From: Mark Martinec (no email)
Date: Thu Aug 01 2002 - 10:24:42 EDT
Greg,
> Are there any larger scale Postfix sites out there running anti-virus
> solutions? By larger scale, I mean sites that usually run at 100 more
> concurrent email deliveries all long. I've been rummaging through the
> Postfix mailing list archives, and looked at many
> of the Postfix virus solutions folks have suggested such as Amavis,
> avcheck, sophie, sophos sweep, Panda, trophie, Antivir, DrWeb, etc. etc.
>
> I know that many people have heartily recommended these solutions to have
> worked for them, but I'm wondering how many have really used them
> in heavy load situations vs. personal workstation?
>
> Like Amavisd looks to be really memory fat with its Perl-based daemon,
> and supporting cast of requirement
> packages. Yeah, I know it works on my home system, but will it work in
> heavy production (if I throw 4gb of core memory its way to use).
Yes, amavisd (and amavisd-new even more so) is memory fat, being a Perl
program. But all its children are forked from a parent process that
has all the code and external modules already pulled in and compiled.
Most modern Unixes do a copy-on-write for pages in a forked process,
so you end up with all the child processes sharing the same memory for
their code.
Did you look at amavisd-new?
http://www.ijs.si/software/amavisd/
amavisd-new tries to eliminate most of the overhead in amavisd, and is
targeted at the kind of needs that you have. Works best with Postfix.
(of course you still need the actual av-scanner, preferably daemonized).
See also:
http://www.ijs.si/software/amavisd/README.performance
> By larger scale, I mean sites that usually run at 100 more
> concurrent email deliveries all long. I've been rummaging through the
Having 100+ concurrent email deliveries does not mean you need
100 av scanner processes running. Let Postfix worry about processing
all these (possibly slow) SMTP sessions, then feed a constant-width
stream of SMTP content-filtering requests to amavisd-new. The width
of the pipe should be determined by how many parallel content-filtering
SMTP streams your machines can run, not by some 'current CPU load'
or current number of SMTP sessions to the world.
That would make perhaps 3 amavisd-new child processes
plus 3 Sophie child processes PER CPU.
I find the mail rate to be a better metric than the number of
parallel SMTP sessions. So what is your mail rate (e.g. per hour)?
> Sophos looks like they are very serious about keeping their virus
> definitions current. But to use it, do I really have to use the
> conglomeration of Amavisd --> sophie --> sophos_lib ? Make that 8gb of core.
The number of Sophie child processes should match the number of
amavisd-new child processes. You can use Sophos sweep instead,
but this is prohibitively slow if you start it up anew for each new mail
on a busy mail server.
Btw, for updating Sophos IDS files see:
http://www.ijs.si/software/sophos-ide-update/
| From: Bennett Todd <>
| Subject: Re: Any larger scale Postfix anti-virus sites ?
| In-reply-to: <1028076568 dot 19855 dot 19 dot camel at loke>
| Message-id: <20020731170947 dot GB5210 at rahul dot net>
|
| I've set up a pretty large anti-virus-scanning email relay with
| Postfix; tended to serve 3-5 msgs/sec all day long, with bursts far
| higher of course. For historical reasons it had an architecture
| somewhat different from what I'd build today.
|
| One thing I'd advise, when shopping for an A/V scanner: give top
| priority to robustness in the face of malformed messages (this is a
| grave weak spot of some A/V email scanners), and to reasonably
| timely signature updates. Aside from making sure it's available as a
| persistent SMTP proxy that can handle multiple messages, either by
| preforking or using threads or whatever, don't worry so much about
| performance. Performance is _Cheap_.
| ...
Thanks for your thoughts and experience.
| Anybody know of a good MIME-analyzing standalone A/V scanner or
| framework into which you can drop an A/V scanner, that canonicalizes
| ambiguous or invalid constructs, and never ever cores on invalid
| messages?
Using the Postfix 'disable_mime_input_processing = no' setting,
and the rest of these new features, provides a useful front end
for a perhaps less-than-desired level of robustness in the MIME processing
in content filters.
Mark
--
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! Mark Martinec (system manager)     tel +386 1 4773-575  !!
!! J. Stefan Institute, Jamova 39     fax +386 1 2519-385  !!
!! SI-1000 Ljubljana, Slovenia                             !!
!!!!!!!!!!!!!!!!!!!!!!!!!! http://www.ijs.si/people/mark/ !!!!
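As an added illustration (not part of this thread, and not taken from the amavisd-new or Postfix documentation), this is the shape of the "constant-width pipe" setup the reply describes: Postfix hands each message to amavisd-new over SMTP through a dedicated transport whose process limit, not the number of inbound SMTP sessions, caps how many messages are being scanned at once, and amavisd-new's child count is set to the same figure. The ports (10024/10025), the width of 2 (the assumed per-CPU figure on a one-CPU box) and the extra MIME strictness parameters are assumptions to be sized from the mail rate and checked against postconf(5) for the Postfix version in use.

```text
# /etc/postfix/main.cf  (added fragment; values are assumptions)
# Hand every message to amavisd-new listening on 127.0.0.1:10024.
content_filter = smtp-amavis:[127.0.0.1]:10024
# Let Postfix normalize MIME before the content filter sees the message;
# this is the default, spelled out here because the reply refers to it.
disable_mime_input_processing = no
# Reject clearly malformed MIME at the border rather than passing it on
# to the scanner (assumed settings; see postconf(5)).
strict_mime_encoding_domain = yes
strict_8bitmime = yes

# /etc/postfix/master.cf  (added fragment)
# Transport towards amavisd-new. The maxproc column (2 here) is the width
# of the pipe: Postfix never opens more than this many scanning sessions
# at a time, however many inbound SMTP sessions it is serving.
# service   type private unpriv chroot wakeup maxproc command
smtp-amavis unix -       -      n      -      2       smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes

# Re-injection path: amavisd-new returns scanned mail to a second smtpd on
# 127.0.0.1:10025 which must not run the content filter again (otherwise
# mail loops) and accepts connections only from the local host.
127.0.0.1:10025 inet n  -      n      -      -       smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o mynetworks=127.0.0.0/8
    -o smtpd_client_restrictions=permit_mynetworks,reject

# /etc/amavisd.conf  (added fragment; Perl syntax)
# Child count matches the Postfix maxproc above: children beyond what
# Postfix will ever feed just sit idle holding (copy-on-write) memory.
$max_servers     = 2;
$inet_socket_port = 10024;
$forward_method  = 'smtp:[127.0.0.1]:10025';
$notify_method   = $forward_method;
```

With this layout the number of scanner processes (and, per the reply, the matching number of Sophie children) is fixed by `maxproc` and `$max_servers`, while Postfix's queue absorbs the bursts from the 100+ slow inbound SMTP sessions; raising the width is a matter of changing those two numbers together after measuring the per-message scan time at the observed mail rate.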