Avoid scanning local mail (& the daemon debate)

G. Armour Van Horn vanhorn at whidbey.com
Sun Jul 28 19:52:04 IST 2002


Julian Field wrote:

> At 08:52 28/07/2002, you wrote:
> >pair of Perl scripts mails the copy to each address in turn using
> >"/usr/sbin/sendmail -t" - which I think would count as invoking sendmail
> >directly from the command line rather than via SMTP.
>
> How many recipients are you using per message? You should be able to do 100
> recips per message quite happily. MailScanner will then only have to scan
> the message once for 100 users. If you are invoking sendmail separately for
> each recipient, then it's no wonder your scanning load is so high!

There is one message per subscriber, a fundamental part of the design of the
project. I have dealt with mailing lists in the past where the messages could not
be identified, and I'll not do it again. Particularly not in the current
anti-spam environment. It is essential that you can identify bounces, and when
someone claims you are spamming them that you can say when and how they subscribed.
It is simply good customer service that the message include some variant on "this
message was sent to subscriber at some.com" right in the text.

For various reasons I had to rebuild the server in February of this year. Same CPU
and RAM, new motherboard and drives, switched from RedHat 6.2 to 7.2. (Yes, that
meant an upgrade in Sendmail to 8.12.) I never could get AMaViS to work in the new
environment, which is when I found MailScanner.

> >Contrary to what the FAQ says I should expect, the delivered mail is being
> >scanned.
>
> You must be using sendmail 8.12, where the way sendmail queuing is done has
> changed.

With all the attacks on Sendmail you can hardly afford to not stay pretty much
up-to-date. I can't tell exactly when 8.12.0 shipped, it's close to a year now, and
I'm not at all sure what version of Sendmail was included in RedHat 7.2. Regardless
of what I started with on this system, 8.12.3 was important enough from the
security perspective so that I installed it in April.

> >  This is a particular problem since MailScanner uses the command-line
> >version of Kaspersky instead of the daemonized version
>
> I have very recently speed tested one (sorry, but I'm not going to get in a
> flame war by telling you which one) of the very big commercial virus
> scanners, who provide a daemon and a command-line scanner. Obviously the
> only time the speed difference between the 2 matters is when the message
> batch size has grown quite large (i.e. when the server is battling to keep up).
>
> I ran with a test set of 10,000 messages. The command-line approach took 11
> seconds (processing in batches of about 50-100), whereas the daemon took 39
> seconds. The difference is mostly down to the communication overhead in
> talking to the daemon. You have to generate an HTTP GET request for each
> individual file, sending that to a socket. The daemon then scans the file
> and sends back XML saying whether the file was infected, again
> communicating via the socket.

You know the low-level details far better than I do, but it appears to me from
watching the system performance that the daemon version loads when the server
restarts and the command line version loads once for every message. Is there a way
to tell MailScanner how many messages to handle in a batch? There certainly are
plenty of messages available in the queues when the script is running.

But it sounds like the real distinction is not command-line vs daemon, but that the
current Sendmail has a different architecture. (I'd rev Sendmail again if it
weren't for the fact that the more restrictive permissions in 8.12.4 might lead to
problems I couldn't quickly solve.) As I said in my original message, the current
system gracefully handles all the incoming mail and probably wouldn't start
breathing hard with a five-fold increase in volume. But I couldn't handle much of
an increase in outbound mail with the current setup.

Is there a change I can make? Would revving MailScanner cure any of this?

MailScanner is a marvelous piece of work. It installed easily and is extremely
flexible. Based on the way it incorporates different AV tools, blocklists, and
SpamAssassin I have to give it high grades on what I regard as the most important
measure of any software: Works and plays well with other children. I recommend it
to all my friends that are running Sendmail, since they aren't publishing lists.

I don't have an urgent problem here, but it seems that growth would require either
throwing more horsepower at the system (it's a K6-2/400 now, so I could triple the
speed without spending too much money) or moving back to AMaViS, probably with
Postfix. I'd really like to hear there's a simple fix on the current system.

Van

--
----------------------------------------------------------
Sign up now for Quotes of the Day, a handful of quotations
on a theme delivered every morning.
Enlightenment! Daily, for free!
mailto:twisted at whidbey.com?subject=Subscribe_QOTD

For web hosting and maintenance,
visit Van's home page: http://www.domainvanhorn.com/van/
----------------------------------------------------------


