Ubuntu 16.04 and ISPConfig 3.1 - stopping ClamAV

ClamAV needs a fair amount of resources to run in the background, and this usually slows down mail delivery. In ISPConfig 3 (under the Perfect Server setup), ClamAV is run within amavis. Therefore, the usual commands for removing ClamAV will not remove it.

When RAM is very low, Linux kills amavis, and mail is then not delivered. Therefore, if you run amavis for anti-virus and spam filtering, consider a VM or cloud server with a minimum of 2G or 4G of RAM.

The steps to disable ClamAV and amavisd are below; once they are applied, Postfix no longer passes mail through amavis for virus and spam scanning.

(1) Edit the Postfix configuration and comment out the two lines below. Note that amavis uses the special ports 10024 and 10026; if you are not using these ports, consider closing them in your firewall settings.

nano /etc/postfix/main.cf


# content_filter = amavis:[127.0.0.1]:10024
# receive_override_options = no_address_mappings

(2) Under ISPConfig 3.1, comment out 2 additional lines, one in each of these files:

nano /etc/postfix/tag_as_foreign.re
#/^/ FILTER amavis:[127.0.0.1]:10024
nano /etc/postfix/tag_as_originating.re
#/^/ FILTER amavis:[127.0.0.1]:10026


Save the changes and restart Postfix:


/etc/init.d/postfix restart

(3) Stop and disable the services:

/etc/init.d/clamav-daemon stop
/etc/init.d/clamav-freshclam stop
/etc/init.d/amavis stop

update-rc.d -f clamav-daemon remove
update-rc.d -f clamav-freshclam remove
update-rc.d -f amavis remove

To revert these changes, run:

update-rc.d clamav-daemon defaults
update-rc.d clamav-freshclam defaults
update-rc.d amavis defaults

The services will start on the next reboot.

(4) Under Ubuntu 16.04 and ISPConfig 3.1, also execute the following commands:

systemctl disable clamav-daemon.socket
systemctl disable clamav-daemon.service
systemctl disable clamav-freshclam.service


Note - The changes in the Postfix main.cf will get overwritten by an ISPConfig software update when you select to "re-configure" services during the update, so you should comment out the lines again after you install an ISPConfig update.
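
As an added example (not part of the original post), the script below checks that the lines commented out in steps (1) and (2) are still commented out after an ISPConfig update and, given `ss -ltn` output, whether anything still listens on ports 10024 or 10026. The function names are made up for this example.

```shell
#!/bin/sh
# Added example: confirm Postfix no longer hands mail to amavis.

# Regex for an uncommented line that names the amavis transport on
# port 10024 or 10026 (the two ports the page mentions).
AMAVIS_RE='^[[:space:]]*[^#[:space:]].*amavis:\[127\.0\.0\.1\]:1002[46]'

# active_amavis_lines FILE -> prints "lineno:text" for each active reference.
active_amavis_lines() {
    [ -r "$1" ] || return 0
    grep -nE "$AMAVIS_RE" "$1" || true
}

# check_amavis_disabled FILE... -> returns 1 if any file still filters via amavis.
check_amavis_disabled() {
    rc=0
    for f in "$@"; do
        hits=$(active_amavis_lines "$f")
        if [ -n "$hits" ]; then
            printf '%s: amavis filter is active again\n%s\n' "$f" "$hits"
            rc=1
        fi
    done
    return "$rc"
}

# listening_amavis_ports -> reads `ss -ltn` output on stdin and prints any
# local address still listening on 10024 or 10026.
listening_amavis_ports() {
    awk '$1 == "LISTEN" && $4 ~ /:1002[46]$/ { print $4 }'
}

# Run the file check only when paths are given on the command line.
[ "$#" -eq 0 ] || check_amavis_disabled "$@"
```

Saved under a name of your choice, the script takes /etc/postfix/main.cf, /etc/postfix/tag_as_foreign.re and /etc/postfix/tag_as_originating.re as arguments and exits non-zero if any of them routes mail to amavis again.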
