Hi Guys
I need some help with perhaps a general config tweak or perhaps some
completely new suggestions.
We have a mail server with the following configuration :-
Exim 4.30 (MySQL Database backend - Virtual Mailboxes)
Amavisd-new
F-PROT Antivirus
Spamassassin
Qpopper
Hardware Config :-
Dual Intel P4 2.8
2 GIG Ram
1 x 120 GIG IDE Hard Drive
Currently we have about 6000 mail boxes on the server. We seem to be running
into some very heavy queues of mail not being delivered to the mailboxes on
the local server. This starts at about 8am in the morning when mail seems to
be queued on the server, some of them for even up to 8 hours. As the day
comes to the end, at about 7PM, all the mail that queued for the day seems
to have been delivered to the mailboxes on the server which is causing a
problem for us not delivering mail on time as they come into the server.
We have been playing with adding amavis processes, but that didn't seem to
have done the trick as it puts additional loads on the server, causing the
server to take strain, sometimes reaching a load of over 20 with high IOWAIT
stats as well.
We have moved the amavisd-new, spamassassin and now ClamAV onto a totally
separate server which caused the load on the primary mail server to come
down to under 1, IOWAIT is also very low. The server seems to be idleing
along most of the times, however mail keeps on queueing on the server for
some reason. All new mails coming into the server gets processed
immediately, but those in the queue seems to be stuck till after the end of
day when they are processed and delivered.
The server running amavisd-new, spamassassin and ClamAV also has aload of
under 1 now, which to me sounds like we are heading in the right direction
having two servers doing the job. We currently have 12 amavisd processes
running on the server. ClamAV is configured as a socket on the server and it
seems like it's working pretty well, we just can't get rid of the queues....
We have quite a bit of tweaking in the exim config file, of which a copy is
included so that you might look at the config and perhaps send some
suggestions of what we are doing wrong.
Any suggestions are welcome !!!
Regards
RC
[root@mx01 root]# cat /etc/exim/exim4.conf
system_filter = /usr/local/etc/exim/sa
# SQL QUERIES
MYSQL_AUTH = SELECT domain FROM relays WHERE domain="${sender_host_address}" and relay_type="2"
MYSQL_RELAY = SELECT domain FROM relays WHERE domain="${sender_host_address}" and relay_type="2"
MYSQL_RELDOM = SELECT domain FROM relays WHERE domain = "$domain" and relay_type="3"
MYSQL_RELETRN = SELECT domain FROM relays WHERE domain = "$domain" and relay_type="1"
MYSQL_QDOMAINS = SELECT domain FROM relays WHERE domain = "$domain" and relay_type="3"
MYSQL_REJECT = SELECT domain FROM relays WHERE domain = "${sender_host_address}" and relay_type="4"
tls_advertise_hosts = *
tls_certificate = /usr/local/etc/ssl/smtp.crt
tls_privatekey = /usr/local/etc/ssl/smtp.key
tls_dhparam = /usr/local/etc/ssl/smtp.pem
#local_interfaces = 0.0.0.0.25 : 127.0.0.1.10025
local_interfaces = 0.0.0.0.25 : 10.0.0.8.10025 : 127.0.0.1.10025
# MYSQL SERVER
hide mysql_servers = 10.0.0.27/dbname/username/password
# SMTP BANNER
smtp_banner = SMTP
# EXIM CONFIG
primary_hostname = mx01.xxx.com
domainlist local_domains = ${lookup mysql{SELECT distinct domain FROM relays \
WHERE domain="$domain" AND relay_type="5" AND in_use="1" }}:smtp.xxx.com:mx01.xxx.com:mailman.xxx.com:mx02.xxx.com
domainlist relay_to_domains = ${lookup mysql{SELECT domain FROM relays \
WHERE domain="$domain"}}:mysql;MYSQL_RELETRN:mysql;MYSQL_RELDOM:mx02.xxx.com
hostlist relay_from_hosts = net-mysql;MYSQL_RELAY:net-mysql;MYSQL_AUTH:/usr/local/etc/exim/relays
queue_domains = mysql;MYSQL_RELETRN
# queue_domains = mysql;MYSQL_RELETRN:mysql;MYSQL_QDOMAINS
host_reject_connection = net-mysql;MYSQL_REJECT
trusted_users = web:root:exim
# MAX MESSAGE SIZE
message_size_limit = 10M
return_size_limit = 100K
# ETRN
smtp_etrn_command = "/usr/local/sbin/exim -R \
\"${if match {$domain}{^[@#]}{${substr_1:$domain}}{$domain}}\""
smtp_etrn_serialize = false
# ACL Configuration
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_etrn = check_etrn
acl_smtp_data = acl_check_content
# EXIM USER
exim_user = root
exim_group = mail
# EXIM EXTRA CONFIGURATION - Performance stuff.
split_spool_directory
## The value of this option limits the number of MAIL commands that Exim is prepared to accept over a single SMTP connection, whether or not each command results in the transfer of a message
#smtp_accept_max_per_connection = 200
#smtp_accept_max_per_connection = 20
smtp_accept_max_per_connection = 100
##
## This option limits the number of delivery processes that Exim starts automatically when receiving messages via SMTP, whether via the daemon or by the use of -bs or -bS. If the value of the option is greater than zero, and the number of messages received in a single SMTP session exceeds this number, subsequent messages are placed on the queue, but no delivery processes are started
#smtp_accept_queue_per_connection = 25
smtp_accept_queue_per_connection = 100
##
## This option specifies a maximum number of waiting SMTP connections. Exim passes this value to the TCP/IP system when it sets up its listener. Once this number of connections are waiting for the daemon's attention, subsequent connection attempts are refused at the TCP/IP level
smtp_connect_backlog = 50
#smtp_connect_backlog = 150
##
## This option specifies the maximum number of simultaneous incoming SMTP calls that Exim will accept
smtp_accept_max = 1500
#smtp_accept_max = 300
##
## This option restricts the number of simultaneous IP connections from a single host (strictly, from a single IP address) to the Exim daemon
#smtp_accept_max_per_host = 100
smtp_accept_max_per_host = 25
##
## If the number of simultaneous incoming SMTP calls handled via the listening daemon exceeds this value, messages received by SMTP are just placed on the queue
#smtp_accept_queue = 70
smtp_accept_queue = 300
##
## If the system load average ever gets higher than this, incoming SMTP calls are accepted only from those hosts that match an entry in smtp_reserve_hosts.
smtp_load_reserve = 38
##
## When this option is set, a queue run is abandoned if the system load average becomes greater than the value of the option
#deliver_queue_load_max = 20
deliver_queue_load_max = 30
##
## This controls the maximum number of queue runner processes that an Exim daemon can run simultaneously. This does not mean that it starts them all at once, but rather that if the maximum number are still running when the time comes to start another one, it refrains from starting another one
queue_run_max = 30
##
## If the system load average is higher than this value, incoming messages from all sources are queued, and no automatic deliveries are started. If this happens during local or remote SMTP input, all subsequent messages on the same connection are queued
queue_only_load = 30
##
## If this option is set greater than zero, it specifies the maximum number of original recipients for any message. Additional recipients that are generated by aliasing or forwarding do not count
recipients_max = 100
## The four check_... options allow for checking of disk resources before a message is accepted. check_spool_space and check_spool_inodes check the spool partition if either value is greater than zero
check_spool_inodes = 100
check_spool_space = 20M
##
smtp_accept_reserve = 400
smtp_reserve_hosts = chaos.xxx.com:10.0.0.27:127.0.0.1:10.0.0.52
# IDENT
rfc1413_hosts = *
rfc1413_query_timeout = 0s
# The setting below causes Exim to do a reverse DNS lookup on all incoming
# IP calls, in order to get the true host name. If you feel this is too
# expensive, you can specify the networks for which a lookup is done, or
# remove the setting entirely.
#host_lookup = *
# Allow funy hello characters..
helo_allow_chars = _
# QUEUE Options
auto_thaw = 5m
ignore_bounce_errors_after = 1h
timeout_frozen_after = 10m
# ExiList Hack
EXILIST_HOME=/var/www/html/exilist
EXILIST_BIN=EXILIST_HOME/exilist.mgr.pl
EXILIST_UID=apache
EXILIST_GID=web
######################################################################
# ACL CONFIGURATION #
# Specifies access control lists for incoming SMTP mail #
######################################################################
begin acl
#acl_check_blist:
#deny hosts = partial()lsearch;/etc/exim/sa-blacklist.current.domains
# message = $sender_host_address Blocked by
http://www.stearns.org/sa-blacklist/
check_etrn:
accept hosts = *
deny hosts = *
message = Access Denied!! !!!! the flip flop
acl_check_rcpt:
accept hosts = : 127.0.0.1
deny senders = :
domains = domain1.com : domain2.com
message = No valid Sender specified
deny local_parts = ^.*[@%!/|] : ^\\.
accept local_parts = postmaster
domains = +local_domains
deny message = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
# dnslists = sbl-xbl.spamhaus.org:relays.ordb.org:dul.dnsbl.sorbs.net:multi.surbl.org
dnslists = sbl-xbl.spamhaus.org:relays.ordb.org:multi.surbl.org
accept domains = +local_domains
endpass
message = unknown user
verify = recipient
delay = 20s
accept domains = +relay_to_domains
endpass
message = unrouteable address
verify = recipient
delay = 20s
accept hosts = +relay_from_hosts
# Added recently by GM
# deny
# message = unknown user
# !verify = recipient/callout=20s,defer_ok,use_sender
# delay = ${eval:$rcpt_fail_count*10 + 20}s
accept authenticated = *
delay = 20s
# deny message = relay not permitted - admin@???
acl_check_content:
deny message = This message contains an unwanted file extension ($found_extension)
demime = scr:com:vbs:bat:lnk:pif
accept
######################################################################
# ROUTERS CONFIGURATION #
# Specifies how addresses are handled #
######################################################################
# THE ORDER IN WHICH THE ROUTERS ARE DEFINED IS IMPORTANT! #
# An address is passed to each router in turn until it is accepted. #
######################################################################
begin routers
dnslookup:
driver = dnslookup
domains = ! +local_domains
transport = remote_email
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
no_more
amavis:
driver = manualroute
transport = amavis
route_list = "* localhost byname"
self = send
condition = "${if or {{eq {$interface_port}{10025}} \
{eq {$received_protocol}{spam-scanned}} \
{eq {$sender_address}{}} \
}{0}{1}}"
autorespond:
driver = accept
condition = ${if eq{} {${lookup mysql{SELECT autoresponder FROM email WHERE autoresponder='YES' AND address="$local_part" AND domain="$domain" AND in_use='1'}}}{no}{yes}}
no_verify
no_expn
unseen
transport = auto_responder
email:
driver = accept
condition = ${if eq{} {${lookup mysql {SELECT address FROM email WHERE address="$local_part" AND domain="$domain" AND in_use='1' and email_type="1" }}}{no}{yes}}
transport = local_email
wildcards:
driver = redirect
file_transport = address_file
pipe_transport = address_pipe
data = ${lookup mysql{SELECT pointer FROM email WHERE address="@" AND domain="$domain" AND email_type='3'}}
system_aliases:
driver = redirect
allow_fail
allow_defer
data = ${lookup{$local_part}lsearch{/etc/aliases}}
file_transport = address_file
pipe_transport = address_pipe
aliases:
driver = redirect
file_transport = address_file
pipe_transport = address_pipe
data = ${lookup mysql{SELECT pointer FROM email WHERE address="$local_part" AND domain="$domain" AND email_type="2"}}
exilist_post_router:
driver = accept
verify_sender = false
condition = ${lookup mysql {select id from lists where name='$local_part' and domain='$domain'}}
transport = exilist_post_transport
exilist_bounce_router:
driver = accept
verify_sender = false
condition = ${if match {$local_part}{^[0-9]+_return_[0-9]+\\.[A-Za-z0-9-]+\$}{1}{0}}
transport = exilist_bounce_transport
localuser:
driver = accept
check_local_user
transport = local_delivery
cannot_route_message = Unknown user
######################################################################
# TRANSPORTS CONFIGURATION #
######################################################################
# ORDER DOES NOT MATTER #
# Only one appropriate transport is called for each delivery. #
######################################################################
begin transports
amavis:
driver = smtp
hosts = 10.0.0.52
port = 10024
allow_localhost
user = exim
hosts_override
remote_email:
driver = smtp
user = exim
local_email:
driver = appendfile
file = /var/mail/$domain/$local_part
create_directory
delivery_date_add
envelope_to_add
return_path_add
user = web
group = web
mode = 0660
directory_mode = 0770
quota = ${lookup mysql{select mquota from email where address="$local_part" and domain="$domain"}{$value} {5M}}
quota_warn_threshold = 90%
quota_warn_message = "\
To: $local_part@$domain\n\
Subject: Your mailbox\n\n\
Greetings\n\n\
Your mailbox is using 90% of its quota.\n\
For further information contact your ISP Support.\n\n\
\n\n\"
auto_responder:
driver = autoreply
reply_to = "${local_part}@${domain}"
from = "${local_part}@${domain}"
to = "${sender_address}"
once = "/autoreply/${domain}-${local_part}"
once_repeat = 500s
# headers = "MIME-Version: 1.0\n\
#Content-type: text/html; charset=iso-8859-1\n"
subject = ${lookup mysql{SELECT arsubject FROM email WHERE address="$local_part" AND domain="$domain"}{$value}{Automatic reply from ${local_part}@${domain}}}
text = ${lookup mysql{SELECT artext FROM email WHERE address="$local_part" AND domain="$domain"}{$value}}
user = web
group = web
exilist_post_transport:
driver = pipe
command = EXILIST_BIN "${lookup mysql {select id from lists where name='$local_part' and domain='$domain'}}" post none $message_id $sender_address $reply_address
user = EXILIST_UID
group = EXILIST_GID
current_directory = EXILIST_HOME
home_directory = EXILIST_HOME
return_fail_output
exilist_bounce_transport:
driver = pipe
command = EXILIST_BIN ${extract{1}{_}{$local_part}} ${extract{2}{_}{$local_part}} ${extract{3}{_}{$local_part}} $message_id $sender_address $reply_address
user = EXILIST_UID
group = EXILIST_GID
current_directory = EXILIST_HOME
home_directory = EXILIST_HOME
return_fail_output
local_delivery:
driver = appendfile
file = /var/mail/$domain/$local_part
delivery_date_add
envelope_to_add
return_path_add
#localuser:
# driver = accept
# check_local_user
# transport = local_delivery
# cannot_route_message = Unknown user
######################################################################
# RETRY CONFIGURATION #
######################################################################
begin retry
# Domain Error Retries
# ------ ----- -------
* quota
* * F,2h,15m; G,16h,1h,1.5; F,3d,6h
######################################################################
# REWRITE CONFIGURATION #
######################################################################
# There are no rewriting specifications in this default configuration file.
begin rewrite
######################################################################
# AUTHENTICATION CONFIGURATION #
######################################################################
# There are no authenticator specifications in this default configuration file.
begin authenticators
######################################################################
# CONFIGURATION FOR local_scan() #
######################################################################
# If you have built Exim to include a local_scan() function that contains
# tables for private options, you can define those options here. Remember to
# uncomment the "begin" line. It is commented by default because it provokes
# an error with Exim binaries that are not built with LOCAL_SCAN_HAS_OPTIONS
# set in the Local/Makefile.
# begin local_scan
# End of Exim configuration file
[root@mx01 root]#
