Is it possible that the system is eating up your swap? Do you have something like munin installed on it so that you can check?
So sorry for the delay I just managed to sit down and try the chmod now! I had to use chmod -R 777 /var/run/clamav before anything would work. However in mail.log I get this:
Code:
Aug 10 03:28:10 OptiplexGX270T amavis[1401]: (01401-02) Blocked TEMPFAIL, [205.188.139.136] [81.178.2.118] <[email protected]> -> <[email protected]>, Message-ID: <[email protected]>, mail_id: yYNk9TENqaUc, Hits: 0.552, 2424 ms
Aug 10 03:28:10 OptiplexGX270T amavis[1401]: (01401-02) TIMING [total 2427 ms] - SMTP EHLO: 2 (0%)0, SMTP pre-MAIL: 1 (0%)0, SMTP pre-DATA-flush: 2 (0%)0, SMTP DATA: 37 (2%)2, body_digest: 1 (0%)2, gen_mail_id: 0 (0%)2, mime_decode: 12 (0%)2, get-file-type2: 74 (3%)5, decompose_part: 0 (0%)5, decompose_part: 0 (0%)5, parts_decode: 0 (0%)5, AV-scan-1: 23 (1%)6, AV-scan-2: 0 (0%)6, spam-wb-list: 2 (0%)6, SA msg read: 1 (0%)6, SA parse: 2 (0%)6, SA check: 2232 (92%)98, SA finish: 3 (0%)99, update_cache: 2 (0%)99, decide_mail_destiny: 1 (0%)99, fwd-rundown: 23 (1%)100, prepare-dsn: 1 (0%)100, main_log_entry: 7 (0%)100, update_snmp: 1 (0%)100, unlink-2-files: 1 (0%)100, rundown: 0 (0%)100
Aug 10 03:28:10 OptiplexGX270T postfix/smtp[7875]: 380945AA8E: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=4848, delays=4846/0.01/0/2.4, dsn=4.4.1, status=deferred (host 127.0.0.1[127.0.0.1] said: 450 4.4.1 Can't connect to 127.0.0.1 port 10025, () at (eval 42) line 145, <GEN22> line 145., MTA([127.0.0.1]:10025), id=01401-02 (in reply to end of DATA command))

Which happens with outbound mail too. I am using Munin, however I don't believe that it should affect the mail right? I have 1GB of RAM with 1.5GB swap
Requested info
I'm still getting lockups. I'm to the point I'd just like to turn off amavis and clamav and have postfix deliver mail without checking it. Right now when those are manually stopped, postfix's queue just builds. How could I fix that? Here's the info you requested:

netstat -tap
Code:
tempe:/var/run/clamav# netstat -tap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 *:nfs *:* LISTEN -
tcp 0 0 *:swat *:* LISTEN 4271/inetd
tcp 0 0 localhost.localdo:10024 *:* LISTEN 3916/amavisd (maste
tcp 0 0 localhost.localdo:10025 *:* LISTEN 4338/master
tcp 0 0 localhost.localdo:mysql *:* LISTEN 4159/mysqld
tcp 0 0 *:netbios-ssn *:* LISTEN 4350/smbd
tcp 0 0 localhost.localdo:spamd *:* LISTEN 3920/spamd.pid
tcp 0 0 *:sunrpc *:* LISTEN 3417/portmap
tcp 0 0 *:624 *:* LISTEN 4261/rpc.mountd
tcp 0 0 *:auth *:* LISTEN 4271/inetd
tcp 0 0 *:58194 *:* LISTEN 4471/rpc.statd
tcp 0 0 *:35154 *:* LISTEN -
tcp 0 0 *:munin *:* LISTEN 4702/munin-node
tcp 0 0 localhost.locald:domain *:* LISTEN 3869/named
tcp 0 0 tempe.sharealike:domain *:* LISTEN 3869/named
tcp 0 0 localhost.localdoma:823 *:* LISTEN 4463/famd
tcp 0 0 *:smtp *:* LISTEN 4338/master
tcp 0 0 localhost.localdoma:953 *:* LISTEN 3869/named
tcp 0 0 *:2812 *:* LISTEN 4774/monit
tcp 0 0 *:microsoft-ds *:* LISTEN 4350/smbd
tcp 0 0 localhost.localdo:10024 localhost.localdo:54099 ESTABLISHED5901/amavisd (ch2-0
tcp 0 0 localhost.localdo:10024 localhost.localdo:54098 ESTABLISHED5900/amavisd (ch2-0
tcp 0 0 localhost.localdo:54098 localhost.localdo:10024 ESTABLISHED5016/smtp
tcp 0 0 localhost.localdo:54099 localhost.localdo:10024 ESTABLISHED5918/smtp
tcp6 0 0 *:imaps *:* LISTEN 4054/couriertcpd
tcp6 0 0 *:pop3s *:* LISTEN 4078/couriertcpd
tcp6 0 0 *:pop3 *:* LISTEN 4059/couriertcpd
tcp6 0 0 *:imap2 *:* LISTEN 4042/couriertcpd
tcp6 0 0 *:www *:* LISTEN 4627/apache2
tcp6 0 0 *:ssh *:* LISTEN 4381/sshd
tcp6 0 0 ip6-localhost:953 *:* LISTEN 3869/named
tcp6 0 0 *:https *:* LISTEN 4627/apache2
tcp6 0 1296 tempe.sharealike.or:ssh chino.sharealike.:42904 ESTABLISHED5922/0

master.cf
Code:
tempe:/var/run/clamav# cat /etc/postfix/master.cf
#
# Postfix master process configuration file. Each logical line
# describes how a Postfix daemon program should be run.
#
# A logical line starts with non-whitespace, non-comment text.
# Empty lines and whitespace-only lines are ignored, as are comment
# lines whose first non-whitespace character is a `#'.
# A line that starts with whitespace continues a logical line.
#
# The fields that make up each line are described below. A "-" field
# value requests that a default value be used for that field.
#
# Service: any name that is valid for the specified transport type
# (the next field). With INET transports, a service is specified as
# host:port. The host part (and colon) may be omitted. Either host
# or port may be given in symbolic form or in numeric form. Examples
# for the SMTP server: localhost:smtp receives mail via the loopback
# interface only; 10025 receives mail on port 10025.
#
# Transport type: "inet" for Internet sockets, "unix" for UNIX-domain
# sockets, "fifo" for named pipes.
#
# Private: whether or not access is restricted to the mail system.
# Default is private service. Internet (inet) sockets can't be private.
#
# Unprivileged: whether the service runs with root privileges or as
# the owner of the Postfix system (the owner name is controlled by the
# mail_owner configuration variable in the main.cf file). Only the
# pipe, virtual and local delivery daemons require privileges.
#
# Chroot: whether or not the service runs chrooted to the mail queue
# directory (pathname is controlled by the queue_directory configuration
# variable in the main.cf file). Presently, all Postfix daemons can run
# chrooted, except for the pipe, virtual and local delivery daemons.
# The proxymap server can run chrooted, but doing so defeats most of
# the purpose of having that service in the first place.
# The files in the examples/chroot-setup subdirectory describe how
# to set up a Postfix chroot environment for your type of machine.
#
# Wakeup time: automatically wake up the named service after the
# specified number of seconds. A ? at the end of the wakeup time
# field requests that wake up events be sent only to services that
# are actually being used. Specify 0 for no wakeup. Presently, only
# the pickup, queue manager and flush daemons need a wakeup timer.
#
# Max procs: the maximum number of processes that may execute this
# service simultaneously. Default is to use a globally configurable
# limit (the default_process_limit configuration parameter in main.cf).
# Specify 0 for no process count limit.
#
# Command + args: the command to be executed. The command name is
# relative to the Postfix program directory (pathname is controlled by
# the daemon_directory configuration variable). Adding one or more
# -v options turns on verbose logging for that service; adding a -D
# option enables symbolic debugging (see the debugger_command variable
# in the main.cf configuration file). See individual command man pages
# for specific command-line options, if any.
#
# General main.cf options can be overridden for specific services.
# To override one or more main.cf options, specify them as arguments
# below, preceding each option by "-o". There must be no whitespace
# in the option itself (separate multiple values for an option by
# commas).
#
# In order to use the "uucp" message tranport below, set up entries
# in the transport table.
#
# In order to use the "cyrus" message transport below, configure it
# in main.cf as the mailbox_transport.
#
# SPECIFY ONLY PROGRAMS THAT ARE WRITTEN TO RUN AS POSTFIX DAEMONS.
# ALL DAEMONS SPECIFIED HERE MUST SPEAK A POSTFIX-INTERNAL PROTOCOL.
#
# DO NOT SHARE THE POSTFIX QUEUE BETWEEN MULTIPLE POSTFIX INSTANCES.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
#submission inet n      -       -       -       -       smtpd
#       -o smtpd_etrn_restrictions=reject
#628      inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       -       300     1       qmgr
#qmgr     fifo  n       -       -       300     1       oqmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       -       -       -       smtp
relay     unix  -       -       -       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
#
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# maildrop. See the Postfix MAILDROP_README file for details.
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq.
  user=bsmtp argv=/usr/lib/bsmtp/bsmtp -d -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
# only used by postfix-tls
#tlsmgr   fifo  -       -       n       300     1       tlsmgr
#smtps    inet  n       -       n       -       -       smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
#587      inet  n       -       n       -       -       smtpd -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
# Added from howtoforge.com HOWTO
amavis unix - - - - 2 smtp
        -o smtp_data_done_timeout=1200
        -o smtp_send_xforward_command=yes
127.0.0.1:10025 inet n - - - - smtpd
        -o content_filter=
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o smtpd_restriction_classes=
        -o smtpd_client_restrictions=
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o mynetworks=127.0.0.0/8
        -o strict_rfc821_envelopes=yes
        -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
        -o smtpd_bind_address=127.0.0.1
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
scache    unix  -       -       -       -       1       scache
discard   unix  -       -       -       -       -       discard
Can you comment out the last three lines in master.cf:
Code:
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
scache    unix  -       -       -       -       1       scache
discard   unix  -       -       -       -       -       discard

and restart Postfix?
Server still freezing up
Hi, I commented out those three lines and still, if I run amavis/clamav then after a short time the server totally freezes so that it's not even responsive at the keyboard and only a hard reset restores it. (For example, this time when it locked up I also had an SSH session connected running top and it disconnected me saying "Read from remote host 192.168.1.38: Connection timed out Connection to 192.168.1.38 closed."). I also still get the following errors (though the tls ones are new):
Code:
Aug 19 08:31:15 localhost amavis[5232]: (05232-01) (!!) TROUBLE in check_mail: virus_scan FAILED: virus_scan: ALL VIRUS SCANNERS FAILED: ClamAV-clamd av-scanner FAILED: Too many retries to talk to /var/run/clamav/clamd.ctl (Can't connect to UNIX socket /var/run/clamav/clamd.ctl: No such file or directory) at (eval 44) line 268.; ClamAV-clamscan av-scanner FAILED: /usr/bin/clamscan timed out at (eval 44) line 462.
Aug 19 08:31:15 localhost amavis[5232]: (05232-01) (!) PRESERVING EVIDENCE in /var/lib/amavis/tmp/amavis-20080819T082553-05232
Aug 19 08:33:23 localhost postfix/smtpd[6432]: warning: connect to private/tlsmgr: Connection refused
Aug 19 08:33:23 localhost postfix/smtpd[6432]: warning: problem talking to server private/tlsmgr: Connection refused
Aug 19 08:33:24 localhost postfix/smtpd[6432]: warning: connect to private/tlsmgr: Connection refused
Aug 19 08:33:24 localhost postfix/smtpd[6432]: warning: problem talking to server private/tlsmgr: Connection refused
Aug 19 08:33:24 localhost postfix/smtpd[6432]: warning: no entropy for TLS key generation: disabling TLS support

I think there are two ways to describe the symptoms: 1) Even with chmod 777 it cannot write to /var/run/clamav which is puzzling; 2) In general terms it seems like clamd and clamscan periodically consume >100% system resources trying to scan queued email for viruses/spam and something in that process isn't working right and it eventually totally locks up. Any other ideas?
Regarding the TLS errors, you should uncomment the three lines again. But I have no idea regarding the socket error...
With my problem netstat -tap shows
Code:
# netstat -tap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 *:55008 *:* LISTEN 3378/rpc.statd
tcp 0 0 localhost:60000 *:* LISTEN 2773/postgrey.pid -
tcp 0 0 localhost:2208 *:* LISTEN 2569/hpiod
tcp 0 0 *:nfs *:* LISTEN -
tcp 0 0 *:afpovertcp *:* LISTEN 3151/afpd
tcp 0 0 *:swat *:* LISTEN 3206/inetd
tcp 0 0 localhost:10024 *:* LISTEN 15704/amavisd (mast
tcp 0 0 localhost:10025 *:* LISTEN 31109/master
tcp 0 0 *:56681 *:* LISTEN -
tcp 0 0 localhost:mysql *:* LISTEN 2657/mysqld
tcp 0 0 *:netbios-ssn *:* LISTEN 3279/smbd
tcp 0 0 localhost:spamd *:* LISTEN 2777/spamd.pid
tcp 0 0 *:sunrpc *:* LISTEN 2220/portmap
tcp 0 0 localhost:32912 *:* LISTEN 2572/python
tcp 0 0 *:auth *:* LISTEN 3206/inetd
tcp 0 0 *:munin *:* LISTEN 3534/munin-node
tcp 0 0 OptiplexGX270T.o:domain *:* LISTEN 2511/named
tcp 0 0 localhost:domain *:* LISTEN 2511/named
tcp 0 0 localhost:ipp *:* LISTEN 3028/cupsd
tcp 0 0 *:smtp *:* LISTEN 31109/master
tcp 0 0 localhost:953 *:* LISTEN 2511/named
tcp 0 0 localhost:4700 *:* LISTEN 3153/cnid_metad
tcp 0 0 *:microsoft-ds *:* LISTEN 3279/smbd
tcp 0 0 *:831 *:* LISTEN 3196/rpc.mountd
tcp 0 0 OptiplexGX270T.opti:nfs mail.gx110.optiplex:792 ESTABLISHED-
tcp 3216 0 OptiplexGX270T.op:38890 clamav.oucs.ox.ac.u:www CLOSE_WAIT 25978/freshclam
tcp 0 0 OptiplexGX270T.op:58934 clamav.mirror.anlx.:www ESTABLISHED25978/freshclam
tcp 0 0 OptiplexGX270T.op:59579 ftp.heanet.ie:www ESTABLISHED25978/freshclam
tcp6 0 0 *:imaps *:* LISTEN 2988/couriertcpd
tcp6 0 0 *:pop3s *:* LISTEN 3007/couriertcpd
tcp6 0 0 *:pop3 *:* LISTEN 2993/couriertcpd
tcp6 0 0 *:imap2 *:* LISTEN 2976/couriertcpd
tcp6 0 0 *:www *:* LISTEN 31306/apache2
tcp6 0 0 *:domain *:* LISTEN 2511/named
tcp6 0 0 *:ssh *:* LISTEN 12987/sshd
tcp6 0 0 ip6-localhost:953 *:* LISTEN 2511/named
tcp6 0 720 OptiplexGX270T.opti:ssh vaio:53039 ESTABLISHED11226/sshd: kayasam
tcp6 0 0 OptiplexGX270T.op:imap2 vaio:36715 ESTABLISHED16514/imapd

and in master.cf is:
Code:
# cat /etc/postfix/master.cf
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
#submission inet n      -       -       -       -       smtpd
#  -o smtpd_enforce_tls=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#smtps    inet  n       -       -       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#628      inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       -       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       -       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       -       -       -       smtp
        -o fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}
amavis unix - - - - 2 smtp
        -o smtp_data_done_timeout=1200
        -o smtp_send_xforward_command=yes
        -o disable_dns_lookups=yes
        -o max_use=20
127.0.0.1:10025 inet n - - - - smtpd
        -o content_filter=
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o smtpd_restriction_classes=
        -o smtpd_delay_reject=no
        -o smtpd_client_restrictions=permit_mynetworks,reject
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o smtpd_data_restrictions=reject_unauth_pipelining
        -o smtpd_end_of_data_restrictions=
        -o mynetworks=192.168.1.0/24
        -o smtpd_error_sleep_time=0
        -o smtpd_soft_error_limit=1001
        -o smtpd_hard_error_limit=1000
        -o smtpd_client_connection_count_limit=0
        -o smtpd_client_connection_rate_limit=0
        -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
        -o strict_rfc821_envelopes=yes
        -o smtpd_bind_address=127.0.0.1

so am not sure why it can't connect to port 10025???
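
Added example (not written by any poster in this thread): a check that reads the 127.0.0.1:10025 re-injection listener from master.cf and tests whether 127.0.0.1, the address amavis connects from, falls inside that listener's own mynetworks override. The two samples are constructed, trimmed copies of the listeners posted above; the function names are hypothetical, and only plain address/CIDR lists are handled, not table lookups or "!" exclusions.

```python
import ipaddress

# Constructed samples: the two 127.0.0.1:10025 listeners posted in the thread,
# trimmed to the overrides that decide which clients may connect.
LISTING_1 = """\
127.0.0.1:10025 inet n - - - - smtpd
  -o content_filter=
  -o smtpd_client_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
"""
LISTING_2 = """\
127.0.0.1:10025 inet n - - - - smtpd
  -o content_filter=
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o mynetworks=192.168.1.0/24
"""

def logical_lines(text):
    """Join master.cf continuation lines; skip blank and comment lines."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def overrides(text, service):
    """Return the "-o name=value" overrides of one service, or None."""
    for line in logical_lines(text):
        fields = line.split()
        if fields[0] == service:
            args = fields[8:]  # everything after the 8 fixed columns
            return dict(args[i + 1].split("=", 1)
                        for i, a in enumerate(args[:-1]) if a == "-o")
    return None

def reinjection_allows(text, client="127.0.0.1", service="127.0.0.1:10025"):
    """True/False if the listener's own mynetworks covers `client`;
    None if it has no override and inherits mynetworks from main.cf."""
    opts = overrides(text, service)
    if opts is None:
        raise LookupError("no %s service in master.cf" % service)
    if "mynetworks" not in opts:
        return None
    addr = ipaddress.ip_address(client)
    nets = opts["mynetworks"].replace(",", " ").split()
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)
```

For the second listing the function returns False: 127.0.0.1 is outside 192.168.1.0/24, so permit_mynetworks does not match and the reject that follows it applies to connections arriving over loopback.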