!

This was all I wanted to make sure before memory upgrade. If it is going to let me have a smoothly working server, as you said, then I'll do it.

Thanks for your help.

Suat

8

Re: Clamd high CPU usage

Hi,

I have now 2GB RAM and things look to be working really nice. 50%-60% RAM usage.

I have 3 final questions.

1- I have 256MB Swap size. Is this OK or should increase it?
2- Server looks to be working fine so far. But how can I understand if it fails? Does iRedMail send me any alert about this?
3- Some users started to get SPAM emails when I switched their MX records. Is there a specific source for tuning that I can follow to make my iRedMail mail server less spammy?

Thank you for all your help!

9

Re: Clamd high CPU usage

smozgur wrote:

1- I have 256MB Swap size. Is this OK or should increase it?

It's suggested to create the swap as large as your RAM, but if your server doesn't use swap at all, then it's not that important.

smozgur wrote:

2- Server looks to be working fine so far. But how can I understand if it fails? Does iRedMail send me any alert about this?

You need to check log files to figure it out.

smozgur wrote:

3- Some users started to get SPAM emails when I switched their MX records. Is there a specific source for tuning that I can follow to make my iRedMail mail server less spammy?

Try postscreen or DNSBL service first:
http://www.iredmail.org/docs/enable.postscreen.html

10

Re: Clamd high CPU usage

Thank you for the answers!

Thanks for iRedMail!