Thanks to GNUtransfer for lending us a VPS and other resources to write this article.
On some servers where GNUPanel is installed, mail traffic is very high. This makes amavis consume many resources, which degrades the quality of service of apache, pdns, proftpd, etc.
In this article we will see how to run amavis, clamav and spamassassin on a separate server.
Before we start we should clarify that, while it is not mandatory, it is most convenient for the IPs over which postfix (on the main server) and amavis (on the antispam server) communicate to be private, either through a separate network or, as we have done in this example, through a VPN, for which we use openvpn with the following howto.
In our example we have two servers: one where GNUPanel is installed, which we'll call gnupanel, and one to which we will move amavis, which we'll call amavis.
Server gnupanel
IP: 69.61.93.19
Private IP: 192.168.200.1
Main Domain: tester-gnupanel.com.ar
Server amavis
IP: 69.61.93.13
Private IP: 192.168.200.4
First, on the amavis server install the following packages: amavisd-new spamassassin clamav clamav-daemon unrar-free ca-certificates arj zip unzip unar zoo nomarch lzop cabextract libauthen-sasl-perl dspam p7zip unrar-free lhasa pax pax-utils pyzor razor unrar-free

    root@vps442025:/# apt-get install amavisd-new spamassassin clamav clamav-daemon unrar-free ca-certificates arj zip unzip unar zoo nomarch lzop cabextract libauthen-sasl-perl dspam p7zip unrar-free lhasa pax pax-utils pyzor razor unrar-free
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    ca-certificates is already the newest version.
    ca-certificates set to manually installed.
    unzip is already the newest version.
    unzip set to manually installed.
    The following extra packages will be installed:
      altermime clamav-base clamav-freshclam dbus dspam-doc gcc gcc-4.7 gnustep-base-common gnustep-base-runtime gnustep-common libarchive-zip-perl libavahi-client3 libavahi-common-data libavahi-common3 libberkeleydb-perl libc-dev-bin libc6-dev libclamav6 libconvert-binhex-perl libconvert-tnef-perl libconvert-uulib-perl libcrypt-openssl-bignum-perl libcrypt-openssl-rsa-perl libdbus-1-3 libdigest-hmac-perl libdspam7 libdspam7-drv-hash libencode-locale-perl liberror-perl libfile-listing-perl libfont-afm-perl libgnustep-base1.22 libgomp1 libhtml-form-perl libhtml-format-perl libhtml-parser-perl libhtml-tagset-perl libhtml-tree-perl libhttp-cookies-perl libhttp-daemon-perl libhttp-date-perl libhttp-message-perl libhttp-negotiate-perl libicu48 libio-multiplex-perl libio-socket-inet6-perl libio-socket-ssl-perl libio-stringy-perl libitm1 liblhasa0 libltdl7 liblwp-mediatypes-perl liblwp-protocol-https-perl libmail-dkim-perl libmail-spf-perl libmailtools-perl libmime-tools-perl libnet-cidr-perl libnet-dns-perl libnet-http-perl libnet-ip-perl libnet-server-perl libnet-ssleay-perl libnetaddr-ip-perl libobjc4 libpq5 libquadmath0 libsocket6-perl libsys-hostname-long-perl libsystemd-login0 libtimedate-perl libtommath0 libunix-syslog-perl liburi-perl libwavpack1 libwww-perl libwww-robotrules-perl libxslt1.1 linux-libc-dev manpages-dev python-gdbm re2c ripole spamc
    Suggested packages:
      lha unrar libnet-ldap-perl libdbi-perl rpm libsnmp-perl clamav-docs daemon dbus-x11 dspam-webfrontend gcc-multilib autoconf automake1.9 libtool flex bison gdb gcc-doc gcc-4.7-multilib libmudflap0-4.7-dev gcc-4.7-doc gcc-4.7-locales libgcc1-dbg libgomp1-dbg libitm1-dbg libquadmath0-dbg libmudflap0-dbg libcloog-ppl0 libppl-c2 libppl7 binutils-gold gnustep-base-doc libgssapi-perl glibc-doc libclamunrar6 libdspam7-drv libdata-dump-perl libcrypt-ssleay-perl liblog-log4perl-perl libauthen-ntlm-perl p7zip-full paxctl python-gdbm-dbg libnet-ident-perl pike7.8 pike7.6 pike
    Recommended packages:
      libnet-patricial-perl
    The following NEW packages will be installed:
      altermime amavisd-new arj cabextract clamav clamav-base clamav-daemon clamav-freshclam dbus dspam dspam-doc gcc gcc-4.7 gnustep-base-common gnustep-base-runtime gnustep-common lhasa libarchive-zip-perl libauthen-sasl-perl libavahi-client3 libavahi-common-data libavahi-common3 libberkeleydb-perl libc-dev-bin libc6-dev libclamav6 libconvert-binhex-perl libconvert-tnef-perl libconvert-uulib-perl libcrypt-openssl-bignum-perl libcrypt-openssl-rsa-perl libdbus-1-3 libdigest-hmac-perl libdspam7 libdspam7-drv-hash libencode-locale-perl liberror-perl libfile-listing-perl libfont-afm-perl libgnustep-base1.22 libgomp1 libhtml-form-perl libhtml-format-perl libhtml-parser-perl libhtml-tagset-perl libhtml-tree-perl libhttp-cookies-perl libhttp-daemon-perl libhttp-date-perl libhttp-message-perl libhttp-negotiate-perl libicu48 libio-multiplex-perl libio-socket-inet6-perl libio-socket-ssl-perl libio-stringy-perl libitm1 liblhasa0 libltdl7 liblwp-mediatypes-perl liblwp-protocol-https-perl libmail-dkim-perl libmail-spf-perl libmailtools-perl libmime-tools-perl libnet-cidr-perl libnet-dns-perl libnet-http-perl libnet-ip-perl libnet-server-perl libnet-ssleay-perl libnetaddr-ip-perl libobjc4 libpq5 libquadmath0 libsocket6-perl libsys-hostname-long-perl libsystemd-login0 libtimedate-perl libtommath0 libunix-syslog-perl liburi-perl libwavpack1 libwww-perl libwww-robotrules-perl libxslt1.1 linux-libc-dev lzop manpages-dev nomarch p7zip pax pax-utils python-gdbm pyzor razor re2c ripole spamassassin spamc unar unrar-free zip zoo
    0 upgraded, 104 newly installed, 0 to remove and 0 not upgraded.
    Need to get 38,2 MB of archives.
    After this operation, 109 MB of additional disk space will be used.
    Do you want to continue [Y/n]?
On the amavis server, add the user amavis to the group clamav and the user clamav to the group amavis.

    root@vps442025:/# adduser amavis clamav
    Adding user `amavis' to group `clamav' ...
    Adding user amavis to group clamav
    Done.
    root@vps442025:/# adduser clamav amavis
    Adding user `clamav' to group `amavis' ...
    Adding user clamav to group amavis
    Done.
    root@vps442025:/#
Then copy the following files from the gnupanel server to the amavis server.
    /etc/amavis/WHITELIST.lst
    /etc/amavis/REDES.lst
    /etc/amavis/redes.lst
    /etc/amavis/LOCALDOMAINS.lst
    /etc/amavis/whitelist.lst
    /etc/amavis/blacklist.lst
    /etc/amavis/localdomains.lst
    /etc/amavis/spamlovers.lst
    /etc/amavis/conf.d/50-user
    /etc/spamassassin/local.cf
    /etc/clamav/freshclam.conf
    /etc/clamav/clamd.conf

Then edit the file /etc/amavis/conf.d/50-user, adding and/or modifying the following variables

    $inet_socket_bind = '192.168.200.4';
    $forward_method = 'smtp:[192.168.200.1]:10025';
    $notify_method = $forward_method;
    $myhostname = "tester-gnupanel.com.ar";
    $max_servers = 9;

Also edit the file /etc/amavis/REDES.lst and add all the IPs of the gnupanel server. In our example it would be

    root@vps442025:/# cat /etc/amavis/REDES.lst
    192.168.200.1
    69.61.93.19
    root@vps442025:/#
Then edit the file /etc/mailname and add the main domain of gnupanel
    root@vps442025:/# cat /etc/mailname
    tester-gnupanel.com.ar
    root@vps442025:/#
On the gnupanel server edit the file /etc/postfix/main.cf and replace the variable content_filter so that it points to the private IP of the amavis server and reads as follows

    content_filter = smtp-amavis:[192.168.200.4]:10024
Then edit /etc/postfix/master.cf and change the line that starts with «127.0.0.1:10025» so that it reads as follows

    192.168.200.1:10025 inet n - n - - smtpd

And change the line below it from

    -o mynetworks=127.0.0.0/8

to this

    -o mynetworks=192.168.200.0/24
Then on the gnupanel server create a script in /usr/local/bin called get-gnupanel-domains.sh with the following content

    #!/bin/bash
    # Print the mail domains managed by GNUPanel, one per line.

    ECHO=/bin/echo
    CAT=/bin/cat
    GREP=/bin/grep
    MAWK=/usr/bin/mawk
    PSQL=/usr/bin/psql
    MKTEMP=/bin/mktemp
    RM=/bin/rm

    INSTALL_DATA=/etc/gnupanel/GNUPANEL_INSTALL_DATA
    PG_USER=postfix
    # Password of the postfix database user, read from the GNUPanel install data
    PG_PASS=`${CAT} ${INSTALL_DATA} | ${GREP} POSTFIX_PG | ${MAWK} -F ":" '{print $2;}'`

    # Temporary password file, so the password never appears on a command line
    PGPASSFILE=`${MKTEMP}`
    ${ECHO} "localhost:5432:gnupanel:postfix:${PG_PASS}" > "${PGPASSFILE}"

    SQL="SELECT DISTINCT dominio FROM gnupanel_postfix_mailuser ORDER BY dominio;"

    export PGPASSFILE

    # The grep pattern is quoted so that the shell cannot expand it as a glob
    ${PSQL} -U ${PG_USER} -h localhost -w -d gnupanel -t -q -c "${SQL}" | ${MAWK} '{print $1;}' | ${GREP} '[-a-zA-Z0-9_.]'

    ${RM} -f "${PGPASSFILE}"

Then give execute permissions to the user sdns

    root@vps415960:/# chown root:sdns /usr/local/bin/get-gnupanel-domains.sh
    root@vps415960:/# chmod 0554 /usr/local/bin/get-gnupanel-domains.sh
    root@vps415960:/#

Create the directory /home/sdns/.ssh and the file /home/sdns/.ssh/authorized_keys, and ensure that the owner is the user sdns

    mkdir -p /home/sdns/.ssh
    >> /home/sdns/.ssh/authorized_keys
    chown -R sdns:sdns /home/sdns
Then on the amavis server create an SSH key pair. As root, run the following command
NOTE: Do not assign a passphrase; press Enter when prompted

    root@vps442025:/# ssh-keygen -b 4096
    Generating public/private rsa key pair.
    Enter file in which to save the key (/root/.ssh/id_rsa):
    Created directory '/root/.ssh'.
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /root/.ssh/id_rsa.
    Your public key has been saved in /root/.ssh/id_rsa.pub.
    The key fingerprint is:
    fe:fc:8c:88:0a:ec:6c:21:e7:2a:8e:c3:3c:52:6d:af root@vps442025
    The key's randomart image is:
    +--[ RSA 4096]----+
    | |
    | |
    | |
    | |
    | . S |
    |..+ o . |
    |o=oo . . |
    |=*o. .. + o |
    |*=+ Eo. . +.o |
    +-----------------+
    root@vps442025:/#
Then copy the contents of /root/.ssh/id_rsa.pub from the amavis server into /home/sdns/.ssh/authorized_keys on the gnupanel server
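Because this key has no passphrase, anyone who obtains it can log in as sdns on the gnupanel server. The following is an added example (not part of the original article or of GNUPanel) that builds an authorized_keys entry limiting the key to the one script it is meant to run; it assumes the amavis server reaches sshd from 192.168.200.4, and the function name restricted_entry is made up for illustration.

```shell
#!/bin/sh
# Added example: turn a public key line into a restricted authorized_keys
# entry. AMAVIS_IP and FORCED_CMD reuse the example values of the article;
# adjust them to your own servers.
AMAVIS_IP=192.168.200.4
FORCED_CMD=/usr/local/bin/get-gnupanel-domains.sh
NL='
'

# restricted_entry "type base64 [comment]"
# Prints the entry on stdout; returns 1 if the input is not one key line.
restricted_entry() {
    # An embedded newline would smuggle a second, unrestricted entry
    case "$1" in
        *"${NL}"*) echo "more than one line" >&2; return 1 ;;
    esac
    key_type=${1%% *}
    rest=${1#* }
    blob=${rest%% *}
    case "${key_type}" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-*) ;;
        *) echo "unsupported key type" >&2; return 1 ;;
    esac
    # The key material must be non-empty base64
    case "${blob}" in
        ''|*[!A-Za-z0-9+/=]*) echo "malformed key blob" >&2; return 1 ;;
    esac
    # from=    accept the key only from the amavis server
    # command= run this script whatever the client asks for
    # no-*     no terminal and no forwarding of any kind
    printf 'from="%s",command="%s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' \
        "${AMAVIS_IP}" "${FORCED_CMD}" "$1"
}
```

With the output of `restricted_entry "$(cat id_rsa.pub)"` stored in /home/sdns/.ssh/authorized_keys instead of the bare key, a session opened with this key runs the script and exits rather than giving a shell.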
Test that you can connect to the gnupanel server: on the amavis server, as root, run ssh sdns@192.168.200.1 (change the IP to that of your gnupanel server)
NOTE: You will be asked to confirm the fingerprint

    root@vps442025:/# ssh sdns@192.168.200.1
    The authenticity of host '192.168.200.1 (192.168.200.1)' can't be established.
    ECDSA key fingerprint is 3d:7d:5b:83:94:96:0e:d9:cb:8e:c8:af:02:db:bc:81.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.200.1' (ECDSA) to the list of known hosts.
    Linux vps415960 3.2.0-4-amd64 #1 SMP Debian 3.2.41-2 x86_64

    The programs included with the Debian GNU/Linux system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.

    Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
    permitted by applicable law.
    $
    $
    $ exit
    logout
    Connection to 192.168.200.1 closed.
    root@vps442025:/#
And then on the amavis server create the file /usr/local/bin/genera-amavis-lst.sh with the following content
    root@vps442025:/# cat /usr/local/bin/genera-amavis-lst.sh
    #!/bin/bash

    cd /

    WHITELIST_IN=/etc/amavis/WHITELIST.lst
    WHITELIST_OUT=/etc/amavis/whitelist.lst

    LOCALDOMAINS_IN=/etc/amavis/LOCALDOMAINS.lst
    LOCALDOMAINS_OUT=/etc/amavis/localdomains.lst

    REDES_IN=/etc/amavis/REDES.lst
    REDES_OUT=/etc/amavis/redes.lst

    IP_GNUPANEL=192.168.200.1

    DOMINIOS=`/usr/bin/ssh sdns@${IP_GNUPANEL} /usr/local/bin/get-gnupanel-domains.sh`

    /bin/echo -n "" > ${LOCALDOMAINS_OUT}
    /bin/echo -n "" > ${WHITELIST_OUT}

    for dominio in ${DOMINIOS}
    do
        #/bin/echo ${dominio} >> ${WHITELIST_OUT}
        /bin/echo ${dominio} >> ${LOCALDOMAINS_OUT}
    done

    /bin/cat ${WHITELIST_IN} >> ${WHITELIST_OUT}
    /bin/cat ${LOCALDOMAINS_IN} >> ${LOCALDOMAINS_OUT}

    REDES=`/sbin/ifconfig | /bin/grep inet | /bin/grep -v inet6 | /usr/bin/mawk '{print $2;}' | /usr/bin/mawk -F ":" '{print $2;}' | /usr/bin/sort -u`

    /bin/echo -n "" > ${REDES_OUT}
    /bin/cat ${REDES_IN} >> ${REDES_OUT}

    for red_in in ${REDES}
    do
        /bin/echo ${red_in} >> ${REDES_OUT}
    done

    /etc/init.d/amavis restart
Modify the line with the IP for your gnupanel server
IP_GNUPANEL=192.168.200.1
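genera-amavis-lst.sh rewrites localdomains.lst even when the ssh call fails or returns something other than domain names, so one failed connection leaves amavis with only the static list. The following is an added example (not part of the original article or of GNUPanel) that validates the fetched names and replaces the list atomically only when at least one valid domain arrived; the function names and the sample input are made up for illustration.

```shell
#!/bin/sh
# Added example: validate the domain list fetched over ssh before it
# reaches the amavis configuration. Function names are illustrative.

# Keep only syntactically valid domain names (one per line), deduplicated.
filter_domains() {
    LC_ALL=C grep -E '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$' |
        LC_ALL=C sort -u
}

# update_list FETCHED STATIC_IN OUT
#   FETCHED   file holding the raw output of the ssh call
#   STATIC_IN hand-maintained list (LOCALDOMAINS.lst in the article)
#   OUT       generated list read by amavis (localdomains.lst)
# Returns non-zero and leaves OUT untouched when nothing valid was fetched.
update_list() {
    fetched=$1
    static_in=$2
    out=$3
    # Temporary file in the same directory, so that mv is an atomic rename
    tmp=$(mktemp "${out}.XXXXXX") || return 1
    filter_domains < "${fetched}" > "${tmp}"
    if [ ! -s "${tmp}" ]; then
        # ssh failed or returned no usable name: keep the previous list
        rm -f "${tmp}"
        return 1
    fi
    # mktemp creates the file with mode 0600; amavis must be able to read it
    cat "${static_in}" >> "${tmp}" &&
        chmod 0644 "${tmp}" &&
        mv "${tmp}" "${out}"
}

# Constructed sample of what the ssh call could return, junk included.
sample_remote_output() {
    printf '%s\n' 'tester-gnupanel.com.ar' 'example.org' \
        'psql: could not connect to server' '../../etc/passwd' 'example.org'
}
```

In the script, the ssh output would be saved to a file and amavis restarted only when update_list returns 0.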
On the gnupanel server edit /etc/cron.d/gnupanel-stats, commenting out the line that runs /usr/local/gnupanel/genera-amavis-lst.sh so that the file reads as follows

    root@vps415960:/# cat /etc/cron.d/gnupanel-stats
    #
    # GNUPanel statistics generator
    #
    # m h dom mon dow user command
    ##0 3 * * * root /usr/local/gnupanel/calcula-deudas.pl 1>/dev/null 2>/dev/null
    0 4 * * * root /usr/local/gnupanel/genera-estadisticas.pl 1>/dev/null 2>/dev/null
    0 0 1 * * root /usr/local/gnupanel/reset-transfer.pl 1>/dev/null 2>/dev/null
    0 */3 * * * root /usr/local/gnupanel/genera-postfix-secundario.pl 1>/dev/null 2>/dev/null
    #0 */3 * * * root /usr/local/gnupanel/genera-amavis-lst.sh 1>/dev/null 2>/dev/null
    0 5 * * * root /usr/local/gnupanel/genera-backup.pl 1>/dev/null 2>/dev/null
    0 2 * * * root /usr/local/gnupanel/controla-planes.pl 1>/dev/null 2>/dev/null
    30 0 1 * * root /usr/local/gnupanel/gnupanel-garbage-colector.pl 1>/dev/null 2>/dev/null
    0 */1 * * * root /usr/local/gnupanel/hay-tickets-pend.pl 1>/dev/null 2>/dev/null
    50 */3 * * * root /usr/local/gnupanel/mide-trafico-total-cron.pl 1>/dev/null 2>/dev/null
    0 4 * * * root /usr/local/gnupanel/limpiar-spam.sh 1>/dev/null 2>/dev/null
    0 */1 * * * root /usr/local/gnupanel/trafico_correo.sh 1>/dev/null
    ##0 */1 * * * root /usr/local/gnupanel/pdns_notify.sh 1>/dev/null
Then, on the gnupanel server, uninstall and purge the packages amavisd-new spamassassin clamav clamav-daemon, and also run autoremove

    root@vps415960:/# apt-get remove amavisd-new spamassassin clamav clamav-daemon
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    The following packages were automatically installed and are no longer required:
      altermime libarchive-zip-perl libberkeleydb-perl libconvert-binhex-perl libconvert-tnef-perl libconvert-uulib-perl libio-multiplex-perl libio-stringy-perl libmime-tools-perl libnet-cidr-perl libnet-server-perl libunix-syslog-perl ripole
    Use 'apt-get autoremove' to remove them.
    The following packages will be REMOVED:
      amavisd-new clamav clamav-daemon spamassassin
    0 upgraded, 0 newly installed, 4 to remove and 0 not upgraded.
    After this operation, 7.249 kB disk space will be freed.
    Do you want to continue [Y/n]?
    (Reading database ... 49529 files and directories currently installed.)
    Removing amavisd-new ...
    Stopping amavisd: amavisd-new.
    Removing clamav ...
    Removing clamav-daemon ...
    [ ok ] Stopping ClamAV daemon: clamd
    Waiting . . .
    Removing spamassassin ...
    SpamAssassin Mail Filter Daemon: disabled, see /etc/default/spamassassin
    Processing triggers for man-db ...
    root@vps415960:/#
    root@vps415960:/# dpkg -P amavisd-new spamassassin clamav clamav-daemon
    (Reading database ... 49110 files and directories currently installed.)
    Removing amavisd-new ...
    Purging configuration files for amavisd-new ...
    Removing user `amavis' ...
    userdel: group amavis not removed because it has other members.
    Done.
    Removing group `amavis' ...
    Done.
    Removing amavis files and directories...
    Removing spamassassin ...
    Purging configuration files for spamassassin ...
    dpkg: warning: ignoring request to remove clamav which isn't installed
    Removing clamav-daemon ...
    Purging configuration files for clamav-daemon ...
    root@vps415960:/# apt-get autoremove
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    The following packages will be REMOVED:
      altermime clamav-base clamav-freshclam libarchive-zip-perl libberkeleydb-perl libclamav6 libconvert-binhex-perl libconvert-tnef-perl libconvert-uulib-perl libcrypt-openssl-bignum-perl libcrypt-openssl-rsa-perl liberror-perl libio-multiplex-perl libio-stringy-perl libmail-dkim-perl libmail-spf-perl libmime-tools-perl libnet-cidr-perl libnet-server-perl libnetaddr-ip-perl libsys-hostname-long-perl libtommath0 libunix-syslog-perl ripole spamc
    0 upgraded, 0 newly installed, 25 to remove and 0 not upgraded.
    After this operation, 16,7 MB disk space will be freed.
    Do you want to continue [Y/n]?
    (Reading database ... 49067 files and directories currently installed.)
    Removing altermime ...
    Removing clamav-freshclam ...
    [ ok ] Stopping ClamAV virus database updater: freshclam.
    Removing clamav-base ...
    Removing libarchive-zip-perl ...
    Removing libberkeleydb-perl ...
    Removing libclamav6 ...
    Removing libconvert-tnef-perl ...
    Removing libmime-tools-perl ...
    Removing libconvert-binhex-perl ...
    Removing libconvert-uulib-perl ...
    Removing libmail-dkim-perl ...
    Removing libcrypt-openssl-rsa-perl ...
    Removing libcrypt-openssl-bignum-perl ...
    Removing libmail-spf-perl ...
    Removing liberror-perl ...
    Removing libnet-server-perl ...
    Removing libio-multiplex-perl ...
    Removing libio-stringy-perl ...
    Removing libnet-cidr-perl ...
    Removing libnetaddr-ip-perl ...
    Removing libsys-hostname-long-perl ...
    Removing libtommath0 ...
    Removing libunix-syslog-perl ...
    Removing ripole ...
    Removing spamc ...
    Processing triggers for man-db ...
    root@vps415960:/#
Then on the amavis server create the file /etc/cron.d/amvs with the following content, which runs the genera-amavis-lst.sh script created above every three hours

    0 */3 * * * root /usr/local/bin/genera-amavis-lst.sh 1>/dev/null
If you use openvpn for the communication between postfix and amavis, on the amavis server create the file /etc/insserv/overrides/amavis with the following content

    #! /bin/sh
    ### BEGIN INIT INFO
    # Provides:          amavisd-new
    # Required-Start:    $syslog $network $local_fs $remote_fs
    # Required-Stop:     $syslog $network $local_fs $remote_fs
    # Should-Start:      openvpn
    # Should-Stop:       openvpn
    # Default-Start:     2 3 4 5
    # Default-Stop:      0 1 6
    # Short-Description: Starts amavisd-new mailfilter
    # Description:       Launches the amavisd-new mailfilter
    ### END INIT INFO

And then run the command insserv

    root@vps442025:/# insserv
    root@vps442025:/#

Finally, reboot the amavis server, and on the gnupanel server restart postfix and cron.
Done. All that remains is to test that everything works properly.

About Ricardo Marcelo Alvarez