----- Message from Patrick Ben Koetter <[email protected]> ---------
Date: Sun, 21 Mar 2021 21:15:50 +0100
From: Patrick Ben Koetter <[email protected]>
Subject: Re: Ramdisk question
To: [email protected]
Simon,
* Simon Wilson <[email protected]>:
I've configured a 2GB ramdisk and mounted it at /var/spool/amavisd/tmp,
owned by amavis user. Amavis is using this, I see folders appearing as
amavisd runs. With a maximum email size of 25M, I'm assuming this is big
enough, but is there a definitive measure? And will amavisd use it for
unpacking called scans - e.g. clam?
there is no definite measure. In general the formula would be
max. message size x max. concurrent amavis processes = max.
required space
Max processes = 3; max email size = 25M; 3x25 = 75MB
but there are a few unknown factors to tell if that is sufficient, because
- attachments are usually base64 encoded. When they become base64-decoded and
written as files to disk, their size *decreases* about by 1/3rd.
- when extracted, file sizes in archives *increase*. How much depends on the
file type and the packers efficiency that packed file in the first.
- if you have $preserve_evidence enabled amavis will not remove a message and
all of its parts after a failed scan attempt to allow for inspection. The
files will remain there until you remove them manually.
Personally I think you are best off, if you double the RAM disk the size of
the formula I mentioned in the first. Enable $preserve_evidence for debugging
purposes only and monitor the RAM discs size and create an alarm if size
shrinks too much.
Thanks, will keep an eye on this.
As for you question regardings "unpacking called scans": Amavis will unpack a
message into a subdirectory of /var/spool/amavisd/tmp. It will create a
separate file for each (MIME) message part contained in the mail message.
Additionally – and only if you've configured amavis to put a copy of
the whole
message into the subdirectory using @keep_decoded_original_maps – it
will also
put the complete message in there. Only after it has prepared the message for
inspection it will call other scanners, such as clamd, to inspect the message
and its parts.
*from amavis.conf:
@keep_decoded_original_maps = (new_RE(
qr'^MAIL$', # let virus scanner see full original message
qr'^MAIL-UNDECIPHERABLE$', # same as ^MAIL$ if mail is undecipherable
qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
# qr'^Zip archive data', # don't trust Archive::Zip
));
More clamd than amavis - if /var/spool/amavisd/tmp is mounted to a
ramdisk and amavisd unpacks there, does clam scan from there also, or
copy to its own location to scan?
HTH,
Surely does. Thank you.
p@rick
----- End message from Patrick Ben Koetter <[email protected]> -----
--
Simon Wilson
M: 0400 12 11 16
