Zimbra

wdman · #1 (**permalink**) 06-24-2010, 07:14 AM

- Message Count last 48 hours 300,000+ (mta_count(msg)). This is usually in the 7,500 range.
- Message Volume last 48 hours 4,500,000,000 (mta_volume (bytes)).
- Anti-Spam/Anti-Virus Activity last 48 hours 250,000+. Usually below 10,000 - more like ~2,000.

All swap gets consumed. Load averege 60.00+ - server becomes unresponsive.

It seems that when I start the postfix it starts feeding the email to amavisd and that's what uses all the resources.
(Upgraded to 6.0.7_GA_2473.UBUNTU6, but still can't start the system without getting it stuck again.)

Is there a way to limit the resources amavisd uses?
Where to look if it's single email address/domain that gets all this email?
Any tips to get this sorted?

Thank you.

phoenix · #2 (**permalink**) 06-24-2010, 07:58 AM

You'll find details in the /var/log/zimbra.log for incoming messages. I assume you're using the Discarding Emails Sent to Invalid Addresses optione mentioned in the wiki and some good RBLs? I'd suggest you block port 25 for the time being so you don't continue to receive email. You can also use the postsuper command to completely remove the mail from the queues but you may lose valid mail using that brute force technique, there's also a script on that page that you may be able to adapt to selectively remove mail.

wdman · #3 (**permalink**) 06-24-2010, 11:05 AM

Quote:

Originally Posted by phoenix

Discarding Emails Sent to Invalid Addresses

Does that work if there's some domains with catch-all account?

phoenix · #4 (**permalink**) 06-24-2010, 11:11 AM

Quote:

Originally Posted by wdman

Does that work if there's some domains with catch-all account?

No, it doesn't and a catch-all account is a spammers dream. Because you have a catch-all account you will get every message sent to the server, I never recommend catch-all accounts (except in limited circumstances) for this very reason - I would recommend you seriously consider getting rid of the catch-all.

wdman · #5 (**permalink**) 06-24-2010, 01:19 PM

Quote:

Originally Posted by phoenix

You'll find details in the /var/log/zimbra.log for incoming messages.

Starts today (24th Jun) and /var/log/zimbra.log.0 contains only (20th Jun).

Quote:

Originally Posted by phoenix

I'd suggest you block port 25 for the time being so you don't continue to receive email.

Did this and zmcontrol start - the server gets jammed again - hmmm.

wdman · #6 (**permalink**) 06-25-2010, 12:22 AM

Added few RBLs. And checked the following two from the web admin.
[x] Client must greet with a fully qualified hostname (reject_non_fqdn_hostname)
[x] Sender's domain (reject_unknown_sender_domain)

Changed the max_servers (amavisd.conf amavisd.conf.in)
#$max_servers = 10; # number of pre-forked children (2..15 is common)
$max_servers = 2; # number of pre-forked children (2..15 is common)

Changing the max_servers to 2 helped a little. amavisd still uses much resources.
top ...
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
18076 zimbra 25 0 2918m 2.8g 3544 R 98 71.3 1:46.15 amavisd
and
31827 zimbra 25 0 1085m 1.0g 2588 R 100 25.6 0:37.05 amavisd

The port 25 is blocked with iptables (ecxept for 127.0.0.1 and the servers IP).
Mail queues shows 2 deferred and 14 Active. Is there a amavis queue somewhere? Or other queues than the one that the Zimbra web admin shows?

phoenix · #7 (**permalink**) 06-25-2010, 12:35 AM

Quote:

Originally Posted by wdman

Mail queues shows 2 deferred and 14 Active. Is there a amavis queue somewhere? Or other queues than the one that the Zimbra web admin shows?

No, they're the only queues in the system. Are you going to remove the catch-all or does it serve some specific purpose in your environment?

wdman · #8 (**permalink**) 06-25-2010, 06:56 AM

Quote:

Originally Posted by phoenix

Are you going to remove the catch-all or does it serve some specific purpose in your environment?

I'm considering this - yes it does server a specific purpose. All of these email addresses are filtered to their folders and only leaked emails are blocked. Meaning I'm using unique addresses for each web service - like if this forum (zimbra.com/forums) would get compromised I would update the email on this board and then block the leaked email. So far it has worked great for years.

I guess I could point this domain with the catch-all to some other email server and then fetch the emails to Zimbra - not sure if the sieve filters would work tho (which are really important because of the email to specific folder filtering) - any idea?

Is there a way to find all addresses for a specific domain that has received email? (This way I guess I count stop using the catch-all and add all of these as aliases)

Would removing the catch-all help amavis now that the server doesn't get new email - all the email are in the system/queue?

Thank you for your help.