9 Replies Latest reply: Apr 27, 2008 2:43 PM by Notorious bWg
Mike Matthews Level 1 Level 1 (10 points)
Hi:

In the last week or so, our Tiger (v10.4.11) mail server has really slowed down delivery of its mail. I tried putting in more RAM (now at 1.5 GB) to no avail on our G4 867 PowerMac.

We have about 20 IMAP users and 10 POP users.

It appears that mail is not being processed fast enough by the built-in virus and spam checkers. And Activity Monitor tells me that the CPU is almost constantly at 100% usage. Thus, mail stacks up in the queue (up to as many as 300 messages to be delivered) with two-hour delivery delays while 30 users pound on the mail server for new mail.

Our junk mail/virus databases are updated twice a day.

I see lot of these types of error messages in mail.log:
Apr 3 11:33:01 mail2 postfix/qmgr[9789]: warning: qmgractivecorrupt: save corrupt file queue active id C50574A93D05: No such file or directory

The freshclam.log says:
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.88.5 Recommended version: 0.92.1
DON'T PANIC! Read http://www.clamav.net/faq.html
main.cvd is up to date (version: 45, sigs: 169676, f-level: 21, builder: sven)
WARNING: Current functionality level = 9, recommended = 21

Much of the time messages appear to be scanned successfully, but amavis.log occasionally says:
Apr 3 11:50:40 mail2 /usr/bin/amavisd[18621]: (18621-07) WARN: all primary virus scanners failed, considering backups

And Activity Monitor tells me that usually two copies of clamscan are running at the same time with different PIDs. (Occasionally only one copy is shown as running, but a second process quickly appears.) And that's what seems to push the CPU load to 100%

I've read on web that 100% CPU usage for clamscan is common. But what about the multiple processes?

This thread seems to be identical to mine:

Apple - Support - Discussions - clamscan 100% CPU ...

I'm keeping service running fairly well (today for the first time the queue hasn't climbed above 50 messages; largely because several users are on the road) by manually deleting obvious junk messages, thus speeding up delivery of legitimate mail. But I can't do this forever, obviously.

Anyone have any guidance for me? Will getting clamscan to run just once solve it? If so, how do I do that?

TIA
mm

Mac OS X (10.5.2)
  • Joe Lucia Level 1 Level 1 (130 points)
    You might need to use clamd instead of clamscan. There is a similar post here http://discussions.apple.com/thread.jspa?messageID=5645624&#5645624
  • Mike Matthews Level 1 Level 1 (10 points)
    OK, since...

    • Leopard Server uses amavisd 2.5.1, SpamAssassin 3.2.1, and ClamAV 0.91.2 and uses the clamd daemon and not clamscan and
    • I have an 867 MHz G4 serving as the mail server--and it's only running Firewall, Mail, Open Directory (standalone), Web (in case I want to do webmail) and
    • I have a copy of 10.5 ready to install

    ...then maybe I should just upgrade to Leopard server. Seems like a pretty simple upgrade, according to the Upgrading and Migrating Guide.

    Perhaps this will solve the sudden delay issue that has arisen while also eliminating the various warnings we've been experiencing.

    However there's a mention in the U&M guide (pages 11-12) scares me a bit: a 1 GHz G4 or better CPU is needed to upgrade. Everywhere else I've seen it written (including elsewhere in the U&M guide) that an 867 MHz G4 is sufficient. I really think that 1 GHz reference is an error.

    Whaddya think?

    Thanks,
    mm
  • pterobyte Level 6 Level 6 (10,910 points)
    What you are seeing is normal. As soon as your mail server starts seeing more traffic (legit or not), clamscan can't cope. It is also normal for amavisd to span several clamscan processes where needed.

    Updating ClamAV and moving to clamd fixes it. Updating to Leopard as well. On the flip side, upgrading to Leopard can create other issues and brings a learning curve with it. I recommend you browse the 10.5. Server forum for known issues and evaluate which may or may not affect you before taking a decision.

    Also, I would under no circumstances update, but would set up a clean Leopard Server and move things over.

    HTH,
    Alex
  • Mike Matthews Level 1 Level 1 (10 points)
    Here's the update:

    We had been seeing CPU use maxed out constantly, with two processes for clamAV each accounting for 40+% of the CPU usage. I tried stopping virus and junk scanning earlier, but that seemed to stop the mail queue entirely (perhaps I failed to restart or something).

    So, as a short-term fix, we turned off virus scanning and spam filtering on the mail server last weekend (correctly, it appears). Doing so seems to have returned the delivery of messages to their earlier level of speed.

    I'm not sure what triggered the sudden delivery delay a couple of weeks ago. But the server was spending inordinate amounts of time filtering and scanning mail rather than delivering it.

    Medium-term, we'll either do an upgrade to Leopard or update 10.4.11 to have newer versions of clamAV and clamd, which I believe may solve the problem.

    Hope this helps someone.

    mm
  • Notorious bWg Level 1 Level 1 (0 points)
    I'm running 10.4 Server on an old 450 MHz G4 tower. Up until a few weeks ago, I never saw my CPU load approach anywhere near 100% (this server is pretty lightly loaded).

    I've recently (last few weeks) seen my CPU usage climb to 100% for most hours of every single day, and my mail delivery slow to a crawl, too. After reading the previous posts on this thread, I just now turned my virus scanning off (but left junk scanning on). It appears that it's the virus scanning that's the CPU-sucking load. Looking at my SMTP logs, the time it takes for a message to go "through" my server (from SMTP to filtering to inbox) has dropped from several minutes to just a couple seconds.

    From what I can tell from my old logs and email headers, I suspect that the virus scanner may also use a last-in-first-out order for scanning messages, which results in some messages being delivered quickly while others take hours (or even days).

    I'm not sure if this CPU-loading issue corresponds to a recent Software Update or not, but I did install one around the time this problem developed.

    ps: If you're going to turn off virus scanning, you might want to make sure your mail queue is empty first (under the MAINTENANCE tab).
  • davidh Level 4 Level 4 (1,890 points)
    As I've said elsewhere:

    10.4 server by default uses clamscan instead of clamd, which is quite a bit slower. This was due to some past licensing issues/kerfuffle - ie: Apple had no choice but to go with clamscan.
    As far as I know that is no longer true.

    So certainly one advantage of updating clamav will be more efficient scanning.
    A good method (tutorial) is here:
    http://osx.topicdesk.com/content/view/62/41/
    (please feel free to make a contribution. I have no affiliation with the site)

    You will truly will be far better off using Postfix's capabilities to reject spam up front rather than burdening your server with processing most or all of it via spamassassin &clamav.

    As I always recommend, read up at postfix.org , get the Book of Postfix - http://www.postfix-book.com
    and as well, there is a safely pre-chewed tutorial at the topicdesk.com site ("Frontline defense") - safe to use but backup first of course.

    Far better to understand what that tutorial is accomplishing
    and how/why.

    Plenty of good reading at tthe postfix site, http://www.postfix.org/docs.html - see the UCE/Virus section and note that none of them are OS X specific: you don't need to install anything with regards to SASL, PAM or postfix itself, and a few other minor adjustments would be needed to use those tutorials as-is. But it can be done easily (I did so personally a ways before the topicdesk article was available).
  • Notorious bWg Level 1 Level 1 (0 points)
    FYI, it's definitely the virus filtering that's the CPU hog. After turning off virus filtering, my CPU loading instantly dropped to its normal 10-20% and has stayed there all day long. And my mail delivery is once again nearly instantaneous.
  • davidh Level 4 Level 4 (1,890 points)
    Sure, and you're running clamscan with OS X Server 10.4

    You want clamd, you have clamscan
  • Notorious bWg Level 1 Level 1 (0 points)
    Thanks for posting the tutorial on switching to it! I'll probably do it this week.