1 (edited by wildcard418 2019-08-15 22:06:51)

Topic: clamd will not disable [SOLVED]

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 0.9.9
- Deployed with iRedMail Easy or the downloadable installer? downloadable installer
- Linux/BSD distribution name and version: CentOS 7.6.1810
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL (MariaDB)
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hello Zhang,
I'm using a 3rd party spam/virus checker that handles the filtering before any mail reaches my mail server.

I'm attempting to stop virus/spam scanning but keep DKIM signing / verification. I've followed the guide here but every time I restart amavisd I find it continues to spawn clamd processes which promptly eat up 500-600mb of ram.

I've uncommented the settings @bypass_virus_checks_maps => [1], and @bypass_spam_checks_maps => [1], on line 4 and 5 of the amavisd.conf as per the guide. I also found the same settings commented out on line 76 and 77 but without the leading @ symbol. I have not touched those.

Can you clarify if I'm missing a step somewhere? Should the 1 be a 0 to disable the checks?

I've attached a slightly redacted version of my amavisd.conf file for you.


2

Re: clamd will not disable [SOLVED]

Hi,

https://forum.iredmail.org/topic13586-r … lamav.html

Check SQL table "amavisd.policy", you should have one record for global spam policy with column "policy_name='@.'". Try to update column "bypass_spam_checks", "bypass_virus_checks" to 'Y'.

Note: with "lookup_sql_dsn" setting enabled in amavisd config file, settings stored in SQL db will be used instead of config file.


3

Re: clamd will not disable [SOLVED]

Hey Neutro,
Thanks for the reply. I checked the amavisd database inside of the table policy and found the bypass_virus_checks was set to N, so I updated it to Y.  I also verified bypass_spam_checks, and it was already Y. Both items are now Y in the database.

I restarted processes and found no change. I rebooted the entire server and found no change.

Same behavior, with clamd launching and consuming 600mb of ram.

I enabled log level 5 for amavisd. I killed the clamd process and restarted amavisd as I watched the log. I found this:

Aug 14 18:35:45 mail clamd[2718]: Pid file removed.
Aug 14 18:35:45 mail clamd[2718]: --- Stopped at Wed Aug 14 18:35:45 2019
Aug 14 18:35:45 mail clamd[2718]: Socket file removed.
Aug 14 18:35:57 mail amavis[2798]: child_goes_idle (child finishing)
Aug 14 18:35:57 mail amavis[2798]: child_goes_idle: disconnected none (child finishing)
Aug 14 18:35:57 mail amavis[2798]: child_finish_hook: invoking DESTROY methods
Aug 14 18:35:57 mail amavis[2798]: Amavis::Out::SQL::Log DESTROY called
Aug 14 18:35:57 mail amavis[2798]: Amavis::Lookup::SQL DESTROY called
Aug 14 18:35:57 mail amavis[2798]: Amavis::Lookup::SQL DESTROY called
Aug 14 18:35:57 mail amavis[2798]: Amavis::Out::SQL::Connection DESTROY called
Aug 14 18:35:57 mail amavis[2797]: sd_notify (no socket): STOPPING=1\nSTATUS=Server rundown, notifying child processes.
Aug 14 18:35:57 mail amavis[2797]: Net::Server: 2019/08/14-18:35:57 Server closing!
Aug 14 18:35:57 mail amavis[2797]: Net::Server: Kill TERM pid 2799
Aug 14 18:35:57 mail amavis[2797]: Net::Server: Kill TERM pid 2798
Aug 14 18:35:57 mail amavis[2797]: sd_notify (no socket): STATUS=Child processes have been stopped.
Aug 14 18:35:57 mail amavis[2799]: child_goes_idle (child finishing)
Aug 14 18:35:57 mail amavis[2799]: child_goes_idle: disconnected none (child finishing)
Aug 14 18:35:57 mail amavis[2799]: child_finish_hook: invoking DESTROY methods
Aug 14 18:35:57 mail amavis[2799]: Amavis::Out::SQL::Log DESTROY called
Aug 14 18:35:57 mail amavis[2799]: Amavis::Lookup::SQL DESTROY called
Aug 14 18:35:57 mail amavis[2799]: Amavis::Lookup::SQL DESTROY called
Aug 14 18:35:57 mail amavis[2799]: Amavis::Out::SQL::Connection DESTROY called
Aug 14 18:35:57 mail clamd[2816]: Received 0 file descriptor(s) from systemd.
Aug 14 18:35:57 mail clamd[2816]: clamd daemon 0.101.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Aug 14 18:35:57 mail clamd[2816]: Running as user amavis (UID 990, GID 987)
Aug 14 18:35:57 mail clamd[2816]: Log file size limited to 1048576 bytes.
Aug 14 18:35:57 mail clamd[2816]: Reading databases from /var/lib/clamav
Aug 14 18:35:57 mail clamd[2816]: Not loading PUA signatures.
Aug 14 18:35:57 mail clamd[2816]: Bytecode: Security mode set to "TrustSigned".
Aug 14 18:35:57 mail amavis[2820]: logging initialized, log level 5, syslog: amavis.mail
Aug 14 18:35:57 mail amavis[2820]: sd_notify (no socket): STATUS=Config files have been read, modules loaded.
Aug 14 18:35:57 mail amavis[2820]: starting. /usr/sbin/amavisd at mail.example.com amavisd-new-2.11.1 (20181009), Unicode aware, LANG="en_US.UTF-8"

... skipping all the "Found decoder nonsense"

Aug 14 18:35:57 mail amavis[2821]: sd_notify (no socket): READY=1\nSTATUS=Initialization done.
Aug 14 18:35:57 mail amavis[2821]: Net::Server: Beginning prefork (2 processes)
Aug 14 18:35:57 mail amavis[2821]: sd_notify (no socket): STATUS=Starting child process(es), ready for work.
Aug 14 18:35:57 mail amavis[2821]: Net::Server: Starting "2" children
Aug 14 18:35:57 mail amavis[2821]: Net::Server: Parent ready for children.
Aug 14 18:35:57 mail amavis[2822]: Net::Server: Child Preforked (2822)
Aug 14 18:35:57 mail amavis[2822]: entered child_init_hook
Aug 14 18:35:57 mail amavis[2822]: storage and lookups will use the same connection to SQL
Aug 14 18:35:57 mail amavis[2823]: Net::Server: Child Preforked (2823)
Aug 14 18:35:57 mail amavis[2823]: entered child_init_hook
Aug 14 18:35:57 mail amavis[2823]: storage and lookups will use the same connection to SQL
Aug 14 18:36:26 mail clamd[2816]: Loaded 6271420 signatures.
Aug 14 18:36:27 mail clamd[2816]: LOCAL: Unix socket file /var/run/clamd.amavisd/clamd.socket
Aug 14 18:36:27 mail clamd[2816]: LOCAL: Setting connection queue length to 200
Aug 14 18:36:27 mail clamd[2840]: Limits: Global size limit set to 104857600 bytes.
Aug 14 18:36:27 mail clamd[2840]: Limits: File size limit set to 26214400 bytes.
Aug 14 18:36:27 mail clamd[2840]: Limits: Recursion level limit set to 16.
Aug 14 18:36:27 mail clamd[2840]: Limits: Files limit set to 10000.
Aug 14 18:36:27 mail clamd[2840]: Limits: MaxEmbeddedPE limit set to 10485760 bytes.
Aug 14 18:36:27 mail clamd[2840]: Limits: MaxHTMLNormalize limit set to 10485760 bytes.
Aug 14 18:36:27 mail clamd[2840]: Limits: MaxHTMLNoTags limit set to 2097152 bytes.
Aug 14 18:36:27 mail clamd[2840]: Limits: MaxScriptNormalize limit set to 5242880 bytes.
Aug 14 18:36:27 mail clamd[2840]: Limits: MaxZipTypeRcg limit set to 1048576 bytes.
Aug 14 18:36:27 mail clamd[2840]: Limits: MaxPartitions limit set to 50.
Aug 14 18:36:27 mail clamd[2840]: Limits: MaxIconsPE limit set to 100.
Aug 14 18:36:27 mail clamd[2840]: Limits: MaxRecHWP3 limit set to 16.
Aug 14 18:36:27 mail clamd[2840]: Limits: PCREMatchLimit limit set to 100000.
Aug 14 18:36:27 mail clamd[2840]: Limits: PCRERecMatchLimit limit set to 2000.
Aug 14 18:36:27 mail clamd[2840]: Limits: PCREMaxFileSize limit set to 26214400.
Aug 14 18:36:27 mail clamd[2840]: Archive support enabled.
Aug 14 18:36:27 mail clamd[2840]: AlertExceedsMax heuristic detection disabled.
Aug 14 18:36:27 mail clamd[2840]: Heuristic alerts enabled.
Aug 14 18:36:27 mail clamd[2840]: Portable Executable support enabled.
Aug 14 18:36:27 mail clamd[2840]: ELF support enabled.
Aug 14 18:36:27 mail clamd[2840]: Mail files support enabled.
Aug 14 18:36:27 mail clamd[2840]: OLE2 support enabled.
Aug 14 18:36:27 mail clamd[2840]: PDF support enabled.
Aug 14 18:36:27 mail clamd[2840]: SWF support enabled.
Aug 14 18:36:27 mail clamd[2840]: HTML support enabled.
Aug 14 18:36:27 mail clamd[2840]: XMLDOCS support enabled.
Aug 14 18:36:27 mail clamd[2840]: HWP3 support enabled.
Aug 14 18:36:27 mail clamd[2840]: Self checking every 600 seconds.

The log clearly shows clamd being invoked by amavis which was confirmed by ps:
$ ps aux | grep clamd
amavis    2840  0.0 38.6 930252 728096 ?       Ssl  18:36   0:00 /usr/sbin/clamd -c /etc/clamd.d/amavisd.conf


So far, I'm at a loss. I'm afraid if I uninstall the clamav package I may break things badly. Anyone have any ideas?

4

Re: clamd will not disable [SOLVED]

Did you actually stop the clamav service? On CentOS 7, the service name is "clamd@amavisd".

----

Does my reply help a little? How about buying me a cup of coffee ($5) as an encouragement?


5 (edited by wildcard418 2019-08-15 21:17:15)

Re: clamd will not disable [SOLVED]

ZhangHuangbin wrote:

Did you actually stop the clamav service? On CentOS 7, the service name is "clamd@amavisd".

Yes, the service has been stopped and disabled. Same behavior as before.

Edit: I checked again to make sure the service was still stopped and disabled, but I found it running! WTF!? I can manually stop the service but a restart of amavisd causes the clamd@amavisd service to start again.

Any idea how I can kill it permanently?

6 (edited by wildcard418 2019-08-15 22:09:18)

Re: clamd will not disable [SOLVED]

I finally figured this out. I don't have other systems to test this other than CentOS but this works for me on CentOS 7.6.1810

The problem:
The systemd service script for amavisd is what is invoking clamd.

The fix:
Make sure clamd@amavisd is stopped and disabled.

systemctl stop clamd@amavisd.service
systemctl disable clamd@amavisd.service

Modify /usr/lib/systemd/system/amavisd.service and comment out the line Wants=clamd@amavisd.service and restart amavisd.

Don't forget to reload the daemon afterwards... systemctl daemon-reload

Zhang, you might consider adding a line to the guide for this. Thanks for all you do. Your product is amazing.

7

Re: clamd will not disable [SOLVED]

wildcard418 wrote:

The fix:
...
Modify /usr/lib/systemd/system/amavisd.service and comment out the line Wants=clamd@amavisd.service and restart amavisd.

Each time you upgrade the Amavisd package, you need to make this change again. This is not an ideal solution.

You should try this instead:
https://forum.iredmail.org/post70253.html#p70253

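The diagnosis in post 6 and the upgrade concern in post 7, as an added example that is not part of the thread and is not taken from the linked post: it finds which unit file pulls in clamd@amavisd.service and writes an edited copy of that unit to a second directory instead of changing the packaged file. It assumes the standard systemd rule that a unit file in /etc/systemd/system takes precedence over one of the same name in /usr/lib/systemd/system; the function names and the sample unit are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread; function names are hypothetical.

# Print unit files in DIR that pull UNIT in via Wants=/Requires=/BindsTo=.
find_pullers() {
    local dir=$1 unit="${2//./\\.}"
    grep -lE "^(Wants|Requires|BindsTo)=(.*[[:space:]])?${unit}([[:space:]]|\$)" \
        "$dir"/*.service 2>/dev/null
}

# Copy SRC into DEST_DIR with UNIT dropped from its Wants= lines.
# The packaged file is left alone, so a package upgrade that rewrites it
# does not bring the dependency back while the copy in DEST_DIR wins.
write_override() {
    local src=$1 dest_dir=$2 unit=$3
    awk -v u="$unit" '
        /^Wants=/ {
            n = split(substr($0, 7), parts, /[ \t]+/); keep = ""; hit = 0
            for (i = 1; i <= n; i++) {
                if (parts[i] == u) hit = 1
                else if (parts[i] != "") keep = keep (keep == "" ? "" : " ") parts[i]
            }
            if (hit) {
                print "# local override: dropped " u
                if (keep != "") print "Wants=" keep
                next
            }
        }
        { print }
    ' "$src" > "$dest_dir/$(basename "$src")"
}

# Constructed sample standing in for the packaged amavisd.service.
demo() {
    local tmp; tmp=$(mktemp -d)
    mkdir -p "$tmp/lib" "$tmp/etc"
    printf '%s\n' '[Unit]' 'Description=Amavisd (constructed sample)' \
        'After=network.target' 'Wants=clamd@amavisd.service postfix.service' \
        '[Service]' 'ExecStart=/usr/sbin/amavisd -c /etc/amavisd/amavisd.conf' \
        > "$tmp/lib/amavisd.service"
    find_pullers "$tmp/lib" clamd@amavisd.service      # names the sample unit
    write_override "$tmp/lib/amavisd.service" "$tmp/etc" clamd@amavisd.service
    cat "$tmp/etc/amavisd.service"                     # Wants= no longer lists clamd
    rm -rf "$tmp"
}
demo
```

On the host from the thread the arguments would be /usr/lib/systemd/system/amavisd.service and /etc/systemd/system, followed by systemctl daemon-reload and a restart of amavisd. The copy in /etc then shadows the packaged unit entirely, so it should be compared against the packaged file after each Amavisd upgrade.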

8

Re: clamd will not disable [SOLVED]

Hey Zhang,
I did follow your instructions exactly, but it wasn't enough to keep the clamd service from starting every time amavisd was restarted. I've applied the settings you linked to my amavisd.conf but it would spawn clamd and eat up 600+mb ram.

Finally found why it was spawning, so I added the steps above to the guide you posted.