MTA/Zimbra/Webmail/Tips/Optimize

From TartareFR

Performance optimization

Increasing the number of IMAP threads

Getting the current IMAP thread count

zmprov gs `zmhostname` zimbraImapNumThreads
 name smtp.b2pweb.com
 zimbraImapNumThreads: 200

Changing the IMAP thread count

zmprov ms `zmhostname` zimbraImapNumThreads 500

We are going to improve two points:

  • amavis will handle its files in RAM rather than on disk, to avoid the disk I/O overhead: zimbra is installed on a drbd partition.
  • amavis will no longer scan mail originating from the server itself (in particular the noreply sender, which sends a very large volume of mail).

Putting the amavis working directory in RAM

First we need the uid and gid of the zimbra user and group

grep '^zimbra:' /etc/passwd
zimbra:x:501:501::/opt/zimbra:/bin/bash
grep '^zimbra:' /etc/group
zimbra:x:501:

The zimbra user has uid 501

The zimbra group has gid 501

We mount zimbra's amavis working directory on a tmpfs partition (in RAM), fixing its size at 400 MB. Simply add the following line to the <path>/etc/fstab</path> file

/dev/shm /opt/zimbra/data/amavisd/tmp tmpfs  defaults,noauto,noexec,nodev,nosuid,size=400m,mode=750,uid=501,gid=501 0 0

Stop amavis, mount the directory, then start amavis again

su - zimbra -c "zmamavisdctl stop"
mount /opt/zimbra/data/amavisd/tmp
su - zimbra -c "zmamavisdctl start"

[1]

Whitelisting mail originating from the server

Insert the following line at the top of the file /opt/zimbra/conf/postfix_recipient_restrictions.cf

check_client_access hash:/opt/zimbra/postfix/conf/amavis_client_whitelist

Specify our server's IP address in the whitelist and convert the file into a Berkeley DB map

echo '195.216.193.6 FILTER smtp-amavis:[127.0.0.1]:10026' >> /opt/zimbra/postfix/conf/amavis_client_whitelist
/opt/zimbra/postfix/sbin/postmap /opt/zimbra/postfix/conf/amavis_client_whitelist

We now modify the amavis configuration file /opt/zimbra/conf/amavisd.conf.in. To do so, copy the following lines into the file /root/zimbra-amavis-whitelist.patch

diff -u /opt/zimbra/conf/amavisd.conf.in /opt/zimbra/conf/amavisd.conf.in
--- /opt/zimbra/conf/amavisd.conf.in    2012-04-18 12:01:18.000000000 +0200
+++ /opt/zimbra/conf/amavisd.conf.in    2012-04-18 12:02:41.000000000 +0200
@@ -75,7 +75,14 @@
 $enable_db = 0;              # enable use of BerkeleyDB/libdb (SNMP and nanny)
 $enable_global_cache = 1;    # enable use of libdb-based cache if $enable_db=1
 
-$inet_socket_port = 10024;   # listen on this local TCP port(s) (see $protocol)
+#$inet_socket_port = 10024;   # listen on this local TCP port(s) (see $protocol)
+$inet_socket_port = [10024, 10026];                     # change from original setting
+ $interface_policy{'10026'} = 'CLIENTWHITELIST';
+ $policy_bank{'CLIENTWHITELIST'} = {
+   bypass_spam_checks_maps   => [1],
+    final_spam_destiny   => D_PASS,
+    final_virus_destiny => D_PASS,
+ };
 $unix_socketname = "$MYHOME/amavisd.sock";  # amavisd-release or amavis-milter
 
 $interface_policy{'SOCK'}='AM.PDP-SOCK';  # only relevant with $unix_socketname
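Review bot: the CLIENTWHITELIST bank sets final_virus_destiny => D_PASS, so a message from the whitelisted client that the virus scanner flags is still delivered; if the goal is only to skip spam scoring for the server's own mail, keep `bypass_spam_checks_maps => [1]` and `final_spam_destiny => D_PASS` and leave final_virus_destiny at the value the file sets further down (D_DISCARD). Minor: the `diff -u` line names the same path twice, which patch ignores, but it reads as if the file had been compared with itself.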

Apply the patch

patch -p0 < /root/zimbra-amavis-whitelist.patch

Restart the MTA and amavis so that our changes take effect

su - zimbra -c "zmmtactl restart && zmamavisdctl restart"

Check that the server is still running correctly

su - zimbra -c "zmcontrol status"
Host smtp.b2pweb.com
        antispam                Running
        antivirus               Running
        ldap                    Running
        logger                  Running
        mailbox                 Running
        memcached               Running
        mta                     Running
        snmp                    Running
        spell                   Running
        stats                   Running
        zmconfigd               Running

[2]

Enabling the whitelist

File <path>/opt/zimbra/conf/postfix_recipient_restrictions.cf</path>

diff -u conf/postfix_recipient_restrictions.cf conf/postfix_recipient_restrictions.cf
--- conf/postfix_recipient_restrictions.cf  2012-04-19 15:58:00.000000000 +0200
+++ conf/postfix_recipient_restrictions.cf  2012-04-18 11:43:16.000000000 +0200
@@ -1,3 +1,4 @@
+check_client_access hash:/opt/zimbra/postfix/conf/amavis_client_whitelist
 %%contains VAR:zimbraServiceEnabled cbpolicyd, check_policy_service inet:127.0.0.1:10031%%
 reject_non_fqdn_recipient
 permit_sasl_authenticated
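Review bot: the `+++` timestamp (2012-04-18) is older than the `---` one (2012-04-19), which suggests the two files were given to diff in reverse order; confirm that the intended direction is the one shown (line added at the top). Also keep in mind that check_client_access keys on the connecting SMTP client's IP, so the FILTER result only applies to mail that enters through smtpd from 195.216.193.6; mail injected locally through sendmail/pickup never passes these restrictions and keeps the default content_filter.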

File <path>/opt/zimbra/postfix/conf/main.cf</path>

diff -u postfix/conf/main.cf.orig postfix/conf/main.cf
--- postfix/conf/main.cf.orig   2011-08-18 15:12:20.000000000 +0200
+++ postfix/conf/main.cf        2011-08-18 15:34:20.000000000 +0200
@@ -30,9 +30,9 @@
 smtpd_tls_auth_only = yes
 virtual_alias_maps = proxy:ldap:/opt/zimbra/conf/ldap-vam.cf
 mailq_path = /opt/zimbra/postfix/sbin/mailq
-mynetworks = 127.0.0.0/8 195.216.193.0/27 192.168.0.0/24
+mynetworks = 127.0.0.0/8 195.216.193.0/27 192.168.0.0/24 10.8.0.0/24
 lmtp_connection_cache_time_limit = 4s
-transport_maps = proxy:ldap:/opt/zimbra/conf/ldap-transport.cf
+transport_maps = hash:/opt/zimbra/postfix/conf/transport,ldap:/opt/zimbra/conf/ldap-transport.cf
 virtual_alias_domains = proxy:ldap:/opt/zimbra/conf/ldap-vad.cf
 smtpd_sasl_auth_enable = yes
 smtpd_tls_loglevel = 1
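Review bot: the new transport_maps line drops the proxy: prefix from the LDAP table (`ldap:` instead of `proxy:ldap:`), so every Postfix process that consults it opens its own LDAP connection; keep `hash:/opt/zimbra/postfix/conf/transport,proxy:ldap:/opt/zimbra/conf/ldap-transport.cf`. Adding 10.8.0.0/24 to mynetworks lets every host on that subnet relay without authentication, so it should be limited to the hosts that need it, and because Zimbra regenerates main.cf, the value belongs in zimbraMtaMyNetworks (zmprov) rather than in a hand edit of this file.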
@@ -56,3 +56,5 @@
 policy_time_limit = 3600
 mailbox_size_limit = 0
 disable_dns_lookups = no
+slow_destination_recipient_limit = 20
+slow_destination_concurrency_limit = 2
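Review bot: slow_destination_concurrency_limit = 2 here disagrees with the `-o smtp_destination_concurrency_limit=3` set on the slow service in master.cf; the queue manager reads these scheduler parameters from main.cf keyed on the transport name, so the value here (2) is the one that applies and the master.cf override is dead. For the same reason `slow_destination_rate_delay = 1` should be added to this hunk rather than set as a master.cf -o option.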

File <path>/opt/zimbra/postfix/conf/master.cf.in</path>

diff -u postfix/conf/master.cf.in.orig postfix/conf/master.cf.in
--- postfix/conf/master.cf.in.orig      2011-08-18 15:11:56.000000000 +0200
+++ postfix/conf/master.cf.in   2011-08-18 15:38:02.000000000 +0200
@@ -27,6 +27,9 @@
 flush     unix  n       -       n       1000?   0       flush
 proxymap  unix  -       -       n       -       -       proxymap
 smtp      unix  -       -       n       -       -       smtp
+       -o smtp_bind_address=195.216.193.6
+smtplocal unix  -       -       n       -       -       smtp
+       -o smtp_bind_address=127.0.0.1
 # When relaying mail as backup MX, disable fallback_relay to avoid MX loops
 relay     unix  -       -       n       -       -       smtp
        -o fallback_relay=
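Review bot: smtplocal is a copy of smtp with only the bind address changed, so both services log as `postfix/smtp`; add `-o syslog_name=postfix-local` (as the slow service does) so loopback deliveries can be told apart in the mail log. Also confirm that 195.216.193.6 is the address whose PTR and SPF records are published, since every outbound SMTP connection will now originate from it.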
@@ -39,6 +42,10 @@
 lmtp      unix  -       -       n       -       -       lmtp
 anvil     unix  -       -       n       -       1       anvil
 scache    unix  -       -       n       -       1       scache
+slow       unix -       -       n       -       5       smtp
+       -o syslog_name=postfix-slow
+       -o smtp_destination_concurrency_limit=3
+       -o slow_destination_rate_delay=1
 %%uncomment LOCAL:postfix_enable_smtpd_policyd%%policy    unix  -       n       n       -       0       spawn
 %%uncomment LOCAL:postfix_enable_smtpd_policyd%%       user=zimbra argv=/usr/bin/perl /opt/zimbra/libexec/zmpostfixpolicyd
 #
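Review bot: `-o smtp_destination_concurrency_limit=3` and `-o slow_destination_rate_delay=1` on the slow service have no effect: both are queue-manager parameters, and qmgr does not see -o overrides on a delivery agent's master.cf entry. Put `slow_destination_rate_delay = 1` in main.cf next to the slow_destination_* limits added there and drop these two lines, keeping only `-o syslog_name=postfix-slow`.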
@@ -107,3 +114,5 @@
        -o smtpd_client_connection_count_limit=0
        -o smtpd_client_connection_rate_limit=0
        -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings
+systrans       unix    -       n       n       -       -       pipe    
+       flags= user=zimbra argv=/home/bdfweb.com/passerelle/in/in.mail.systran.php
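Review bot: the systrans pipe runs in.mail.systran.php as the zimbra user, which owns the whole mail store, and feeds it message content from anyone who can address the mailbox routed to it; run it under a dedicated unprivileged account and make sure the script treats everything it reads on stdin as untrusted. Since argv= names the .php file directly, the file must be executable and start with a `#!` line for the PHP interpreter, otherwise pipe(8) will fail to exec it. The trailing whitespace after `pipe` should also be removed.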

File <path>/opt/zimbra/postfix/conf/transport</path>

diff -u postfix/conf/transport.orig postfix/conf/transport
--- postfix/conf/transport.orig 2011-08-18 15:12:30.000000000 +0200
+++ postfix/conf/transport      2011-08-18 15:40:46.000000000 +0200
@@ -292,3 +292,9 @@
 #        Yorktown Heights, NY 10598, USA
 #                                                                   
 #                                                                   TRANSPORT(5)
+.internal smtplocal:
+leray@b2pweb.com     systrans
+wanadoo.com   slow:
+wanadoo.fr    slow:
+orange.com    slow:
+orange.fr     slow:
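Review bot: after this file is edited it has to be rebuilt with `/opt/zimbra/postfix/sbin/postmap /opt/zimbra/postfix/conf/transport`, since main.cf references it as hash:, otherwise the old .db keeps being used; the hunk does not mention this step. Note also that `.internal smtplocal:` matches subdomains of .internal only (mail for host.internal, not for internal itself) under the default parent_domain_matches_subdomains, and that `leray@b2pweb.com systrans` turns one public mailbox into an entry point to the PHP gateway for any sender on the Internet.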

File <path>/opt/zimbra/conf/amavisd.conf.in</path>

diff -u conf/amavisd.conf.in.orig conf/amavisd.conf.in
--- conf/amavisd.conf.in.orig   2011-08-18 15:46:37.000000000 +0200
+++ conf/amavisd.conf.in        2011-08-18 15:50:17.000000000 +0200
@@ -75,7 +75,14 @@
 $enable_db = 0;              # enable use of BerkeleyDB/libdb (SNMP and nanny)
 $enable_global_cache = 1;    # enable use of libdb-based cache if $enable_db=1

-$inet_socket_port = 10024;   # listen on this local TCP port(s) (see $protocol)
+#$inet_socket_port = 10024;   # listen on this local TCP port(s) (see $protocol)
+$inet_socket_port = [10024, 10026];                     # change from original setting
+ $interface_policy{'10026'} = 'CLIENTWHITELIST';
+ $policy_bank{'CLIENTWHITELIST'} = {
+   bypass_spam_checks_maps   => [1],
+    final_spam_destiny   => D_PASS,
+    final_virus_destiny => D_PASS,
+ };
 $unix_socketname = "$MYHOME/amavisd.sock";  # amavisd-release or amavis-milter

 $interface_policy{'SOCK'}='AM.PDP-SOCK';  # only relevant with $unix_socketname
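Review bot: this hunk is the same whitelist change already applied with /root/zimbra-amavis-whitelist.patch earlier on the page; applying both with patch -p0 will fail on the second run because the hunk is already present. The bank's `final_virus_destiny => D_PASS` also means a virus-flagged message from the whitelisted client is delivered rather than discarded, which is broader than the stated goal of skipping spam checks for the server's own mail.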
@@ -159,7 +159,8 @@
 %%uncomment VAR:zimbraAmavisQuarantineAccount%%$final_virus_destiny      = D_DISCARD;
 $final_banned_destiny     = D_BOUNCE;
 $final_spam_destiny       = D_DISCARD;
-# $final_bad_header_destiny = D_PASS;
+$bad_header_quarantine_to = undef;
+$final_bad_header_destiny = D_PASS;
 
 # $os_fingerprint_method = 'p0f:127.0.0.1:2345';  # to query p0f-analyzer.pl
 
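Review bot: setting `$bad_header_quarantine_to = undef` together with D_PASS drops the quarantine copy as well as the block; D_PASS alone already delivers the message, and amavisd quarantines independently of the final destiny, so keeping the quarantine preserves a record of malformed-header mail at no delivery cost. If quarantine volume is the reason, say so in a comment next to the line.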
@@ -238,6 +239,25 @@
 #  read_hash("/var/amavis/sender_scores_sitewide"),
    
    { # a hash-type lookup table (associative array)
+     'neuf.fr'                                => -10.0,
+     'gmail.com'                              => -10.0,
+     'free.fr'                                => -10.0,
+     'orange.fr'                              => -10.0,
+     'legendre.fr'                            => -10.0,
+     'tiscali.fr'                             => -10.0,
+     'wanadoo.fr'                             => -10.0,
+     'transportsvial.fr'                      => -10.0,
+     'axa.fr'                                 => -10.0,
+     'transport-pedussaut.fr'                 => -10.0,
+     'geodisbm.com'                           => -10.0,
+     'morygroup.com'                          => -10.0,
+     'fr.oleane.com'                          => -10.0,
+     'bdfweb.com'                             => -10.0,
+     'bdfweb.fr'                              => -10.0,
+     'b2pweb.com'                             => -10.0,
+     'b2pweb.fr'                              => -10.0,
+     'smtp.b2pweb.com'                        => -10.0,
+     'scanner@b2pweb.com'                     => -10.0,
      'nobody@cert.org'                        => -3.0,
      'cert-advisory@us-cert.gov'              => -3.0,
      'owner-alert@iss.net'                    => -3.0,
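Review bot: the -10.0 entries for gmail.com, orange.fr, free.fr, wanadoo.fr, neuf.fr and tiscali.fr are keyed on the envelope sender, which spammers forge freely, so a 10-point bonus for those public providers effectively exempts any message that claims to come from them. Restrict the negative scores to the organisation's own domains and named partners, and for the public providers rely on SPF/DKIM results rather than a sender-domain score; the same applies to the single address `scanner@b2pweb.com`, which anyone can spoof.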
@@ -278,6 +298,9 @@
   ],  # end of site-wide tables
 });

+read_hash(\%whitelist_sender, '/etc/zimbra/whitelist');
+read_hash(\%blacklist_sender, '/etc/zimbra/blacklist');
+read_hash(\%spam_lovers,      '/etc/zimbra/spamlovers');

 @decoders = (
   ['mail', \&do_mime_decode],
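Review bot: read_hash aborts amavisd startup if it cannot open the file, so amavisd will refuse to start until /etc/zimbra/whitelist, /etc/zimbra/blacklist and /etc/zimbra/spamlovers exist (empty files are fine) and are readable by the zimbra user; make them root-owned and not writable by zimbra, since an entry in whitelist_sender exempts that sender from spam checks.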

File <path>/opt/zimbra/conf/localconfig.xml</path>

diff -u conf/localconfig.xml.orig conf/localconfig.xml
--- conf/localconfig.xml.orig   2011-08-18 15:46:57.000000000 +0200
+++ conf/localconfig.xml        2011-08-18 15:52:00.000000000 +0200
@@ -94,6 +94,9 @@
   <key name="mailboxd_truststore">
     <value>/opt/zimbra/java/jre/lib/security/cacerts</value>
   </key>
+  <key name="postfix_transport_maps">
+    <value>'hash:/opt/zimbra/postfix/conf/transport,ldap:/opt/zimbra/conf/ldap-transport.cf'</value>
+  </key>
   <key name="zimbra_mysql_password">
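Review bot: the value is wrapped in single quotes inside <value>, and localconfig values are stored verbatim, so verify the quotes do not end up in the generated transport_maps; the safer route is `zmlocalconfig -e postfix_transport_maps='hash:/opt/zimbra/postfix/conf/transport,proxy:ldap:/opt/zimbra/conf/ldap-transport.cf'` run as zimbra, which writes the XML for you and keeps the proxy: prefix the original main.cf had.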
@@ -125,6 +128,6 @@
     <value>smtp.b2pweb.com</value>
   </key>
   <key name="ssl_allow_untrusted_certs">
-    <value>false</value>
+    <value>true</value>
   </key>
 </localconfig>
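Review bot: ssl_allow_untrusted_certs=true turns off certificate verification for mailboxd's outbound TLS connections, so any certificate, including one presented by a man-in-the-middle, is accepted; if one particular peer uses a self-signed certificate, import that certificate into the mailboxd truststore referenced a few lines above instead of disabling verification globally.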

File <path>/opt/zimbra/conf/salocal.cf</path>

diff -u conf/salocal.cf.orig conf/salocal.cf
--- conf/salocal.cf.orig        2011-08-18 15:56:22.000000000 +0200
+++ conf/salocal.cf     2011-08-18 15:52:36.000000000 +0200
@@ -18,7 +18,7 @@
 describe DSPAM_HAM DSPAM claims it is ham
 score DSPAM_HAM -0.5

-trusted_networks 127.0.0.0/8 195.216.193.0/27 192.168.0.0/24
+trusted_networks 127.0.0.0/8 195.216.193.0/27 192.168.0.0/24 10.8.0.0/24 
 lock_method flock

 # accept email from zimbra support and forumns
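Review bot: the added 10.8.0.0/24 must stay in step with mynetworks in main.cf (it does here), because SpamAssassin's trusted_networks treats those relays as non-forging for Received-header analysis and skips DNS blocklist checks for them, so every host on that subnet gains that trust; the line also carries trailing whitespace that should be removed.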

Slowing down outbound traffic for certain domains

Special transports
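The lookup Postfix performs over the transport table shown in the patch above, as an added illustration (not Postfix or Zimbra code): it reproduces the transport(5) search order for a hash: table under the default parent_domain_matches_subdomains, so `.internal` matches hosts under .internal but not the bare name, and the single-address entry wins over its domain. The table contents are copied from the patch; the function names are this example's own.

```python
"""Postfix transport(5) lookup over the table from the patch above (added illustration,
not Postfix code). Search order for a hash: table under the default
parent_domain_matches_subdomains: user+ext@domain, user@domain, domain, parents, "*"."""
from typing import Dict, List, Optional

# Constructed copy of the entries the patch appends to /opt/zimbra/postfix/conf/transport
TRANSPORT_TABLE = """
.internal smtplocal:
leray@b2pweb.com     systrans
wanadoo.com   slow:
wanadoo.fr    slow:
orange.com    slow:
orange.fr     slow:
"""

def parse_transport_table(text: str) -> Dict[str, str]:
    """Parse 'key transport:nexthop' lines; blank lines and '#' comments are skipped."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed transport entry: {line!r}")
        table[parts[0].lower()] = parts[1].strip()
    return table

def lookup_keys(recipient: str) -> List[str]:
    """Keys Postfix tries, in order, for one recipient (table lookups are case-insensitive)."""
    recipient = recipient.lower()
    if "@" not in recipient:
        raise ValueError("recipient must be user@domain")
    local, _, domain = recipient.rpartition("@")
    keys = [recipient]
    if "+" in local:  # user+extension@domain is tried before user@domain
        keys.append(f"{local.split('+', 1)[0]}@{domain}")
    keys.append(domain)
    labels = domain.split(".")
    for i in range(1, len(labels)):  # '.b.c' then '.c' for a.b.c: subdomains only
        keys.append("." + ".".join(labels[i:]))
    keys.append("*")
    return keys

def lookup_transport(table: Dict[str, str], recipient: str) -> Optional[str]:
    """'transport:nexthop' string Postfix selects, or None (default transport applies)."""
    for key in lookup_keys(recipient):
        if key in table:
            return table[key]
    return None
```

A `None` result means the recipient falls through to the LDAP transport table and then the default transport, which is why mail for `internal` itself, unlike `host.internal`, is not routed over the loopback service.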

Ideas to explore

  • Compile the antispam rules [3]

References