May 29 2013
 

Thanks to GNUtransfer for lending us a VPS and other resources to write this article.

On some servers where GNUPanel is installed, mail traffic is very high and amavis consumes a lot of resources, which degrades the quality of service of apache, pdns, proftpd, etc.
In this article we will see how to run amavis, clamav and spamassassin on a separate server.
Before we start, we should clarify that, while not mandatory, it is most convenient for the IPs over which postfix (on the main server) and amavis (on the antispam server) communicate to be private, either through a separate network or, as we have done in this example, through a VPN, for which we use openvpn with the following howto.

In our example we have two servers: the one where GNUPanel is installed, which we will call gnupanel, and the one to which we will move amavis, which we will call amavis.

Server gnupanel
IP: 69.61.93.19
IP Private: 192.168.200.1
Main Domain: tester-gnupanel.com.ar
Server amavis
IP: 69.61.93.13
IP Private: 192.168.200.4

First, on the amavis server, install the following packages: amavisd-new spamassassin clamav clamav-daemon unrar-free ca-certificates arj zip unzip unar zoo nomarch lzop cabextract libauthen-sasl-perl dspam p7zip lhasa pax pax-utils pyzor razor

root@vps442025:/# apt-get install amavisd-new spamassassin clamav clamav-daemon unrar-free ca-certificates arj zip unzip unar zoo nomarch lzop cabextract libauthen-sasl-perl dspam p7zip unrar-free lhasa pax pax-utils pyzor razor unrar-free
Reading package lists... Done
Building dependency tree       
Reading state information... Done
ca-certificates is already the newest version.
ca-certificates set to manually installed.
unzip is already the newest version.
unzip set to manually installed.
The following extra packages will be installed:
  altermime clamav-base clamav-freshclam dbus dspam-doc gcc gcc-4.7 gnustep-base-common gnustep-base-runtime gnustep-common libarchive-zip-perl libavahi-client3 libavahi-common-data libavahi-common3 libberkeleydb-perl libc-dev-bin
  libc6-dev libclamav6 libconvert-binhex-perl libconvert-tnef-perl libconvert-uulib-perl libcrypt-openssl-bignum-perl libcrypt-openssl-rsa-perl libdbus-1-3 libdigest-hmac-perl libdspam7 libdspam7-drv-hash libencode-locale-perl
  liberror-perl libfile-listing-perl libfont-afm-perl libgnustep-base1.22 libgomp1 libhtml-form-perl libhtml-format-perl libhtml-parser-perl libhtml-tagset-perl libhtml-tree-perl libhttp-cookies-perl libhttp-daemon-perl
  libhttp-date-perl libhttp-message-perl libhttp-negotiate-perl libicu48 libio-multiplex-perl libio-socket-inet6-perl libio-socket-ssl-perl libio-stringy-perl libitm1 liblhasa0 libltdl7 liblwp-mediatypes-perl liblwp-protocol-https-perl
  libmail-dkim-perl libmail-spf-perl libmailtools-perl libmime-tools-perl libnet-cidr-perl libnet-dns-perl libnet-http-perl libnet-ip-perl libnet-server-perl libnet-ssleay-perl libnetaddr-ip-perl libobjc4 libpq5 libquadmath0
  libsocket6-perl libsys-hostname-long-perl libsystemd-login0 libtimedate-perl libtommath0 libunix-syslog-perl liburi-perl libwavpack1 libwww-perl libwww-robotrules-perl libxslt1.1 linux-libc-dev manpages-dev python-gdbm re2c ripole
  spamc
Suggested packages:
  lha unrar libnet-ldap-perl libdbi-perl rpm libsnmp-perl clamav-docs daemon dbus-x11 dspam-webfrontend gcc-multilib autoconf automake1.9 libtool flex bison gdb gcc-doc gcc-4.7-multilib libmudflap0-4.7-dev gcc-4.7-doc gcc-4.7-locales
  libgcc1-dbg libgomp1-dbg libitm1-dbg libquadmath0-dbg libmudflap0-dbg libcloog-ppl0 libppl-c2 libppl7 binutils-gold gnustep-base-doc libgssapi-perl glibc-doc libclamunrar6 libdspam7-drv libdata-dump-perl libcrypt-ssleay-perl
  liblog-log4perl-perl libauthen-ntlm-perl p7zip-full paxctl python-gdbm-dbg libnet-ident-perl pike7.8 pike7.6 pike
Recommended packages:
  libnet-patricial-perl
The following NEW packages will be installed:
  altermime amavisd-new arj cabextract clamav clamav-base clamav-daemon clamav-freshclam dbus dspam dspam-doc gcc gcc-4.7 gnustep-base-common gnustep-base-runtime gnustep-common lhasa libarchive-zip-perl libauthen-sasl-perl
  libavahi-client3 libavahi-common-data libavahi-common3 libberkeleydb-perl libc-dev-bin libc6-dev libclamav6 libconvert-binhex-perl libconvert-tnef-perl libconvert-uulib-perl libcrypt-openssl-bignum-perl libcrypt-openssl-rsa-perl
  libdbus-1-3 libdigest-hmac-perl libdspam7 libdspam7-drv-hash libencode-locale-perl liberror-perl libfile-listing-perl libfont-afm-perl libgnustep-base1.22 libgomp1 libhtml-form-perl libhtml-format-perl libhtml-parser-perl
  libhtml-tagset-perl libhtml-tree-perl libhttp-cookies-perl libhttp-daemon-perl libhttp-date-perl libhttp-message-perl libhttp-negotiate-perl libicu48 libio-multiplex-perl libio-socket-inet6-perl libio-socket-ssl-perl
  libio-stringy-perl libitm1 liblhasa0 libltdl7 liblwp-mediatypes-perl liblwp-protocol-https-perl libmail-dkim-perl libmail-spf-perl libmailtools-perl libmime-tools-perl libnet-cidr-perl libnet-dns-perl libnet-http-perl libnet-ip-perl
  libnet-server-perl libnet-ssleay-perl libnetaddr-ip-perl libobjc4 libpq5 libquadmath0 libsocket6-perl libsys-hostname-long-perl libsystemd-login0 libtimedate-perl libtommath0 libunix-syslog-perl liburi-perl libwavpack1 libwww-perl
  libwww-robotrules-perl libxslt1.1 linux-libc-dev lzop manpages-dev nomarch p7zip pax pax-utils python-gdbm pyzor razor re2c ripole spamassassin spamc unar unrar-free zip zoo
0 upgraded, 104 newly installed, 0 to remove and 0 not upgraded.
Need to get 38,2 MB of archives.
After this operation, 109 MB of additional disk space will be used.
Do you want to continue [Y/n]? 

On the amavis server, add the user amavis to the group clamav and the user clamav to the group amavis:

root@vps442025:/# adduser amavis clamav
Adding user `amavis' to group `clamav' ...
Adding user amavis to group clamav
Done.
root@vps442025:/# adduser clamav amavis
Adding user `clamav' to group `amavis' ...
Adding user clamav to group amavis
Done.
root@vps442025:/# 

Then copy the following files from the gnupanel server to the amavis server.

/etc/amavis/WHITELIST.lst
/etc/amavis/REDES.lst
/etc/amavis/redes.lst
/etc/amavis/LOCALDOMAINS.lst
/etc/amavis/whitelist.lst
/etc/amavis/blacklist.lst
/etc/amavis/localdomains.lst
/etc/amavis/spamlovers.lst
/etc/amavis/conf.d/50-user
/etc/spamassassin/local.cf
/etc/clamav/freshclam.conf
/etc/clamav/clamd.conf

Then edit the file /etc/amavis/conf.d/50-user, adding and/or modifying the following variables:

$inet_socket_bind = '192.168.200.4';
$forward_method = 'smtp:[192.168.200.1]:10025';
$notify_method  = $forward_method;
$myhostname = "tester-gnupanel.com.ar";

$max_servers = 9;

Also edit the file /etc/amavis/REDES.lst and add all the IPs of the gnupanel server; in our example that would be:

root@vps442025:/# cat /etc/amavis/REDES.lst 
192.168.200.1
69.61.93.19
root@vps442025:/# 

Then edit the file /etc/mailname and add the main domain of gnupanel

root@vps442025:/# cat /etc/mailname              
tester-gnupanel.com.ar
root@vps442025:/# 

On the gnupanel server, edit the file /etc/postfix/main.cf and change the variable content_filter so that it reads as follows (the address is the private IP of the amavis server):

content_filter = smtp-amavis:[192.168.200.4]:10024

Then edit /etc/postfix/master.cf and change the line that starts with «127.0.0.1:10025» so that it reads as follows:

192.168.200.1:10025 inet n  -       n       -       -  smtpd

And change the line below

    -o mynetworks=127.0.0.0/8

to this

    -o mynetworks=192.168.200.0/24

Then, on the gnupanel server, create a script in /usr/local/bin called get-gnupanel-domains.sh with the following content:

#!/bin/bash
# Prints, one per line, every mail domain hosted by GNUPanel.

ECHO=/bin/echo
CAT=/bin/cat
GREP=/bin/grep
MAWK=/usr/bin/mawk
PSQL=/usr/bin/psql
MKTEMP=/bin/mktemp
RM=/bin/rm

INSTALL_DATA=/etc/gnupanel/GNUPANEL_INSTALL_DATA
PG_USER=postfix
# Password of the postfix database user, taken from the GNUPanel install data
PG_PASS=`${CAT} ${INSTALL_DATA} | ${GREP} POSTFIX_PG | ${MAWK} -F ":" '{print $2;}'`
# Temporary password file for psql (mktemp creates it with mode 0600)
PGPASSFILE=`${MKTEMP}`

${ECHO} "localhost:5432:gnupanel:postfix:${PG_PASS}" > "${PGPASSFILE}"

SQL="SELECT DISTINCT dominio FROM gnupanel_postfix_mailuser ORDER BY dominio;"

export PGPASSFILE

# Drop empty lines; the pattern is quoted so the shell cannot expand it as a glob
${PSQL} -U ${PG_USER} -h localhost -w -d gnupanel -t -q -c "${SQL}" | ${MAWK} '{print $1;}' | ${GREP} '[-a-zA-Z0-9_.]'

${RM} -f "${PGPASSFILE}"

Then give execute permission to the user sdns:

root@vps415960:/# chown root:sdns /usr/local/bin/get-gnupanel-domains.sh 
root@vps415960:/# chmod 0554 /usr/local/bin/get-gnupanel-domains.sh 
root@vps415960:/# 

Create the directory /home/sdns/.ssh and the file /home/sdns/.ssh/authorized_keys, making sure that their owner is the user sdns:

mkdir -p /home/sdns/.ssh
>> /home/sdns/.ssh/authorized_keys
chown -R sdns:sdns /home/sdns

Then, on the amavis server, create an ssh key pair by running the following command as root:

NOTE: Do not assign any passphrase; just press Enter when prompted.

root@vps442025:/# ssh-keygen -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
fe:fc:8c:88:0a:ec:6c:21:e7:2a:8e:c3:3c:52:6d:af root@vps442025
The key's randomart image is:
+--[ RSA 4096]----+
|                 |
|                 |
|                 |
|                 |
|   .    S        |
|..+ o  .         |
|o=oo .  .        |
|=*o.  .. + o     |
|*=+ Eo. . +.o    |
+-----------------+
root@vps442025:/# 

Then copy the contents of /root/.ssh/id_rsa.pub on the amavis server into /home/sdns/.ssh/authorized_keys on the gnupanel server.

Test that you can connect to the gnupanel server: on the amavis server, as root, run ssh sdns@192.168.200.1 (replace the IP with that of your gnupanel server).

NOTE: You will be asked to confirm the fingerprint.

root@vps442025:/# ssh sdns@192.168.200.1
The authenticity of host '192.168.200.1 (192.168.200.1)' can't be established.
ECDSA key fingerprint is 3d:7d:5b:83:94:96:0e:d9:cb:8e:c8:af:02:db:bc:81.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.200.1' (ECDSA) to the list of known hosts.
Linux vps415960 3.2.0-4-amd64 #1 SMP Debian 3.2.41-2 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
$ 
$ 
$ exit
logout
Connection to 192.168.200.1 closed.
root@vps442025:/# 
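
As an added example (not part of the original howto): the key created above has no passphrase and gives root on the amavis server an interactive shell as sdns, so its authorized_keys entry can be limited to the one script it is needed for. The sketch below builds such an entry with standard OpenSSH key options; the IP and script path are the article's, the function names are assumptions.

```bash
#!/bin/bash
# Added example, not from the original article. AMAVIS_IP and FORCED_CMD are
# the article's values; the function names are assumptions of this example.
AMAVIS_IP=192.168.200.4
FORCED_CMD=/usr/local/bin/get-gnupanel-domains.sh
KEY_OPTS="from=\"${AMAVIS_IP}\",command=\"${FORCED_CMD}\",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding"

# Prints an authorized_keys line that only lets the key in file $1 run
# FORCED_CMD from AMAVIS_IP. Fails unless $1 holds exactly one bare public key.
restricted_entry() {
    if [ "$(grep -c . "$1" 2>/dev/null)" != 1 ]; then
        echo "$1: expected exactly one key line" >&2
        return 1
    fi
    _key=$(grep . "$1")
    case $_key in
        ssh-rsa\ AAAA*|ssh-ed25519\ AAAA*|ecdsa-sha2-nistp*\ AAAA*) ;;
        *) echo "$1: not a bare public key" >&2; return 1 ;;
    esac
    printf '%s %s\n' "$KEY_OPTS" "$_key"
}

# Puts the restricted line for key file $1 into authorized_keys file $2,
# replacing any existing (possibly unrestricted) entry for the same key.
install_entry() {
    _line=$(restricted_entry "$1") || return 1
    _blob=$(printf '%s\n' "$_line" | awk '{print $3}')
    _dir=$(dirname "$2")
    mkdir -p "$_dir" && chmod 700 "$_dir" && touch "$2" || return 1
    _tmp=$(mktemp "$2.XXXXXX") || return 1
    # Keep every other key; grep exits 1 when none remain, which is fine here.
    grep -vF -- "$_blob" "$2" > "$_tmp" || true
    printf '%s\n' "$_line" >> "$_tmp"
    chmod 600 "$_tmp" && mv -f "$_tmp" "$2"
}

# Invoke as "script --install KEYFILE AUTHORIZED_KEYS" to apply the change.
if [ "${1:-}" = "--install" ]; then install_entry "$2" "$3"; fi
```

With this entry in place, ssh sdns@192.168.200.1 from the amavis server runs the script and exits instead of opening a shell. Run install_entry as sdns, or repeat the chown of /home/sdns afterwards.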

And then on the amavis server create the file /usr/local/bin/genera-amavis-lst.sh with the following content

root@vps442025:/# cat /usr/local/bin/genera-amavis-lst.sh 
#!/bin/bash

cd /

WHITELIST_IN=/etc/amavis/WHITELIST.lst
WHITELIST_OUT=/etc/amavis/whitelist.lst
LOCALDOMAINS_IN=/etc/amavis/LOCALDOMAINS.lst
LOCALDOMAINS_OUT=/etc/amavis/localdomains.lst

REDES_IN=/etc/amavis/REDES.lst
REDES_OUT=/etc/amavis/redes.lst

IP_GNUPANEL=192.168.200.1

DOMINIOS=`/usr/bin/ssh sdns@${IP_GNUPANEL} /usr/local/bin/get-gnupanel-domains.sh`

/bin/echo -n "" > ${LOCALDOMAINS_OUT}
/bin/echo -n "" > ${WHITELIST_OUT}

for dominio in ${DOMINIOS}
do
    #/bin/echo ${dominio} >> ${WHITELIST_OUT}
    /bin/echo ${dominio} >> ${LOCALDOMAINS_OUT}
done

/bin/cat ${WHITELIST_IN} >> ${WHITELIST_OUT}
/bin/cat ${LOCALDOMAINS_IN} >> ${LOCALDOMAINS_OUT}

REDES=`/sbin/ifconfig | /bin/grep inet | /bin/grep -v inet6 | /usr/bin/mawk '{print $2;}' | /usr/bin/mawk -F ":" '{print $2;}' | /usr/bin/sort -u`

/bin/echo -n "" > ${REDES_OUT}

/bin/cat ${REDES_IN} >> ${REDES_OUT}

for red_in in ${REDES}
do
    /bin/echo ${red_in} >> ${REDES_OUT}
done

/etc/init.d/amavis restart




Modify the line with the IP for your gnupanel server

IP_GNUPANEL=192.168.200.1
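
The script above empties localdomains.lst before it knows whether the ssh call returned anything, so a failed connection leaves amavis with only the static entries from LOCALDOMAINS.lst. As an added example (not the article's script), the variant below validates the fetched list and replaces the file only when it is usable; the function names and the validation rule are assumptions.

```bash
#!/bin/bash
# Added example, not part of the original scripts. IP_GNUPANEL and the file
# paths are the article's; function names and the validation rule are assumed.
IP_GNUPANEL=192.168.200.1
DOMAIN_RE='^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'

# True only if $1 is a plausible DNS name (assumed rule: two or more
# dot-separated labels of letters, digits and inner hyphens).
is_domain() {
    printf '%s\n' "$1" | LC_ALL=C grep -Eq "$DOMAIN_RE"
}

# Reads the fetched domain list on stdin and writes it, followed by the static
# list $1, to $2. On empty or malformed input it returns 1 and leaves $2 as is.
build_localdomains() {
    _static=$1; _out=$2; _n=0
    _tmp=$(mktemp "${_out}.XXXXXX") || return 1
    while IFS= read -r _line || [ -n "$_line" ]; do
        [ -z "$_line" ] && continue
        if ! is_domain "$_line"; then
            echo "rejected entry: $_line" >&2
            rm -f "$_tmp"
            return 1
        fi
        printf '%s\n' "$_line" >> "$_tmp"
        _n=$((_n + 1))
    done
    if [ "$_n" -eq 0 ]; then
        echo "no domains received, keeping $_out" >&2
        rm -f "$_tmp"
        return 1
    fi
    if [ -r "$_static" ]; then cat "$_static" >> "$_tmp"; fi
    chmod 0644 "$_tmp"      # mktemp creates 0600; amavis must be able to read it
    mv -f "$_tmp" "$_out"   # rename within one directory: atomic replacement
}

# Fetch over ssh and restart amavis only when the new list was accepted.
refresh_localdomains() {
    /usr/bin/ssh -o BatchMode=yes "sdns@${IP_GNUPANEL}" \
        /usr/local/bin/get-gnupanel-domains.sh |
        build_localdomains /etc/amavis/LOCALDOMAINS.lst /etc/amavis/localdomains.lst &&
        /etc/init.d/amavis restart
}

# Invoke as "script --apply" (for example from cron) to perform the update.
if [ "${1:-}" = "--apply" ]; then refresh_localdomains; fi
```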

On the gnupanel server, edit /etc/cron.d/gnupanel-stats and comment out the line that runs /usr/local/gnupanel/genera-amavis-lst.sh, so that the file reads as follows:

root@vps415960:/# cat /etc/cron.d/gnupanel-stats 
#
#  GNUPanel generador de estadisticas
#
# m h dom mon dow user  command
##0 3	* * *	root	/usr/local/gnupanel/calcula-deudas.pl 1>/dev/null 2>/dev/null
0 4	* * *	root	/usr/local/gnupanel/genera-estadisticas.pl 1>/dev/null 2>/dev/null
0 0	1 * *	root	/usr/local/gnupanel/reset-transfer.pl 1>/dev/null 2>/dev/null
0 */3	* * *	root	/usr/local/gnupanel/genera-postfix-secundario.pl 1>/dev/null 2>/dev/null
#0 */3	* * *	root	/usr/local/gnupanel/genera-amavis-lst.sh 1>/dev/null 2>/dev/null
0 5	* * *	root	/usr/local/gnupanel/genera-backup.pl 1>/dev/null 2>/dev/null
0 2	* * *	root	/usr/local/gnupanel/controla-planes.pl 1>/dev/null 2>/dev/null
30 0	1 * *	root	/usr/local/gnupanel/gnupanel-garbage-colector.pl 1>/dev/null 2>/dev/null
0 */1	* * *	root	/usr/local/gnupanel/hay-tickets-pend.pl 1>/dev/null 2>/dev/null
50 */3	* * *	root	/usr/local/gnupanel/mide-trafico-total-cron.pl 1>/dev/null 2>/dev/null
0 4	* * *	root	/usr/local/gnupanel/limpiar-spam.sh 1>/dev/null 2>/dev/null
0 */1	* * *	root	/usr/local/gnupanel/trafico_correo.sh 1>/dev/null
##0 */1   * * *   root    /usr/local/gnupanel/pdns_notify.sh 1>/dev/null

Then, on the gnupanel server, uninstall and purge the packages amavisd-new spamassassin clamav clamav-daemon, and also run autoremove:

root@vps415960:/# apt-get remove amavisd-new spamassassin clamav clamav-daemon
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages were automatically installed and are no longer required:
  altermime libarchive-zip-perl libberkeleydb-perl libconvert-binhex-perl libconvert-tnef-perl libconvert-uulib-perl libio-multiplex-perl libio-stringy-perl libmime-tools-perl libnet-cidr-perl libnet-server-perl libunix-syslog-perl
  ripole
Use 'apt-get autoremove' to remove them.
The following packages will be REMOVED:
  amavisd-new clamav clamav-daemon spamassassin
0 upgraded, 0 newly installed, 4 to remove and 0 not upgraded.
After this operation, 7.249 kB disk space will be freed.
Do you want to continue [Y/n]? 
(Reading database ... 49529 files and directories currently installed.)
Removing amavisd-new ...
Stopping amavisd: amavisd-new.
Removing clamav ...
Removing clamav-daemon ...
[ ok ] Stopping ClamAV daemon: clamd Waiting .  . .
Removing spamassassin ...
SpamAssassin Mail Filter Daemon: disabled, see /etc/default/spamassassin
Processing triggers for man-db ...
root@vps415960:/# 
root@vps415960:/# dpkg -P amavisd-new spamassassin clamav clamav-daemon
(Reading database ... 49110 files and directories currently installed.)
Removing amavisd-new ...
Purging configuration files for amavisd-new ...
Removing user `amavis' ...
userdel: group amavis not removed because it has other members.
Done.
Removing group `amavis' ...
Done.
Removing amavis files and directories...
Removing spamassassin ...
Purging configuration files for spamassassin ...
dpkg: warning: ignoring request to remove clamav which isn't installed
Removing clamav-daemon ...
Purging configuration files for clamav-daemon ...
root@vps415960:/# apt-get autoremove
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages will be REMOVED:
  altermime clamav-base clamav-freshclam libarchive-zip-perl libberkeleydb-perl libclamav6 libconvert-binhex-perl libconvert-tnef-perl libconvert-uulib-perl libcrypt-openssl-bignum-perl libcrypt-openssl-rsa-perl liberror-perl
  libio-multiplex-perl libio-stringy-perl libmail-dkim-perl libmail-spf-perl libmime-tools-perl libnet-cidr-perl libnet-server-perl libnetaddr-ip-perl libsys-hostname-long-perl libtommath0 libunix-syslog-perl ripole spamc
0 upgraded, 0 newly installed, 25 to remove and 0 not upgraded.
After this operation, 16,7 MB disk space will be freed.
Do you want to continue [Y/n]? 
(Reading database ... 49067 files and directories currently installed.)
Removing altermime ...
Removing clamav-freshclam ...
[ ok ] Stopping ClamAV virus database updater: freshclam.
Removing clamav-base ...
Removing libarchive-zip-perl ...
Removing libberkeleydb-perl ...
Removing libclamav6 ...
Removing libconvert-tnef-perl ...
Removing libmime-tools-perl ...
Removing libconvert-binhex-perl ...
Removing libconvert-uulib-perl ...
Removing libmail-dkim-perl ...
Removing libcrypt-openssl-rsa-perl ...
Removing libcrypt-openssl-bignum-perl ...
Removing libmail-spf-perl ...
Removing liberror-perl ...
Removing libnet-server-perl ...
Removing libio-multiplex-perl ...
Removing libio-stringy-perl ...
Removing libnet-cidr-perl ...
Removing libnetaddr-ip-perl ...
Removing libsys-hostname-long-perl ...
Removing libtommath0 ...
Removing libunix-syslog-perl ...
Removing ripole ...
Removing spamc ...
Processing triggers for man-db ...
root@vps415960:/# 

Then, on the amavis server, create the file /etc/cron.d/amvs with the following content:

0 */3	* * *	root	/usr/local/bin/genera-amavis-lst.sh 1>/dev/null

If you use openvpn for the communication between postfix and amavis, on the amavis server create the file /etc/insserv/overrides/amavis with the following content:

#! /bin/sh
### BEGIN INIT INFO
# Provides:          amavisd-new
# Required-Start:    $syslog $network $local_fs $remote_fs
# Required-Stop:     $syslog $network $local_fs $remote_fs
# Should-Start:      openvpn
# Should-Stop:       openvpn
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Starts amavisd-new mailfilter
# Description:       Launches the amavisd-new mailfilter
### END INIT INFO

And then run the command insserv

root@vps442025:/# insserv 
root@vps442025:/# 

Finally, reboot the amavis server and, on the gnupanel server, restart postfix and cron.

Done. All that remains is to test that everything works properly.
