May 29, 2013
 

We thank GNUtransfer for providing two VPSs and other resources to write this article.

On some servers where GNUPanel is installed, mail traffic is very high, which makes amavis consume a lot of resources and degrades the quality of service of apache, pdns, proftpd, etc.
In this article we will see how to run amavis, clamav and spamassassin on a separate server.
Before starting, note that although it is not mandatory, it is best that the IPs over which postfix (on the main server) and amavis (on the antispam server) communicate be private, either through a separate network or, as we did for this example, through a VPN, for which we used openvpn with the following howto.

In our example we have two servers: one where gnupanel is installed, which we will call gnupanel, and another to which we will move amavis, which we will call amavis, with the following data.

gnupanel server
IP: 69.61.93.19
Private IP: 192.168.200.1
Main DOMAIN: tester-gnupanel.com.ar

amavis server
IP: 69.61.93.13
Private IP: 192.168.200.4

First, on the amavis server, we install the following packages: amavisd-new spamassassin clamav clamav-daemon unrar-free ca-certificates arj zip unzip unar zoo nomarch lzop cabextract libauthen-sasl-perl dspam p7zip lhasa pax pax-utils pyzor razor

root@vps442025:/# apt-get install amavisd-new spamassassin clamav clamav-daemon unrar-free ca-certificates arj zip unzip unar zoo nomarch lzop cabextract libauthen-sasl-perl dspam p7zip unrar-free lhasa pax pax-utils pyzor razor unrar-free
Reading package lists... Done
Building dependency tree       
Reading state information... Done
ca-certificates is already the newest version.
ca-certificates set to manually installed.
unzip is already the newest version.
unzip set to manually installed.
The following extra packages will be installed:
  altermime clamav-base clamav-freshclam dbus dspam-doc gcc gcc-4.7 gnustep-base-common gnustep-base-runtime gnustep-common libarchive-zip-perl libavahi-client3 libavahi-common-data libavahi-common3 libberkeleydb-perl libc-dev-bin
  libc6-dev libclamav6 libconvert-binhex-perl libconvert-tnef-perl libconvert-uulib-perl libcrypt-openssl-bignum-perl libcrypt-openssl-rsa-perl libdbus-1-3 libdigest-hmac-perl libdspam7 libdspam7-drv-hash libencode-locale-perl
  liberror-perl libfile-listing-perl libfont-afm-perl libgnustep-base1.22 libgomp1 libhtml-form-perl libhtml-format-perl libhtml-parser-perl libhtml-tagset-perl libhtml-tree-perl libhttp-cookies-perl libhttp-daemon-perl
  libhttp-date-perl libhttp-message-perl libhttp-negotiate-perl libicu48 libio-multiplex-perl libio-socket-inet6-perl libio-socket-ssl-perl libio-stringy-perl libitm1 liblhasa0 libltdl7 liblwp-mediatypes-perl liblwp-protocol-https-perl
  libmail-dkim-perl libmail-spf-perl libmailtools-perl libmime-tools-perl libnet-cidr-perl libnet-dns-perl libnet-http-perl libnet-ip-perl libnet-server-perl libnet-ssleay-perl libnetaddr-ip-perl libobjc4 libpq5 libquadmath0
  libsocket6-perl libsys-hostname-long-perl libsystemd-login0 libtimedate-perl libtommath0 libunix-syslog-perl liburi-perl libwavpack1 libwww-perl libwww-robotrules-perl libxslt1.1 linux-libc-dev manpages-dev python-gdbm re2c ripole
  spamc
Suggested packages:
  lha unrar libnet-ldap-perl libdbi-perl rpm libsnmp-perl clamav-docs daemon dbus-x11 dspam-webfrontend gcc-multilib autoconf automake1.9 libtool flex bison gdb gcc-doc gcc-4.7-multilib libmudflap0-4.7-dev gcc-4.7-doc gcc-4.7-locales
  libgcc1-dbg libgomp1-dbg libitm1-dbg libquadmath0-dbg libmudflap0-dbg libcloog-ppl0 libppl-c2 libppl7 binutils-gold gnustep-base-doc libgssapi-perl glibc-doc libclamunrar6 libdspam7-drv libdata-dump-perl libcrypt-ssleay-perl
  liblog-log4perl-perl libauthen-ntlm-perl p7zip-full paxctl python-gdbm-dbg libnet-ident-perl pike7.8 pike7.6 pike
Recommended packages:
  libnet-patricial-perl
The following NEW packages will be installed:
  altermime amavisd-new arj cabextract clamav clamav-base clamav-daemon clamav-freshclam dbus dspam dspam-doc gcc gcc-4.7 gnustep-base-common gnustep-base-runtime gnustep-common lhasa libarchive-zip-perl libauthen-sasl-perl
  libavahi-client3 libavahi-common-data libavahi-common3 libberkeleydb-perl libc-dev-bin libc6-dev libclamav6 libconvert-binhex-perl libconvert-tnef-perl libconvert-uulib-perl libcrypt-openssl-bignum-perl libcrypt-openssl-rsa-perl
  libdbus-1-3 libdigest-hmac-perl libdspam7 libdspam7-drv-hash libencode-locale-perl liberror-perl libfile-listing-perl libfont-afm-perl libgnustep-base1.22 libgomp1 libhtml-form-perl libhtml-format-perl libhtml-parser-perl
  libhtml-tagset-perl libhtml-tree-perl libhttp-cookies-perl libhttp-daemon-perl libhttp-date-perl libhttp-message-perl libhttp-negotiate-perl libicu48 libio-multiplex-perl libio-socket-inet6-perl libio-socket-ssl-perl
  libio-stringy-perl libitm1 liblhasa0 libltdl7 liblwp-mediatypes-perl liblwp-protocol-https-perl libmail-dkim-perl libmail-spf-perl libmailtools-perl libmime-tools-perl libnet-cidr-perl libnet-dns-perl libnet-http-perl libnet-ip-perl
  libnet-server-perl libnet-ssleay-perl libnetaddr-ip-perl libobjc4 libpq5 libquadmath0 libsocket6-perl libsys-hostname-long-perl libsystemd-login0 libtimedate-perl libtommath0 libunix-syslog-perl liburi-perl libwavpack1 libwww-perl
  libwww-robotrules-perl libxslt1.1 linux-libc-dev lzop manpages-dev nomarch p7zip pax pax-utils python-gdbm pyzor razor re2c ripole spamassassin spamc unar unrar-free zip zoo
0 upgraded, 104 newly installed, 0 to remove and 0 not upgraded.
Need to get 38,2 MB of archives.
After this operation, 109 MB of additional disk space will be used.
Do you want to continue [Y/n]? 

On the amavis server we add the amavis user to the clamav group and the clamav user to the amavis group

root@vps442025:/# adduser amavis clamav
Adding user `amavis' to group `clamav' ...
Adding user amavis to group clamav
Done.
root@vps442025:/# adduser clamav amavis
Adding user `clamav' to group `amavis' ...
Adding user clamav to group amavis
Done.
root@vps442025:/# 

Then we copy the following files from the gnupanel server to the amavis server

/etc/amavis/WHITELIST.lst
/etc/amavis/REDES.lst
/etc/amavis/redes.lst
/etc/amavis/LOCALDOMAINS.lst
/etc/amavis/whitelist.lst
/etc/amavis/blacklist.lst
/etc/amavis/localdomains.lst
/etc/amavis/spamlovers.lst
/etc/amavis/conf.d/50-user
/etc/spamassassin/local.cf
/etc/clamav/freshclam.conf
/etc/clamav/clamd.conf

Then we edit the file /etc/amavis/conf.d/50-user, adding and/or modifying the following variables

$inet_socket_bind = '192.168.200.4';
$forward_method = 'smtp:[192.168.200.1]:10025';
$notify_method  = $forward_method;
$myhostname = "tester-gnupanel.com.ar";

$max_servers = 9;

We also edit the file /etc/amavis/REDES.lst and add all the IPs of the gnupanel server to it; in our example that would be

root@vps442025:/# cat /etc/amavis/REDES.lst 
192.168.200.1
69.61.93.19
root@vps442025:/# 

Then edit the file /etc/mailname and put the main gnupanel domain in it

root@vps442025:/# cat /etc/mailname              
tester-gnupanel.com.ar
root@vps442025:/# 

On the gnupanel server, edit the file /etc/postfix/main.cf and replace the content_filter variable so that it reads as follows

content_filter = smtp-amavis:[192.168.200.4]:10024

Then edit /etc/postfix/master.cf and modify the line that begins with «127.0.0.1:10025» so that it reads as follows

192.168.200.1:10025 inet n  -       n       -       -  smtpd

And further down, change the line

    -o mynetworks=127.0.0.0/8

to this

    -o mynetworks=192.168.200.0/24

Then, on the gnupanel server, create a script in /usr/local/bin called, for example, get-gnupanel-domains.sh with the following content

#!/bin/bash
# Prints every mail domain hosted by GNUPanel, one per line.

ECHO=/bin/echo
CAT=/bin/cat
GREP=/bin/grep
MAWK=/usr/bin/mawk
PSQL=/usr/bin/psql
MKTEMP=/bin/mktemp
RM=/bin/rm

INSTALL_DATA=/etc/gnupanel/GNUPANEL_INSTALL_DATA
PG_USER=postfix
# Database password of the postfix user, read from the GNUPanel install data
PG_PASS=`${CAT} ${INSTALL_DATA} | ${GREP} POSTFIX_PG | ${MAWK} -F ":" '{print $2;}'`
# Temporary password file for psql (mktemp creates it with mode 0600)
PGPASSFILE=`${MKTEMP}`

${ECHO} "localhost:5432:gnupanel:postfix:${PG_PASS}" > "${PGPASSFILE}"

SQL="SELECT DISTINCT dominio FROM gnupanel_postfix_mailuser ORDER BY dominio;"

export PGPASSFILE

# Drop empty lines; the pattern is quoted so the shell cannot expand it as a glob
${PSQL} -U ${PG_USER} -h localhost -w -d gnupanel -t -q -c "${SQL}" | ${MAWK} '{print $1;}' | ${GREP} '[-a-zA-Z0-9_.]'

${RM} -f "${PGPASSFILE}"

Give the sdns user execute permission on it

root@vps415960:/# chown root:sdns /usr/local/bin/get-gnupanel-domains.sh 
root@vps415960:/# chmod 0554 /usr/local/bin/get-gnupanel-domains.sh 
root@vps415960:/# 

We create the directory /home/sdns/.ssh and the file /home/sdns/.ssh/authorized_keys, making sure that the owner is the sdns user

mkdir -p /home/sdns/.ssh
>> /home/sdns/.ssh/authorized_keys
chown -R sdns:sdns /home/sdns

Then, on the amavis server, we create an ssh key pair; as root we run the following command

NOTE: we do not assign a passphrase; we press enter when asked for one

root@vps442025:/# ssh-keygen -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
fe:fc:8c:88:0a:ec:6c:21:e7:2a:8e:c3:3c:52:6d:af root@vps442025
The key's randomart image is:
+--[ RSA 4096]----+
|                 |
|                 |
|                 |
|                 |
|   .    S        |
|..+ o  .         |
|o=oo .  .        |
|=*o.  .. + o     |
|*=+ Eo. . +.o    |
+-----------------+
root@vps442025:/# 

Then we copy the contents of the file /root/.ssh/id_rsa.pub on the amavis server into the file /home/sdns/.ssh/authorized_keys on the gnupanel server

Check that you can connect: as root on the amavis server, run ssh sdns@192.168.200.1 (change the IP to that of your gnupanel server)

NOTE: You will be asked to confirm the fingerprint

root@vps442025:/# ssh sdns@192.168.200.1
The authenticity of host '192.168.200.1 (192.168.200.1)' can't be established.
ECDSA key fingerprint is 3d:7d:5b:83:94:96:0e:d9:cb:8e:c8:af:02:db:bc:81.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.200.1' (ECDSA) to the list of known hosts.
Linux vps415960 3.2.0-4-amd64 #1 SMP Debian 3.2.41-2 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
$ 
$ 
$ exit
logout
Connection to 192.168.200.1 closed.
root@vps442025:/# 
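
As the session above shows, the passphrase-less key gives root on the amavis server an interactive shell as sdns on the gnupanel server. The following added example (not part of the original article) builds an authorized_keys entry that limits the key to the domain-listing script from the amavis private IP, and flags entries that carry no forced command; the function names and the sample key are assumptions, and the options used are standard OpenSSH authorized_keys options.

```sh
#!/bin/sh
# Added example, not from the original article. Function names are assumptions.

FORCED_CMD=/usr/local/bin/get-gnupanel-domains.sh   # script created earlier
AMAVIS_IP=192.168.200.4                             # amavis private IP

# restricted_entry 'TYPE BASE64 [COMMENT]'
# Prints an authorized_keys line that only allows FORCED_CMD from AMAVIS_IP.
# Fails if the argument is not a bare public key (for example, it already
# starts with options).
restricted_entry() {
    re_type=${1%% *}
    re_rest=${1#* }
    re_blob=${re_rest%% *}
    case "$re_type" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;
    esac
    # Every SSH public key blob is base64 and begins with "AAAA".
    printf '%s\n' "$re_blob" | grep -Eq '^AAAA[A-Za-z0-9+/]+=*$' || return 1
    printf 'command="%s",from="%s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' \
        "$FORCED_CMD" "$AMAVIS_IP" "$1"
}

# unrestricted_keys FILE
# Prints the line numbers of keys in FILE whose options field has no
# command="..." (keys that would get a shell). Exit status 1 if any exist.
unrestricted_keys() {
    awk '
        /^[ \t]*(#|$)/ { next }                      # comments, blank lines
        !/^([^ \t"]|"[^"]*")*command="/ { print NR; bad = 1 }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample key (shortened, not a usable key).
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB root@vps442025'
restricted_entry "$SAMPLE_KEY"
```

With a forced command in place, the command requested by the client is ignored and the listed script runs instead, so the non-interactive fetch keeps working while the interactive login shown above no longer does.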

Then, on the amavis server, create the file /usr/local/bin/genera-amavis-lst.sh with the following content

root@vps442025:/# cat /usr/local/bin/genera-amavis-lst.sh 
#!/bin/bash

cd /

WHITELIST_IN=/etc/amavis/WHITELIST.lst
WHITELIST_OUT=/etc/amavis/whitelist.lst
LOCALDOMAINS_IN=/etc/amavis/LOCALDOMAINS.lst
LOCALDOMAINS_OUT=/etc/amavis/localdomains.lst

REDES_IN=/etc/amavis/REDES.lst
REDES_OUT=/etc/amavis/redes.lst

IP_GNUPANEL=192.168.200.1

DOMINIOS=`/usr/bin/ssh sdns@${IP_GNUPANEL} /usr/local/bin/get-gnupanel-domains.sh`

/bin/echo -n "" > ${LOCALDOMAINS_OUT}
/bin/echo -n "" > ${WHITELIST_OUT}

for dominio in ${DOMINIOS}
do
    #/bin/echo ${dominio} >> ${WHITELIST_OUT}
    /bin/echo ${dominio} >> ${LOCALDOMAINS_OUT}
done

/bin/cat ${WHITELIST_IN} >> ${WHITELIST_OUT}
/bin/cat ${LOCALDOMAINS_IN} >> ${LOCALDOMAINS_OUT}

REDES=`/sbin/ifconfig | /bin/grep inet | /bin/grep -v inet6 | /usr/bin/mawk '{print $2;}' | /usr/bin/mawk -F ":" '{print $2;}' | /usr/bin/sort -u`

/bin/echo -n "" > ${REDES_OUT}

/bin/cat ${REDES_IN} >> ${REDES_OUT}

for red_in in ${REDES}
do
    /bin/echo ${red_in} >> ${REDES_OUT}
done

/etc/init.d/amavis restart




Change this line to the IP that corresponds to your gnupanel server

IP_GNUPANEL=192.168.200.1
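
The script above writes whatever the ssh call returns straight into localdomains.lst and restarts amavis, so a failed connection leaves only the static entries and a malformed line goes into the list unchecked. The following added example (not GNUPanel code) validates each fetched line as a domain name and replaces the list atomically, leaving it untouched when nothing valid arrives; the function names and the sample data are assumptions.

```sh
#!/bin/sh
# Added example, not GNUPanel code. Function names are assumptions.

# True only for a syntactically valid DNS name of at most 253 characters.
valid_domain() {
    [ "${#1}" -le 253 ] || return 1
    printf '%s\n' "$1" | grep -Eq \
        '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]([A-Za-z0-9-]{0,61}[A-Za-z0-9])$'
}

# build_localdomains FETCHED STATIC_IN OUT
#   FETCHED    file holding the output of get-gnupanel-domains.sh
#   STATIC_IN  hand-maintained list (LOCALDOMAINS.lst)
#   OUT        list read by amavis (localdomains.lst)
# Returns 1 and leaves OUT untouched when no valid domain was fetched.
build_localdomains() {
    bl_tmp=$(mktemp "$3.XXXXXX") || return 1
    bl_count=0
    while IFS= read -r bl_line || [ -n "$bl_line" ]; do
        if valid_domain "$bl_line"; then
            printf '%s\n' "$bl_line" >> "$bl_tmp"
            bl_count=$((bl_count + 1))
        elif [ -n "$bl_line" ]; then
            printf 'rejected entry: %s\n' "$bl_line" >&2
        fi
    done < "$1"
    if [ "$bl_count" -eq 0 ]; then
        rm -f "$bl_tmp"
        return 1
    fi
    # mktemp creates the file 0600; amavis must be able to read the result.
    # mv within the same directory replaces the old list in one step.
    cat "$2" >> "$bl_tmp" && chmod 0644 "$bl_tmp" && mv "$bl_tmp" "$3"
}

# Constructed sample run in a scratch directory.
demo() {
    d=$(mktemp -d) || return 1
    printf 'example.net\n' > "$d/LOCALDOMAINS.lst"
    printf 'tester-gnupanel.com.ar\nnot a domain\n' > "$d/fetched"
    build_localdomains "$d/fetched" "$d/LOCALDOMAINS.lst" "$d/localdomains.lst"
    cat "$d/localdomains.lst"
    rm -rf "$d"
}
demo
```

In the real script, the ssh output would be saved to a file first and amavis restarted only when build_localdomains succeeds.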

Now, on the gnupanel server, edit /etc/cron.d/gnupanel-stats and comment out the line that runs /usr/local/gnupanel/genera-amavis-lst.sh so that it reads as follows

root@vps415960:/# cat /etc/cron.d/gnupanel-stats 
#
#  GNUPanel generador de estadisticas
#
# m h dom mon dow user  command
##0 3	* * *	root	/usr/local/gnupanel/calcula-deudas.pl 1>/dev/null 2>/dev/null
0 4	* * *	root	/usr/local/gnupanel/genera-estadisticas.pl 1>/dev/null 2>/dev/null
0 0	1 * *	root	/usr/local/gnupanel/reset-transfer.pl 1>/dev/null 2>/dev/null
0 */3	* * *	root	/usr/local/gnupanel/genera-postfix-secundario.pl 1>/dev/null 2>/dev/null
#0 */3	* * *	root	/usr/local/gnupanel/genera-amavis-lst.sh 1>/dev/null 2>/dev/null
0 5	* * *	root	/usr/local/gnupanel/genera-backup.pl 1>/dev/null 2>/dev/null
0 2	* * *	root	/usr/local/gnupanel/controla-planes.pl 1>/dev/null 2>/dev/null
30 0	1 * *	root	/usr/local/gnupanel/gnupanel-garbage-colector.pl 1>/dev/null 2>/dev/null
0 */1	* * *	root	/usr/local/gnupanel/hay-tickets-pend.pl 1>/dev/null 2>/dev/null
50 */3	* * *	root	/usr/local/gnupanel/mide-trafico-total-cron.pl 1>/dev/null 2>/dev/null
0 4	* * *	root	/usr/local/gnupanel/limpiar-spam.sh 1>/dev/null 2>/dev/null
0 */1	* * *	root	/usr/local/gnupanel/trafico_correo.sh 1>/dev/null
##0 */1   * * *   root    /usr/local/gnupanel/pdns_notify.sh 1>/dev/null

Then uninstall and purge the following packages: amavisd-new spamassassin clamav clamav-daemon; it is also advisable to run an autoremove

root@vps415960:/# apt-get remove amavisd-new spamassassin clamav clamav-daemon
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages were automatically installed and are no longer required:
  altermime libarchive-zip-perl libberkeleydb-perl libconvert-binhex-perl libconvert-tnef-perl libconvert-uulib-perl libio-multiplex-perl libio-stringy-perl libmime-tools-perl libnet-cidr-perl libnet-server-perl libunix-syslog-perl
  ripole
Use 'apt-get autoremove' to remove them.
The following packages will be REMOVED:
  amavisd-new clamav clamav-daemon spamassassin
0 upgraded, 0 newly installed, 4 to remove and 0 not upgraded.
After this operation, 7.249 kB disk space will be freed.
Do you want to continue [Y/n]? 
(Reading database ... 49529 files and directories currently installed.)
Removing amavisd-new ...
Stopping amavisd: amavisd-new.
Removing clamav ...
Removing clamav-daemon ...
[ ok ] Stopping ClamAV daemon: clamd Waiting .  . .
Removing spamassassin ...
SpamAssassin Mail Filter Daemon: disabled, see /etc/default/spamassassin
Processing triggers for man-db ...
root@vps415960:/# 
root@vps415960:/# dpkg -P amavisd-new spamassassin clamav clamav-daemon
(Reading database ... 49110 files and directories currently installed.)
Removing amavisd-new ...
Purging configuration files for amavisd-new ...
Removing user `amavis' ...
userdel: group amavis not removed because it has other members.
Done.
Removing group `amavis' ...
Done.
Removing amavis files and directories...
Removing spamassassin ...
Purging configuration files for spamassassin ...
dpkg: warning: ignoring request to remove clamav which isn't installed
Removing clamav-daemon ...
Purging configuration files for clamav-daemon ...
root@vps415960:/# apt-get autoremove
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages will be REMOVED:
  altermime clamav-base clamav-freshclam libarchive-zip-perl libberkeleydb-perl libclamav6 libconvert-binhex-perl libconvert-tnef-perl libconvert-uulib-perl libcrypt-openssl-bignum-perl libcrypt-openssl-rsa-perl liberror-perl
  libio-multiplex-perl libio-stringy-perl libmail-dkim-perl libmail-spf-perl libmime-tools-perl libnet-cidr-perl libnet-server-perl libnetaddr-ip-perl libsys-hostname-long-perl libtommath0 libunix-syslog-perl ripole spamc
0 upgraded, 0 newly installed, 25 to remove and 0 not upgraded.
After this operation, 16,7 MB disk space will be freed.
Do you want to continue [Y/n]? 
(Reading database ... 49067 files and directories currently installed.)
Removing altermime ...
Removing clamav-freshclam ...
[ ok ] Stopping ClamAV virus database updater: freshclam.
Removing clamav-base ...
Removing libarchive-zip-perl ...
Removing libberkeleydb-perl ...
Removing libclamav6 ...
Removing libconvert-tnef-perl ...
Removing libmime-tools-perl ...
Removing libconvert-binhex-perl ...
Removing libconvert-uulib-perl ...
Removing libmail-dkim-perl ...
Removing libcrypt-openssl-rsa-perl ...
Removing libcrypt-openssl-bignum-perl ...
Removing libmail-spf-perl ...
Removing liberror-perl ...
Removing libnet-server-perl ...
Removing libio-multiplex-perl ...
Removing libio-stringy-perl ...
Removing libnet-cidr-perl ...
Removing libnetaddr-ip-perl ...
Removing libsys-hostname-long-perl ...
Removing libtommath0 ...
Removing libunix-syslog-perl ...
Removing ripole ...
Removing spamc ...
Processing triggers for man-db ...
root@vps415960:/# 

Then, on the amavis server, create the file /etc/cron.d/amvs with the following content

0 */3	* * *	root	/usr/local/bin/genera-amavis-lst.sh 1>/dev/null

If you use openvpn for the communication between postfix and amavis, on the amavis server create the file /etc/insserv/overrides/amavis with the following content

#! /bin/sh
### BEGIN INIT INFO
# Provides:          amavisd-new
# Required-Start:    $syslog $network $local_fs $remote_fs
# Required-Stop:     $syslog $network $local_fs $remote_fs
# Should-Start:      openvpn
# Should-Stop:       openvpn
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Starts amavisd-new mailfilter
# Description:       Launches the amavisd-new mailfilter
### END INIT INFO

Then run the insserv command

root@vps442025:/# insserv 
root@vps442025:/# 

Finally, reboot the amavis server and, on the gnupanel server, restart postfix and cron

Done; all that remains is to test that everything works correctly
